Firewall Rule for IoT Blocking Not Working
-
Hi all,
I have an IoT network I would like to lock down as standard so these devices can access internet, but not my other VLANS. The rule is not working as expected.
I have created an Alias called Personal_Networks listing a few networks I want the devices to avoid (10.100.40.0/24 is the main one; I'll call it the Secured Network here).
I have created a rule in the Interface of the IoT network (192.168.0.0/24) to block the devices from accessing the Secure network. I have also inverted the match on the destination. Rule is:
Protocol IPv4*, Source IoT net, Port *, Destination ! Personal_Networks, Port *, Gateway *

I have moved the rule up to the top of the list and saved/applied. There are two other rules on the list, the second being another Alias for a certain list of devices to bypass a VPN and travel directly out of WAN, and the third being the rest of the traffic to use the VPN; these last two work fine. I have also tried changing the order of the rules to no success.
The behaviour I am seeing is that from a device on the IoT network I can't ping a device on the Secured Network (perfect), but I CAN ping the gateway 10.100.40.0 (bad).
From a device on the Secured network, I can't ping the device on the IoT network (should be able to), but I CAN ping, once again, the gateway of 192.168.0.1.
I should be able to initiate a connection from anywhere on the Secured network to anywhere on the IoT network and have it land. Coming from the IoT network I should NOT be able to ping anything on the Secured network.
Can anyone think of any reason why this basic rule is not working?
Thanks in advance!
-
@nicp91-0 States come to mind. If there is a state that allows the traffic, the rules you put in place do not matter, because states are evaluated before rules.
Please post a picture of your rules
I can't ping the device on the IoT network (should be able to) but I CAN ping, once again, the gateway of 192.168.0.1
Maybe your device on the IoT network has a firewall? This is a common reason why you cannot ping or create a connection to something on another VLAN, even though the firewall rules at the source of the traffic allow it.
-
Please see attached IOT Network rules. I did not think of states! Since the below screen, I have deleted all states as it is late here and the network isn't seeing much use. This did not fix the issue.
The devices I am currently testing with are a Google TV with a static IP set to bypass (see rule 2), an iPhone with a ping app linked to IOT but not bypassed, and a command prompt from both a Macbook on the Secured Network (has identical rules 2&3) and inbuilt pfSense GUI ping. I am fairly certain these kinds of devices wouldn't lock up FW rules?
-
@nicp91-0
For the record: I haven't read the entire post, but this seems like a clear case of wrong order of rules.
I'm surprised the rules below the top one get that many states. Did you disable / move the rules before making that screenshot?
Suggestion:
- avoid NOT (!) rules when possible. You probably shoot yourself in the foot with that one
  - change it to a reject rule towards the personal_private_networks alias
-
@heper you may be on the right track there with the ! rule, I have had the rules in different orders at different times to try and troubleshoot things, but changing the order has not made the difference. The ! rule came from following a step-by-step guide which documented that method as a working solution.
Thanks for your suggestion, I'll take a look soon and see what that change makes.
-
The top rule in 'IOT Rules.png' causes any connection from <iot wifi net> that is NOT destined for <private networks> to go out through your default gateway.
The rules below will not get triggered to push them out through <vpn> or <PPPoE>, unless the destination is <private networks> <=== this does not make sense
-
@heper Very true! I think this step-by-step was meant for a bare-bones setup with no other gateways in place. But, it worked as a "Pass ! NOT <Private Networks>" in the tutorial, hence me wondering why it wasn't working for me.
I updated to a reject rule, removed the invert and kept the rule at #1. It is now working and IOT network on the iPhone cannot ping the Secured Network.
Naturally, the Secured Network could not initially ping the IOT network, so I implemented a Pass rule at #1 allowing traffic to flow from Secured to IOT, and now can successfully ping in that direction. A benefit to the ! rule seemed to be no need to make pass rules on other VLANS.
But anyway, problem solved. Thanks to you and @johnpoz for your help! Greatly appreciated.
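To make the two points in this thread concrete (states are consulted before rules, and a top "pass ! alias" rule does not block anything but does shadow the policy-routing rules under it), here is a small Python model of first-match interface rule evaluation. It is an added example, not code from the thread or from pfSense, and it is a simplification: no ports, protocols, interfaces or reply-to handling. The 10.100.40.0/24 and 192.168.0.0/24 networks come from the thread; the second personal network, the Bypass_Devices alias, the gateway names and the sample host addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed aliases modelled on the thread. 10.100.40.0/24 is the Secured
# Network and 192.168.0.0/24 the IoT network; the rest are assumed values.
ALIASES = {
    "Personal_Networks": ["10.100.40.0/24", "10.100.50.0/24"],
    "IoT_net": ["192.168.0.0/24"],
    "Bypass_Devices": ["192.168.0.50/32"],
}

@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "reject"
    src: str                    # alias name or "any"
    dst: str                    # alias name or "any"
    gateway: str = "default"    # "default", "WAN" or "VPN" (assumed names)
    invert_dst: bool = False    # the "!" (invert match) box on the destination
    description: str = ""

def in_alias(addr: str, alias: str) -> bool:
    """True when addr lies inside any network listed under alias ("any" always matches)."""
    if alias == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in ALIASES[alias])

def evaluate(rules, src: str, dst: str, states=frozenset()):
    """First-match evaluation of interface rules, top to bottom.

    An entry in the state table for (src, dst) is honoured before any rule is
    read: an existing state keeps passing traffic whatever the rules now say.
    Returns (action, gateway, reason)."""
    if (src, dst) in states:
        return ("pass", "state", "existing state")
    for rule in rules:
        if not in_alias(src, rule.src):
            continue
        dst_match = in_alias(dst, rule.dst)
        if rule.invert_dst:
            dst_match = not dst_match
        if dst_match:
            return (rule.action, rule.gateway, rule.description)
    return ("block", None, "implicit default deny")

# Ruleset as described in the original post: pass with inverted destination on
# top, then the VPN bypass rule and the catch-all VPN rule.
ORIGINAL_RULES = [
    Rule("pass", "IoT_net", "Personal_Networks", "default", invert_dst=True,
         description="pass ! Personal_Networks"),
    Rule("pass", "Bypass_Devices", "any", "WAN", description="bypass VPN"),
    Rule("pass", "IoT_net", "any", "VPN", description="everything else via VPN"),
]

# Ruleset after the fix: reject towards the alias first, no inversion, then the
# same two policy-routing rules.
FIXED_RULES = [
    Rule("reject", "IoT_net", "Personal_Networks", description="reject Personal_Networks"),
    Rule("pass", "Bypass_Devices", "any", "WAN", description="bypass VPN"),
    Rule("pass", "IoT_net", "any", "VPN", description="everything else via VPN"),
]

if __name__ == "__main__":
    flows = [("192.168.0.20", "10.100.40.10"),   # phone -> host on the Secured Network
             ("192.168.0.20", "203.0.113.7"),    # phone -> Internet (TEST-NET-3 address)
             ("192.168.0.50", "203.0.113.7")]    # bypass device -> Internet
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for src, dst in flows:
            print(f"{name:8} {src} -> {dst}: {evaluate(rules, src, dst)}")
```

With the original ruleset, traffic from the phone to the Secured Network slips past the inverted pass rule and is passed by the catch-all VPN rule, while every non-private destination, including the bypass device's, is matched by the top rule and sent to the default gateway, so the WAN and VPN rules never fire. With the fixed ruleset the reject rule ends the Secured Network flow and the policy-routing rules regain their intended destinations; an existing state still overrides all of it, which is why clearing states is part of testing a new rule.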