Block Internal vLan from accessing Web UI

unififcf

hello,

I was wondering how to block my vLan 20 from accessing the web UI of a file server?

I still need them to connect to the server using mapped network drives but not open a browser and typing: 192.168.20.XX to get to the web UI.

Not sure how to do that.

any help would be great. I have tried several ways and nothing seems to work.

Action: Block
Interface: vlan 20
Protocol: Any
Source: vlan 20 net
Destination: Single Host or Alias: 192.168.20.XX
Port: 80

and setup a duplicate as above with:
Port 443

I have tried
Protocol: TCP, also TCP/UDP, and UDP
Source *using a single ip in vlan 20

I can't seem to figure it out.

A Former User

@unififcf ok i'm here to help you!

Could you post your firewall rule please.

johnpoz

@unififcf This file server in a different vlan? Seems like your trying to block a device in vlan 20 from talking to another device in vlan 20.. Pfsense has zero to do with that communication. So no you can not block it at pfsense.

You would need to do that via this servers host firewall, or move that server to a different vlan so that its routed across pfsense, then you could filter access via firewall rules on pfsense.

A Former User

@johnpoz said in Block Internal vLan from accessing Web UI:

So no you can not block it at pfsense.

Because he can not?

johnpoz

@silence pfsense has zero to do with something on network talking to other stuff on the same network.. Pfsense wouldn't ever see the traffic..

unififcf

traffic can not be blocked within the same vLan is what I am hearing here.

I guess then, to move it to another vLan to be able to block the webUI and still be able to map it as a network drive?

A Former User

@unififcf,

Never let others tell you that you can't, always positive.
try the following then you can create your blocking rule inside vlan 20

johnpoz

@silence sorry but NO dude... It doesn't work that way.. Never has never will.

When the IP is on the same network, the device arps for it, and then sends the traffic to that mac address. In no scenario would traffic be sent to pfsense.

This is basic 101 networking..

You can create whatever rules you want on pfsense - but the traffic is never sent to pfsense to be able to allow or block.. Or nat or forward or anything - Just doesn't work that way.

The device would only send traffic to pfsense, when the destination IP is not on the same network its on..

SteveITS

@unififcf said in Block Internal vLan from accessing Web UI:

move it to another vLan to be able to block the webUI and still be able to map it as a network drive?

Does the file server have its own firewall for this web interface? You might consider blocking access with that, except from desired IPs.

unififcf

@SteveITS

Sorry the file server does not have it's own firewall....had to do some research there...but after reading and trying the option from @Silence (just had to try it...LOL) it does seem like @johnpoz is right. Looking up and reading my CCNA book I ordered (and just got by the way...LOL), for the understanding of how it works...since it is on the same vLan, it won't "route" through pfSense, but only goes through the switches that are in the same vLan. (hopefully my understanding is correct)

so....bruh...looks like I am gonna have to pitch it to the upper mgmt that we will have to move it to another vLan and grant the firewall rules to allow access only to that server and block any webui. tested it with our vpn and seems to allow network mapping via network drive and blocks the webui. I just have to figure out how to push it to everyone...shouldn't be too bad though, not very many users on this server.

thanks for everyone's input.

johnpoz

@unififcf said in Block Internal vLan from accessing Web UI:

Sorry the file server does not have it's own firewall

How is that? Every OS has a firewall, even appliances like your simple home nas, etc. While it might not be enabled..

But for overall management, etc prob best to move it to different vlan. This makes it simple to allow or block what you want right at pfsense. And not have to worry about specific settings in the host

dma_pf

@unififcf said in Block Internal vLan from accessing Web UI:

since it is on the same vLan, it won't "route" through pfSense, but only goes through the switches that are in the same vLan. (hopefully my understanding is correct)

Yeah this is correct. Pfsense will not route traffic in the same network, all of that traffic is handled on the switch level and pfsense never sees it.

unififcf

@johnpoz I am going by what I was told by those who work on the server...they said it is a TrueNAS, and I honestly know very little about it, so have to trust others.

yeah, kind of new in the firewall game as I only did CSR before, simple application and networking fixes.

johnpoz

@unififcf said in Block Internal vLan from accessing Web UI:

they said it is a TrueNAS

Ah - yeah they do not have a "gui" to admin it, but you can for sure configure ipfw on it and manually setup the rules. Haven't played with that in long time.

But ipfw can be its own learning curve for sure - yeah best to move that to different vlan than all your users and just use pfsense.