Netgate Discussion Forum

Netgate 2100 - setup question

Official Netgate® Hardware
67 Posts 6 Posters 10.9k Views
  • N
    netboy @rcoleman-netgate
    last edited by netboy Oct 30, 2022, 6:35 PM Oct 30, 2022, 6:34 PM

    @rcoleman-netgate I need help in firewall rules.

    I want the 192.16.0.XXX subnet to go to the internet and talk to the 172.16.0.XXX subnet, but I want to BLOCK 172.16.0.xxx to the 192 subnet - 172 can talk to the internet (allow). These are my existing firewall rules.

    IoTP4 is 172.16.0.XXX

    [screenshots: existing firewall rules]

    • R
      rcoleman-netgate Netgate @netboy
      last edited by Oct 30, 2022, 6:39 PM

      @netboy So block on LAN interface anything with a SOURCE address of IOTP4 Network. Put that above your "allow all traffic" rule.

      Ryan
      Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
      Requesting firmware for your Netgate device? https://go.netgate.com
      Switching: Mikrotik, Netgear, Extreme
      Wireless: Aruba, Ubiquiti

      • N
        netboy @rcoleman-netgate
        last edited by netboy Oct 30, 2022, 6:46 PM Oct 30, 2022, 6:42 PM

        @rcoleman-netgate on the LAN firewall (192) BLOCK IoT (172) and this must be the FIRST rule. Have I got it right? On the drop-down there are two options, IOTP4 address and IOTP4 net - which one do I select as source?

        Below correct?

        [screenshot: proposed block rule]

        • R
          rcoleman-netgate Netgate @netboy
          last edited by rcoleman-netgate Oct 30, 2022, 6:47 PM Oct 30, 2022, 6:47 PM

          @netboy That will only block HTTP and HTTPS but not Ping or DNS

          Set the traffic to ANY type, not TCP.

          And, as I said, IOT Network, not IOT Address :)

          • N
            netboy @rcoleman-netgate
            last edited by Oct 30, 2022, 6:48 PM

            @rcoleman-netgate
            Is this correct? The order ok?

            [screenshot: rule order]

            • R
              rcoleman-netgate Netgate @netboy
              last edited by Oct 30, 2022, 6:49 PM

              @netboy Needs to be IOTP4 Network, not address.

              • N
                netboy @rcoleman-netgate
                last edited by Oct 30, 2022, 7:06 PM

                @rcoleman-netgate got it

                This ok?

                [screenshot: rule with IOTP4 net as source]

                • R
                  rcoleman-netgate Netgate @netboy
                  last edited by Oct 30, 2022, 7:14 PM

                  @netboy Should be. Plug into the IOTP4 network and try to access anything on the LAN network (pf GUI on that IP, ping, etc.)

                  it should block, and when you come back the "0 / 0 B" in the states column should increment.

                  • N
                    netboy @rcoleman-netgate
                    last edited by Oct 30, 2022, 7:23 PM

                    @rcoleman-netgate Did not work - please see screen shot below

                    [screenshot: ping test result]

                    • R
                      rcoleman-netgate Netgate @netboy
                      last edited by Oct 30, 2022, 7:29 PM

                      @netboy [screenshot: ping source address drop-down]

                      Automatically Select == use the network based on the IP you're pinging. Switch that to "IOTP4"

                      • N
                        netboy @rcoleman-netgate
                        last edited by Oct 30, 2022, 7:32 PM

                        @rcoleman-netgate [screenshot: ping from IOTP4 source address]

                        Able to ping after pointing source address to IOTP4

                        • S
                          stephenw10 Netgate Administrator
                          last edited by Oct 30, 2022, 7:43 PM

                          You should move that rule from the LAN interface to the IOTP4 interface.

                          Connections are opened from there and that's where they need to be blocked.

                          You probably also want the destination to be LANnet so that all hosts in the LAN subnet are blocked.
                          I would also choose to use a reject rule rather than block there so that clients on the IOTP4 subnet see the connection as refused immediately rather than having to time out. It just makes failures easier to handle for devices mistakenly trying to access LAN.

                          You need to test it from a device on the IOTP4 subnet so that the traffic goes through the IOTP4 firewall rules.

                          Steve

                            • N
                              netboy @netboy
                              last edited by Oct 30, 2022, 7:48 PM

                              @netboy OK

                              Removed BLOCK rule from LAN interface and included this

                              [screenshot: new rule on the IOTP4 interface]

                              Shall I apply this and test?

                              • S
                                stephenw10 Netgate Administrator
                                last edited by Oct 30, 2022, 7:49 PM

                                That will work. I would set the protocol to 'any' though to include ping etc.

                                • N
                                  netboy @stephenw10
                                  last edited by Oct 30, 2022, 7:53 PM

                                  @stephenw10
                                  This is what my firewall rules are now

                                  [screenshot: current firewall rules]

                                  Did a ping test and works - does not block!

                                  [screenshot: ping test from pfSense]

                                  • S
                                    stephenw10 Netgate Administrator
                                    last edited by Oct 30, 2022, 7:57 PM

                                    Yeah, you have to test from a device in the IOTP4 subnet. Pings generated from pfSense itself do not get filtered by those firewall rules. Only outbound rules would be applied and by default everything is allowed outbound.

                                    Steve

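To make the behaviour discussed in this thread concrete (rules are evaluated on the interface a connection enters, "IOTP4 net" versus "IOTP4 address", protocol TCP versus any, and pfSense's own pings bypassing interface rules), here is an added Python model of pfSense's first-match, per-interface rule evaluation; it is not pfSense or Netgate code and assumes LAN is 192.168.0.0/24 and IOTP4 is 172.16.0.0/24 with the firewall at .1 on each.

```python
"""Added model of pfSense per-interface rule evaluation (not pfSense/Netgate code).
Assumed layout: LAN 192.168.0.0/24 and IOTP4 172.16.0.0/24, firewall at .1 on each.
The first matching rule on the interface a connection ENTERS wins; traffic generated
by the firewall itself skips interface rules (only outbound rules, default allow)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NETS = {"LAN": ip_network("192.168.0.0/24"), "IOTP4": ip_network("172.16.0.0/24")}
FW_ADDRS = {"LAN": ip_address("192.168.0.1"), "IOTP4": ip_address("172.16.0.1")}


def addr_matches(spec, ip):
    """'any', '<iface> net' (the whole subnet) or '<iface> address' (the firewall's own IP)."""
    if spec == "any":
        return True
    iface, kind = spec.split()
    return ip in NETS[iface] if kind == "net" else ip == FW_ADDRS[iface]


@dataclass
class Rule:
    action: str  # "pass", "block" or "reject"
    proto: str   # "any", "tcp", "udp" or "icmp"
    src: str     # e.g. "IOTP4 net", "IOTP4 address" or "any"
    dst: str

    def matches(self, proto, src, dst):
        return self.proto in ("any", proto) and addr_matches(self.src, src) and addr_matches(self.dst, dst)


def evaluate(rulesets, proto, src, dst):
    """Verdict for the first packet of a connection (replies are allowed by state)."""
    src, dst = ip_address(src), ip_address(dst)
    if src in FW_ADDRS.values():  # generated by pfSense itself: interface rules never apply
        return "pass"
    iface = next((name for name, net in NETS.items() if src in net), None)
    for rule in rulesets.get(iface, []):  # only the rules on the INGRESS interface are consulted
        if rule.matches(proto, src, dst):
            return rule.action
    return "block"  # implicit default deny at the end of every interface's rule list


# Constructed rule sets: the LAN-side attempt from the thread, and the final fix.
LAN_SIDE_ATTEMPT = {
    "LAN": [Rule("block", "tcp", "IOTP4 net", "LAN net"), Rule("pass", "any", "LAN net", "any")],
    "IOTP4": [Rule("pass", "any", "IOTP4 net", "any")],
}
FINAL = {
    "LAN": [Rule("pass", "any", "LAN net", "any")],
    "IOTP4": [Rule("reject", "any", "IOTP4 net", "LAN net"), Rule("pass", "any", "IOTP4 net", "any")],
}
```

Running `evaluate(LAN_SIDE_ATTEMPT, "tcp", "172.16.0.50", "192.168.0.10")` returns "pass" because the connection enters on IOTP4 and the LAN rule is never consulted, while the same call against `FINAL` returns "reject".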
                                    • N
                                      netboy @stephenw10
                                      last edited by Oct 30, 2022, 8:01 PM

                                      @stephenw10

                                      Looks like a SUCCESS!

                                      [screenshot: ping from an IOTP4 device blocked]

                                      Thank you Stephenw10 and all others

                                      • N
                                        netboy @netboy
                                        last edited by Oct 30, 2022, 8:05 PM

                                        @netboy Able to ping from 192 subnet to 172

                                        [screenshot: ping from 192 subnet to 172]

                                        I think I have to thank everybody in this forum. Netgate 2100 Max is a fantastic router though pricey.

                                        I shall seek further help if need be.

                                        Thank you everybody

                                        • N
                                          netboy @netboy
                                          last edited by Oct 31, 2022, 12:51 AM

                                          @netboy I am documenting below "how I made my printers work over the network in windows 10"

                                          My printers are in 172.16.0.XXX subnet and my computers are in 192.168.0.XXX subnet. 192.168.0.XXX can talk to (ALLOW) 172.16.0.XXX but not vice versa.

                                          The first thing I did was connect my computer to the 172 subnet and configure the printers.

                                          I then connected my computers to the 192 subnet and used the Windows tool to configure TCP/IP printers, gave the "static" IP address of the printers, and it worked.
