Netgate Discussion Forum
    Rules between interfaces/switch ports

    Firewalling
    6 Posts 2 Posters 791 Views
    swemattias

      A generic question, I know. I have tried to read up on it and watch videos, but still I fail.

      If I activate the switch on my SG-2100, no one has internet. I have tried to allow traffic between the interfaces, but it doesn't seem to work.

      When I switch back to the simple setup, the one with a dumb switch, the rules between the VLANs work just fine.

      For some reason Netgate's great documentation on this subject doesn't function with my brain. So what I am asking for is a great blog post about how to do it, or a great YT video.

      And for those wondering what I am trying to achieve:
      port 0 Internet IN
      port 1 server lan
      port 2 wlan (Unifi)
      port 3 dmz

      Ports 1-2 should have internet and be able to talk to each other.
      Port 3 only internet, isolated from the rest.

      This should not be that hard. I am feeling really stupid for not making this work.

      viragomann @swemattias

        @swemattias
        Do you have internet access at least?

        Consider that your devices might block access from outside their own subnet by default. You may have to add firewall rules on the devices themselves to allow access.

        swemattias @viragomann

          @viragomann That I do know. The issue I am having is the FW rules. No internet, that is the main issue.

          So I am doing rules.... these 2 are the first two, for internet from two interfaces.

          Protocol *
          Source Server-LAN
          Port *
          Destination WAN net
          Port *
          Gateway *
          Queue *
          Schedule *

          Protocol *
          Source Internal-LAN
          Port *
          Destination WAN net
          Port *
          Gateway *
          Queue *
          Schedule *

          That is from IN to OUT; do I need something from OUT to IN?

          viragomann @swemattias

            @swemattias
            You set the destination wrong. It has to be "any".

            "WAN net" is not the internet. It's only the subnet assigned to the WAN interface.

            swemattias @viragomann

              @viragomann ok!
              Now that you say it, it does make sense.
              Just bear with me, I need to get this into my head.

              So from whatever assigned interface to any, so I don't need to set the destination to the WAN interface?
              "Any" seems so, hmmm, not exact, if you catch my drift.

              So what if I want to open a port from WAN to the server LAN? What will the rule look like then?

              viragomann @swemattias

                @swemattias
                You have to add your firewall rule to the interface where the traffic is coming into pfSense. So to pass or block traffic from LAN devices you add the rule to LAN.

                The destination can be a single IP, a network (subnet) or any. For internet access you need "any", because the IPs on the internet cover almost the whole address space. So there is no other way here.

                What you're presumably concerned about might be giving one subnet access to the internet, but not to the LAN.
                To achieve this you have to remember that pfSense checks the rules from the top to the bottom. If one matches the conditions it is applied and the further rules are skipped.

                So you have to add multiple rules for this. At least one block and one pass rule.
                At the top of the rule set add a block rule with the destination LAN network.
                Below it add a pass rule with destination "any".
                Now if the destination in a packet is in the LAN network the packet is blocked, otherwise it's passed.

                But instead of blocking the LAN network only, it's often desirable to block access to all internal networks. A good way to achieve this is to add a network alias (Firewall > Aliases > IP, type "network") and add all RFC 1918 networks to it. Call it RFC1918 and use this alias as the destination in the block rule.
                With this you're still safe when you add a subnet to your setup or change a network space.

                "So what if I want to open a port from WAN to the server LAN? What will the rule look like then?"

                For inbound traffic things might be clearer. Here only the source has to be "any", assuming you can't state it. The destination will be "WAN address", because the packet goes to it, and you will state a specific destination port. For instance for HTTPS, the dest. port is 443.
                The source port has to be "any" as well!
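The two corrections in this thread (destination "WAN net" versus "any", and the block-RFC1918 rule having to sit above the pass-any rule) come down to how pfSense evaluates the rules on the ingress interface: top to bottom, first match wins, no match means the default deny. The following is an added example, not code from the thread or from Netgate: a small first-match simulator that applies rulesets shaped like the ones discussed above to constructed packets. All interface names, addresses (the WAN subnet is TEST-NET-3, the firewall's own interface IPs are assumed) and sample packets are assumptions, not the poster's real configuration. It also adds a DNS exception to the firewall's DMZ address, on the assumption that DMZ hosts use pfSense as their resolver, which a plain RFC1918 block would otherwise cut off.

```python
"""Added example, not from the thread or from Netgate: a first-match simulator for
pfSense-style per-interface rules.  It shows (1) why destination "WAN net" does not
give internet access while "any" does, (2) why the block-RFC1918 rule must sit above
the pass-any rule, and (3) the shape of the inbound WAN rule.  Addresses, interface
names and sample packets are constructed for illustration (assumptions)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing for the four SG-2100 ports described in the thread.
NETS = {
    "WAN net":        ip_network("203.0.113.0/24"),   # ISP subnet on WAN (assumed; TEST-NET-3)
    "WAN address":    ip_network("203.0.113.10/32"),  # pfSense's own WAN IP (assumed)
    "Server-LAN net": ip_network("192.168.10.0/24"),
    "WLAN net":       ip_network("192.168.20.0/24"),
    "DMZ net":        ip_network("192.168.30.0/24"),
    "DMZ address":    ip_network("192.168.30.1/32"),  # pfSense's IP on the DMZ interface (assumed)
}
# The alias the reply recommends: Firewall > Aliases > IP, type "network", all RFC 1918 space.
ALIASES = {
    "RFC1918": [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")],
    "any":     [ip_network("0.0.0.0/0")],
}

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface the packet ENTERS pfSense on (the rule lives on that tab)
    dst: str                     # "any", an interface net/address name, or an alias name
    dport: Optional[int] = None  # None == any destination port
    src: str = "any"             # source selector; "any" for internet-originated traffic

@dataclass(frozen=True)
class Packet:
    iface: str   # ingress interface
    src: str
    dst: str
    dport: int

def addr_matches(selector: str, addr) -> bool:
    """Resolve a rule's source/destination selector against one address."""
    if selector in ALIASES:
        return any(addr in net for net in ALIASES[selector])
    return addr in NETS[selector]

def evaluate(rules, pkt: Packet) -> str:
    """Top to bottom on the ingress interface, first match wins; no match is the default deny."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for r in rules:
        if r.iface != pkt.iface:
            continue  # rule belongs to another interface tab
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if addr_matches(r.src, src) and addr_matches(r.dst, dst):
            return r.action
    return "block"

# The poster's first attempt: destination "WAN net" is only 203.0.113.0/24, not the internet.
SERVER_LAN_WRONG = [Rule("pass", "Server-LAN", "WAN net")]
# As corrected in the reply: destination "any".
SERVER_LAN_FIXED = [Rule("pass", "Server-LAN", "any")]

# DMZ: internet only, isolated from the other subnets.  Order matters because the first
# matching rule ends evaluation.  The DNS rule to the firewall's own DMZ address is an
# assumed need (DMZ hosts resolving via pfSense) that the RFC1918 block would otherwise hit.
DMZ_RULES = [
    Rule("pass",  "DMZ", "DMZ address", dport=53),  # DNS to pfSense itself
    Rule("block", "DMZ", "RFC1918"),                 # everything internal
    Rule("pass",  "DMZ", "any"),                     # whatever is left == internet
]
# Same three rules with pass-any first: it swallows every packet and the block never fires.
DMZ_WRONG_ORDER = [DMZ_RULES[2], DMZ_RULES[1], DMZ_RULES[0]]

# Inbound HTTPS from the internet: rule on WAN, source any, destination "WAN address", port 443.
WAN_RULES = [Rule("pass", "WAN", "WAN address", dport=443)]

def demo() -> dict:
    """Constructed sample packets and the verdict each ruleset gives them."""
    internet = "93.184.216.34"  # an arbitrary public address (assumed)
    return {
        "server-lan->internet, dst 'WAN net'":   evaluate(SERVER_LAN_WRONG, Packet("Server-LAN", "192.168.10.5", internet, 443)),
        "server-lan->internet, dst 'any'":       evaluate(SERVER_LAN_FIXED, Packet("Server-LAN", "192.168.10.5", internet, 443)),
        "dmz->server-lan":                       evaluate(DMZ_RULES, Packet("DMZ", "192.168.30.7", "192.168.10.5", 22)),
        "dmz->internet":                         evaluate(DMZ_RULES, Packet("DMZ", "192.168.30.7", internet, 443)),
        "dmz->pfsense dns":                      evaluate(DMZ_RULES, Packet("DMZ", "192.168.30.7", "192.168.30.1", 53)),
        "dmz->pfsense webgui":                   evaluate(DMZ_RULES, Packet("DMZ", "192.168.30.7", "192.168.30.1", 443)),
        "dmz->server-lan, rules in wrong order": evaluate(DMZ_WRONG_ORDER, Packet("DMZ", "192.168.30.7", "192.168.10.5", 22)),
        "internet->wan address:443":             evaluate(WAN_RULES, Packet("WAN", "198.51.100.9", "203.0.113.10", 443)),
        "internet->wan address:22":              evaluate(WAN_RULES, Packet("WAN", "198.51.100.9", "203.0.113.10", 22)),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{verdict:5}  {case}")
```

The "dst 'WAN net'" case is the poster's original symptom: a packet to a public address matches no rule on the Server-LAN tab and falls through to the default deny, which is the "no internet" they saw. The simulator only models interface, destination port, source and destination; real pfSense rules also match on protocol, source port and state, so treat the verdicts as an illustration of ordering and selector semantics rather than a substitute for testing the live ruleset.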

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.