Allow or block internet access

hardware_bxl

With many other firewall systems you can simply create a rule like:
ALLOW/BLOCK any LAN -> any WAN

but with pfSense the WAN interface cannot be used like that.
In many examples that I find on the net, I see the following guidelines to get around this:

1. Create Alias RFC1918 and add the corresponding networks (NET_RFC1918).
2. Create a rule like:
   ALLOW/BLOCK any LAN -> any !NET_RFC1918

Although this is a nice workaround and it does the job of allowing or blocking WAN/internet access, i feel it is not the correct way.

Say you want to block internet for device_A on IP_device_A:
BLOCK IPv4* IP_device_A * !NET_RFC1918 * * none
description: "Blocks internet for device A"

this is not 100% correct, as it blocks EVERYTHING except for the RFC1918 networks, so that means if your device would multicast for discovery on the network, this would be blocked as well and you lose functionality if you not allow this separately.

So would you also need to include:
224.0.0.0 - 239.255.255.255 (is that RFC1112 or RFC5771 ??)

but is that all you need to include?
and also, if you include this in your alias to 'describe internet/wan access', then you also need to make a rule to allow/block this for the local net.

So what would be the complete and correct way to 'describe internet/wan access' if you want to exclude all local addresses?

And second, is there a better way to do this?

SteveITS

@hardware_bxl said in Allow or block internet access:

if your device would multicast for discovery on the network

If it's multicast on the LAN network the device is on, the firewall rules are not involved since traffic within a network doesn't go through the router/firewall.

Another method would be to not have a gateway set on the device, so it can't get out of the network.

hardware_bxl

@steveits said in Allow or block internet access:

@hardware_bxl said in Allow or block internet access:

if your device would multicast for discovery on the network

If it's multicast on the LAN network the device is on, the firewall rules are not involved since traffic within a network doesn't go through the router/firewall.

Yes, I was told this before. Is it different when the device is on WiFi? Because in my test setup with a wireless printer, the multicast (mdns) are clearly blocked by the firewall and need rules to allow. So how would it work on such a situation?

As for the no gateway solution, I have a default option and the wan gateway, should I create a dummy gateway for this to work? It how would I set no gateway for an interface?

Thanks for explaining.

SteveITS

@hardware_bxl You'd not set a gateway on the device so each PC. It's not ideal security-wise because someone could set one someday and get out. But, if they can do that they could also set their own static IP.

Any local traffic is local. Anything destined elsewhere is sent to the device's gateway (the pfSense) to route. It's probably just noise because pfSense is seeing the multicast, along with the other PCs. Usually I turn off logging for the default block rule to avoid a lot of log noise.

If the wireless network is the same as LAN then they are the same network.

hardware_bxl

@steveits

Well it's not just noise in my test setup it seems.
I have a wireless printer (that is my test device) and i am trying to block access to the WAN (internet) for this device.

With no other rules regarding the printer, it can indeed not access the WAN/internet.
BUT: it is also not discoverable on the net.
When examining the packets blocked by the rule, I also see mdns traffic blocked.

If and only if I allow UDP * 224.0.0.251 5353 on top of this rule, then the printer is discoverable again.
So that is saying to me, it is not just noise, at least not in my test setup, which is not uncommon situation imo.

hardware_bxl

@steveits

I will test this with a different setup and a wired device. It seems weird to me also that the multicast should be routed.
Will update later.

johnpoz

@hardware_bxl said in Allow or block internet access:

It seems weird to me also that the multicast should be routed.

Its not.. Allowing that on the firewall would only come into play if your trying to use discovery across vlans with say avahi.

AndyRH

@hardware_bxl said in Allow or block internet access:

As for the no gateway solution, I have a default option and the wan gateway, should I create a dummy gateway for this to work? It how would I set no gateway for an interface?

You can assign an address to the printer in DHCP and set option 3 to 'null' and the device will not receive a gateway.

hardware_bxl

@andyrh said in Allow or block internet access:

@hardware_bxl said in Allow or block internet access:

As for the no gateway solution, I have a default option and the wan gateway, should I create a dummy gateway for this to work? It how would I set no gateway for an interface?

You can assign an address to the printer in DHCP and set option 3 to 'null' and the device will not receive a gateway.

Yes ok I thought of that, SteveITS already explained that security-wise it's not ideal, but that is an option yes.