Netgate Hardware MVNETA1 LAN Firewall Rules
-
@rennit Your Netgate device has a switch.
Netgate 1100: https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/configuring-the-switch-ports.html
Netgate 2100: https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html
Netgate 3100: https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/configuring-the-switch-ports.html
You tie the VLANs to the mvneta0 and then use the switch config to assign them to ports (tagged or untagged).
Pay attention to the port that is listed as the IC interface as it must be tagged on all VLANs for it to be usable in pfSense.
-
@rcoleman-netgate yes, thank you!
It seems for a WAN parent interface it would be mvneta0, but for LAN the parent interface would be mvneta1, etc. I assume what you were explaining is that it is not possible to create additional parent interfaces. Understood. Many tutorials speak of not using LAN for a parent interface, though as mentioned, many tutorials often refer to VMs rather than Netgate hardware. Appreciate the clarification.
Would you mind helping with the answers to b, c and e please. I'll copy them below for ease:
c. When LAN is dormant and only VLANs are used, is LAN essentially just another OPT interface?
d. Can the LAN IP address be deleted if not being used, even though it is the parent interface for all VLANs? Would this be best security practice in the circumstance where LAN is not used? (Similar to implementing advice of not using LAN as parent interface, if there is a need for that.) Any conflicts with pfSense by doing this?
e. If LAN must remain and ties all together as parent interface, would it make sense to create firewall rules to block LAN from and to RFC 1918 or is it separated like a logical interface? Or is that just not needed?
Thank you for your time!
-
@rennit said in Netgate Hardware MVNETA1 LAN Firewall Rules:
c. When LAN is dormant and only VLANs are used, is LAN essentially just another OPT interface?
C: An interface is an interface. You can change the names to suit your needs - they don't hold any special action except the default LAN interface passes all traffic by default. You can disable that -- but if you do you can also lock yourself out.
D: You can do whatever you want in this regard.
E: See D and C.
-
@rcoleman-netgate Perfect, thank you!
So the LAN interface is one like any other, with the exception that it passes all traffic. If I am using a separate VLAN as a management interface and do not rely upon default LAN for access, would disabling default LAN still affect other interfaces, such as a separate management interface/VLAN, and possibly cause a lockout?
Note: Trying to understand the relationship that default LAN has with all VLANs/logical interfaces that have default LAN as a parent interface in pfSense (based upon mvneta1 physical) and that I now know it passes all traffic. Then apply that knowledge to firewall rules and segmentation. Appreciate your patience.
-
@rennit What model router do you have?
On something with a switch (or without) I am not sure I'd mess with disabling LAN. Can you simply not plug anything into any of the LAN ports? Not sure what creating a VLAN/separate interface and trying to disable LAN gets you, over just using LAN.
If you don't want LAN to allow all traffic you can edit the rules. It's just useful during setup because it allows a PC to connect to pfSense web GUI, get DNS, etc.
-
@steveits said in Netgate Hardware MVNETA1 LAN Firewall Rules:
Can you simply not plug anything into any of the LAN ports?
They're all LAN ports ;-)
OP could change the VLAN PVID on the ports to something not 4090/91/92 (depending on the model) and be done with it, too. Leave port 4 for the native LAN interface.
-
@rcoleman-netgate said in Netgate Hardware MVNETA1 LAN Firewall Rules:
They're all LAN ports ;-)
Well yes :) but I am unclear of the goal.
-
@SteveITS Agreed, I am not sure what it gets you either. Not suggesting it or currently doing it, but after reading multiple tutorials and blog articles like the following, it piqued my curiosity enough to ask for expert advice from those who know the hardware best. Some clarify "unassigned" as not assigning an IP address to the LAN interface, others do not. (I realize it sounds similar to hopping; not referencing VLANs, just default LAN in pfSense.)
Note: I do not think this is a misnomer with VLAN ID 1. Multiple sources have said similar as well, referring to 'parent interface' when creating VLANs. VMs clearly...
That statement and those like it have caused me to wonder if there is any possibility of data leak to a parent interface from the associated VLAN(s), solely because pfSense default LAN is the parent interface as an exception to standard practices.
To your Q: I am considering these questions as general, but the current two on this project are 4100 & 1537. If that changes anything, or if they each function differently in this respect, would truly appreciate the heads-up.
The goal with the questions is applied knowledge. Working through a set of unusual requirements, and in order to make multiple informed, disparate decisions, I need clarity on the information, and on whether pfSense has any unique features involved with the default LAN and integrated switches that people who use a variety of hardware aren't aware of, is all.
I truly appreciate the answers and you taking the time! Thank you!
Understood. Makes sense.
Thank you very much also for taking the time to respond. Much appreciated!
Lastly, if either of you have any security tips/warnings that specifically concern default LAN as a parent interface for VLANs, that would make it different or would make you need to deviate from standard practices, as opposed to any other interface/VLAN combo, would definitely appreciate those thoughts.
Thank you both again!
-
@rennit The parent interface is the physical port where the VLAN is attached/located/on. The interface itself can do that as it sees the packets (Suricata/Snort monitor VLANs in the mode they're in). That doesn't really affect other devices though since the packets don't go to other devices. Generally the switch is used to keep the VLANs to certain ports, to allow or block packets.
So I think the idea with those sorts of instructions is to have LAN be LAN, and OPT1 only used for VLAN(s) so no one can plug something in and get to the OPT1 interface?
-
@SteveITS Thank you very much again for the clarification. Makes sense. In summary: the associated risk, if any, that those sorts of instructions likely refer to is specific to direct physical access to the port only, and not to some other type of unusual possible data commingling specific to default LAN as parent interface on a Netgate device. Am I interpreting that correctly?
-
@rennit I guess? With VLANs AFAIK there are two ways to get the VLAN assigned. Either something assigns it (AP, switch) or the device's network config has a VLAN. With the latter, someone with knowledge can change, add, or remove the VLAN tag. If the switch allows the new-VLAN packet on that port then it gets passed on. Normally that's blocked by a managed switch, but generally unmanaged gigabit switches will pass packets without regard for VLAN.
Otherwise something would need to be removing the tag from the packets, in order to cross over to another VLAN.
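Added example, not code from anyone in this thread or from pfSense/Netgate. It illustrates the two points made in the last reply and in the earlier PVID remark: an 802.1Q tag is just four bytes a host can insert itself, and whether a self-inserted tag gets anywhere depends on how the switch port handles ingress (untagged frames are placed in the port's PVID; a managed switch drops tagged frames for VLANs the port is not a member of, while an unmanaged switch passes them through). The MAC addresses, VLAN IDs and port roles below are constructed for illustration, and the switch model is deliberately simplified (single tag, no MAC learning, no egress untagging).

```python
# Added example, not code from the forum thread or from pfSense/Netgate.
# Models (1) 802.1Q tagging as a four-byte insertion a host can do itself, and
# (2) switch ingress handling: PVID for untagged frames, membership check for
# tagged ones on a managed switch, pass-through on an unmanaged one.
# All MACs, VLAN IDs and port roles are constructed for illustration.
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

ETHERTYPE_8021Q = 0x8100


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]  # None when no 802.1Q tag is present on the wire
    pcp: int             # 3-bit priority code point from the tag (0 if untagged)
    ethertype: int       # EtherType of the encapsulated payload
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialise an Ethernet II frame, inserting an 802.1Q tag if vlan is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    hdr = dst + src
    if vlan is not None:
        if not 0 <= vlan <= 0xFFF or not 0 <= pcp <= 7:
            raise ValueError("VLAN ID must be 0..4095 and PCP 0..7")
        tci = (pcp << 13) | vlan  # DEI bit (bit 12) left clear
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, peeling a single 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan, pcp, off = None, 0, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, pcp, off = tci & 0x0FFF, tci >> 13, 18
    return Frame(dst, src, vlan, pcp, ethertype, raw[off:])


@dataclass(frozen=True)
class SwitchPort:
    pvid: int                    # VLAN assigned to untagged ingress frames
    tagged: FrozenSet[int]       # VLANs this port accepts tagged
    ingress_filter: bool = True  # True: managed switch drops tags it is not a member of


def classify_ingress(port: SwitchPort, raw: bytes) -> Optional[int]:
    """Return the VLAN the switch would forward this frame in, or None if dropped."""
    f = parse_frame(raw)
    if f.vlan is None or f.vlan == 0:
        # Untagged (or priority-tagged, VID 0) traffic goes into the port's PVID.
        return port.pvid
    if port.ingress_filter and f.vlan not in port.tagged:
        # Managed switch: a host self-tagging a VLAN the port is not a member of
        # is dropped at ingress. This is what stops hopping from an access port.
        return None
    # Unmanaged switch (or the port is a member): the tag is carried as-is.
    return f.vlan


def demo() -> dict:
    """Constructed scenario: an untagged access port (PVID 10), a CPU/uplink
    port carrying VLANs 10 and 20 tagged, and an unmanaged switch port."""
    host = bytes.fromhex("02aabbccddee")
    gw = bytes.fromhex("021122334455")
    access = SwitchPort(pvid=10, tagged=frozenset())
    uplink = SwitchPort(pvid=1, tagged=frozenset({10, 20}))
    unmanaged = SwitchPort(pvid=1, tagged=frozenset(), ingress_filter=False)
    ip_stub = b"\x45" + b"\x00" * 19  # constructed, not a real IPv4 packet
    plain = build_frame(gw, host, 0x0800, ip_stub)
    self_tagged = build_frame(gw, host, 0x0800, ip_stub, vlan=20)
    return {
        "untagged_on_access": classify_ingress(access, plain),              # 10
        "self_tag_on_managed": classify_ingress(access, self_tagged),       # None
        "self_tag_on_unmanaged": classify_ingress(unmanaged, self_tagged),  # 20
        "tagged_on_uplink": classify_ingress(uplink, self_tagged),          # 20
    }


if __name__ == "__main__":
    for name, vid in demo().items():
        print(f"{name}: {vid}")
```

The takeaway for the pfSense-plus-switch case in this thread is the middle two results: the same self-tagged frame is dropped by a port with ingress filtering but forwarded by a switch that does not look at tags, which is why the switch's per-port VLAN membership, not the parent interface in pfSense, is what keeps VLANs apart.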