Netgate Discussion Forum

Firewall Rule for a single device

Category: Firewalling (13 posts, 4 posters, 1.2k views)
FrankZappa (Sep 21, 2022, 10:20 AM):

I have my network segmented with 3 VLANs. VLANs cannot speak to each other per firewall rules. However, I'd like my primary VLAN to speak to a single device on the other VLAN (Minecraft server that displays the Minecraft map). However, I'm not interested in the Minecraft server being able to access my primary VLAN. Is this possible?

Gertjan @FrankZappa (Sep 21, 2022, 10:32 AM):

      @frankzappa said in Firewall Rule for a single device:

      Is this possible?

      That's what a firewall is all about.

You have these rules:

      @frankzappa said in Firewall Rule for a single device:

      VLAN's cannot speak to each other per firewall rules

On the interface where the Minecraft client resides, add a first rule with:
Source IP == the IP of the client (PC)
Destination IP == the IP of the server
Destination port: the port on which the server listens.
Protocol: the protocol the server uses, UDP or TCP (or both?)
Make this a "pass" rule.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

FrankZappa (Sep 22, 2022, 12:19 AM):

        Thanks. That worked. However, not sure if Minecraft Server can communicate with LAN (I know LAN can communicate with Minecraft Server). Is it a one-way street?

Jarhead @FrankZappa (Sep 22, 2022, 2:52 AM):

          @frankzappa You would have to add a rule on the vlan port also.

Gertjan @FrankZappa (Sep 22, 2022, 5:20 AM):

            @frankzappa said in Firewall Rule for a single device:

            However, not sure if Minecraft Server can communicate with LAN

A "server" application gets contacted by a client.
Web servers never contact you (your web browser is the client): you take the initiative with the browser.
A mail server doesn't push your mail to you; you use a mail client to query your mail server.
Etc.
A server-type application just listens and waits for requests.

Your Minecraft server should probably have access to the Internet, so it can look up the time, check for updates, and that kind of stuff. It most probably doesn't need to contact anything on your LAN or elsewhere to work.

Let's get back to this question:

            @frankzappa said in Firewall Rule for a single device:

            However, I'd like my primary VLAN to speak to a single device on the other VLAN (Minecraft server that displays the Minecraft map)

            Change

            @gertjan said in Firewall Rule for a single device:

            Source IP == the IP of the client (PC)

            for

[image: screenshot of the rule's Source field, not preserved in this copy]

Now all devices on your LAN (NETwork) can access the Minecraft server.

You also need to understand what a stateful firewall is.

FrankZappa (Sep 22, 2022, 9:47 AM):

Thanks Gertjan. Most helpful. I read up on stateful firewalls as well. pfSense does some pretty cool stuff. I learn something new every day. I guess my biggest concern was "if" some hacker got into the Minecraft server, could the hacker then access my main network, even though they are segmented VLANs? Still not clear on that. Thanks

OpIT GmbH (Sep 22, 2022, 9:58 AM):

If you don't have an allow rule in your Minecraft VLAN to access your main LAN, then no.

FrankZappa (Sep 22, 2022, 10:07 AM):

                  Thanks!!!!!

Gertjan @FrankZappa (Sep 22, 2022, 1:25 PM):

                    @frankzappa said in Firewall Rule for a single device:

                    I read up on stateful firewalls as well. pfSense does some pretty cool stuff.

pfSense, using the FreeBSD firewall called 'pf', or a Linux-based OS using 'iptables', or the firewall Windows uses on your PC: they are all stateful these days. They all do the same thing; the rules are the same.

                    @frankzappa said in Firewall Rule for a single device:

                    got into the Minecraft server, could the hacker then access my main network

Nope.
Like any other device on any LAN, nothing can be contacted from the WAN interface (or something behind the WAN interface, like the entire Internet).
Because:

1. you have no rules on your WAN interface
2. the default firewall behaviour on an interface is: block all incoming traffic.

Keep in mind: "rules on a WAN interface" control traffic that "enters" that physical interface, those RJ45 plugs you have on your pfSense box.
"Enters" means: from somewhere into the interface, into the pfSense 'box'.
There can also be outgoing traffic, and outgoing traffic is not handled directly by firewall rules for that interface.

FrankZappa (Sep 22, 2022, 3:08 PM):

Thanks Gertjan. I do have a WAN firewall rule that allows access from the WAN to my Minecraft server on port 25565 (default Minecraft port), as well as a NAT port forward. Should I not do that?

Gertjan @FrankZappa (Sep 22, 2022, 3:19 PM):

                        @frankzappa said in Firewall Rule for a single device:

                        Should I not do that?

You would do that if you want to make your Minecraft server accessible 'on the Internet'.
You could limit that firewall (NAT, actually) rule with source IPs, if you know them.
Or, even better: if you have players that need to connect to your server, have them use a VPN. pfSense has a VPN server just for that reason.

If you do not want your Minecraft server accessed from the Internet, you can remove the rule.

FrankZappa (Sep 22, 2022, 3:24 PM):

I don't mind it being accessed from the Internet. It has a whitelist on the server, i.e., if you're not on the whitelist, you can't connect to the server. Thanks for your help.

Gertjan @FrankZappa (Sep 23, 2022, 6:10 AM):

                            @frankzappa said in Firewall Rule for a single device:

if you're not on the whitelist

You could create a pfSense Alias with all these IPs, and make a pass rule with this alias.
The server would only handle IPs that are allowed, not being bothered by any other IP.
So the server serves, the firewall firewalls.

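The behaviour the thread converges on, as an added example that is not part of the forum thread or of pfSense itself: a toy stateful packet filter in Python that applies the rules discussed above and shows why the LAN pass rule (Gertjan's Sep 22, 5:20 AM post) lets the server's replies back through state, why a connection the server itself initiates toward the LAN is dropped by the default block (the "hacker on the Minecraft server" question), and how the WAN port forward can be limited to an alias of allowed player IPs (Gertjan's Sep 23 post). It goes slightly beyond the thread in giving the server VLAN an explicit "block to LAN, then pass to anything else" pair so the server keeps Internet access, which illustrates first-match ordering. All addresses, interface names, port numbers other than 25565, and the alias contents are assumptions, not values from the thread.

```python
"""Toy model of a stateful packet filter evaluating pfSense-style rules.

Added example, not code from the forum thread or from pfSense.
All addresses, interface names and alias contents below are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing for the illustration:
#   lan     192.168.1.0/24   primary VLAN, a gaming PC at .50
#   vlan20  192.168.20.0/24  server VLAN, the Minecraft server at .10
#   wan     203.0.113.5      public address; a whitelisted player at 198.51.100.7
LAN_NET = "192.168.1.0/24"
VLAN20_NET = "192.168.20.0/24"
MC_SERVER = "192.168.20.10"
MC_PORT = 25565
WAN_IP = "203.0.113.5"
PLAYERS_ALIAS = ["198.51.100.7/32", "198.51.100.64/28"]  # assumed alias content


@dataclass(frozen=True)
class Packet:
    iface: str    # interface on which the packet ENTERS the firewall
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    iface: str
    action: str                                   # "pass" or "block"
    proto: Optional[str] = None                   # None = any protocol
    src: list[str] = field(default_factory=list)  # CIDRs (an alias); empty = any
    dst: Optional[str] = None                     # CIDR; None = any
    dport: Optional[int] = None                   # None = any port

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and (self.proto is None or self.proto == p.proto)
                and (not self.src or any(ip_address(p.src) in ip_network(n) for n in self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.states: set[tuple] = set()  # 5-tuples of connections already passed

    def filter(self, p: Packet) -> str:
        # The NAT port forward on WAN is applied before filtering, so the WAN
        # rule is written against the private destination, as in pfSense.
        if p.iface == "wan" and p.dst == WAN_IP and p.dport == MC_PORT:
            p = Packet(p.iface, p.proto, p.src, p.sport, MC_SERVER, MC_PORT)
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # A packet belonging to an existing state is passed without consulting
        # any rule; this is what lets the server's replies reach the client
        # even though the server VLAN has no pass rule toward the LAN.
        if fwd in self.states or rev in self.states:
            return "pass:state"
        # pfSense GUI rules are first-match-wins; no match means default block.
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(fwd)
                return f"{r.action}:rule"
        return "block:default"


RULES = [
    # LAN: any LAN host may open the Minecraft port on the one server, nothing else.
    Rule("lan", "pass", "tcp", [LAN_NET], MC_SERVER, MC_PORT),
    # VLAN20: the server may reach the Internet but never the LAN. The block
    # must sit ABOVE the pass, because the first matching rule wins.
    Rule("vlan20", "block", None, [VLAN20_NET], LAN_NET),
    Rule("vlan20", "pass", None, [VLAN20_NET]),
    # WAN: only sources in the players alias may use the port forward.
    Rule("wan", "pass", "tcp", PLAYERS_ALIAS, MC_SERVER, MC_PORT),
]


def run_scenarios() -> dict[str, str]:
    """Run the thread's questions as packets through a fresh firewall."""
    fw = StatefulFirewall(RULES)
    return {
        "pc->server:25565":     fw.filter(Packet("lan", "tcp", "192.168.1.50", 51000, MC_SERVER, MC_PORT)),
        "server reply->pc":     fw.filter(Packet("vlan20", "tcp", MC_SERVER, MC_PORT, "192.168.1.50", 51000)),
        "server->pc:445 (new)": fw.filter(Packet("vlan20", "tcp", MC_SERVER, 40000, "192.168.1.50", 445)),
        "server->internet:443": fw.filter(Packet("vlan20", "tcp", MC_SERVER, 40001, "93.184.216.34", 443)),
        "pc->server:22":        fw.filter(Packet("lan", "tcp", "192.168.1.50", 51001, MC_SERVER, 22)),
        "listed player->wan":   fw.filter(Packet("wan", "tcp", "198.51.100.7", 6000, WAN_IP, MC_PORT)),
        "unlisted host->wan":   fw.filter(Packet("wan", "tcp", "192.0.2.99", 6001, WAN_IP, MC_PORT)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22} {verdict}")
```

The "server reply->pc" line passes only because the PC's connection created a state first; run the same reply packet against a fresh firewall and it hits the VLAN20 block rule, which is the practical meaning of "one-way street" in Jarhead's and OpIT's answers. The toy ignores TCP flags, state timeouts and interface binding of states, which real pf tracks; it models only the rule and state lookup order.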
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.