Smoothwall refugee ...
-
Okay more like an evacuee and I'm not sure if this is the correct spot or channel to post this plea.
Is this feasible? Does it make sense? Is there a better way to do this?
I had a Smoothwall running on an old Dell Inspiron 530S Core Dual Pentium and after four plus years of zero activity, and having been exposed to PFSense by purchasing one to setup for my brother at his residence, I decided that was the way to go .. and if we're doing this I might as well get some new hardware to upgrade my own home lab.
So, this is my proposed layout. It's up and running WAN -> LAN but I can't seem to get the right incantations vocalized to make the VLANs materialize and function as they do in my head. Direction, assistance, thoughts, ideas ... all welcome.
Comcast to a MB8600 DOCSIS 3.1
CWWK N305 16gb gskill, WD Blue 500gb NVMe, (4) i226-V
PFSense Community Ed. v2.7.2 on FreeBSD v14.0

eth0 WAN <- MB8600 (Comcast)
eth1 LAN -> TEG-3102WS Port 8 +2 SFP10g managed sw.
eth2 AP VLAN -> UniFi AP LR
eth3 Z3 VLAN -> Meraki Z3 (company managed VPN Endpoint)

eth1 LAN is functional with an IP subnet of x.x.20.x
I'd like eth2, which is connected to the Ubiquiti UniFi AP LR (yea.. legacy device but still works), to have access to WAN (internet), and WiFi connected devices to get x.x.21.x addresses.
I'd like eth3 (Z3 VLAN) to get out to the internet (WAN) via IP subnet 10.1.10.x. Its input is set to DHCP.
Rules I played with and didn't get working:

(for eth2)
States  Protocol  Source          Port  Destination  Port  Gateway  Queue  Description
0/0 B   IPv4      *               *     *            *     *        none   AP any any

(for eth3)
States  Protocol  Source          Port  Destination  Port  Gateway  Queue  Description
0/0 B   IPv4+6*   Z3VLAN address  *     WAN address  *     *        none   Meraki Z3 to Interwebs
0/0 B   IPv4+6*   *               *     LAN address  *     *        none   Block Z3 traffic to LAN

My new switch is a TRENDnet TEG-3102WS; ports 1-6 are currently to various wired PCs on LAN.
-
@Tacyon The formatting of those rules makes it hard to distinguish, better to post screenshots with the header to show which interface they're on.
Rules are evaluated when entering an interface from the directly connected network on that interface.
So if you want traffic to go from lan2 (I'll use physical interfaces as example but vlans work the same) to lan1, the rule goes on the lan2 interface and source would be lan2 subnet (or specific device(s) on lan2) with lan1 as destination.

Your rule on eth3 has WAN Address as destination. That alias is literally just the wan address, nothing else. Same as LAN address.
For LAN you can use LAN Subnets for the alias. For WAN it's a bit tougher since you can never really know all the IPs on the internet. A more common approach is to create an alias with all rfc1918 addresses, then block that to deny access to other vlans.
Hope that gets you going. -
@Tacyon
I think it'd help to explain what NAT mapping you are expecting to happen. Do you have more than one external WAN address? Also I'm quite confused about what's supposed to happen with the Z3 VPN endpoint. Why are you placing that on a different internal address range --- don't you need to be able to get at it from at least one of your LAN devices? -
@Tacyon For blocking an interface from accessing other local networks, Netgate has examples in some product manuals, such as https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4200/opt-lan.html#firewall-rules.
-
@Jarhead re: screen shots .. unfortunately .. playing around with other packages I did something wrong that resulted in the N305's monitor displaying an endless scroll of something needing to be off loaded ... after some tinkering and finally giving up, since this is all new to me and I can benefit from the practice ... I blew it all away with a reinstall .. so now I'm back to the beginning .. only I haven't attempted the ETH2 & 3 setups again/yet.
@tgl - I'm a bit of a paranoid tech ... I'd rather err on the side of "the door is locked" or at the very least, difficult for 95% of the tourists to get in.
For ETH2, that's going to be connected to my UniFi AP .. I'd like it on a different subnet from my ETH1 LAN interface ... and eventually I'll want to provide a "pinhole" (?) through it to my media server's static IP on my ETH1 LAN so my wireless devices can see my media server plus get out to the internet .... but all other traffic from ETH2 to ETH1 gets blocked.

@SteveITS thank you ... I'll look over the linkage you provided and see what I can learn.
For ETH3, that is connected to the Meraki Z3 .. it's a company VPN endpoint that WiFi's to my company laptop. I have no control nor access into it. I know that its input is DHCP as it gets whatever pool I give it access to.
What I want to assure myself is that it's not able to traverse any of "my LAN" from its interface ..

To use random IPs to illustrate what I was thinking for subnets ....
ETH0 - WAN - Comcast gets an IP from my DHCP from my side ... obviously not its public IP.
ETH1 - LAN - 172.26.20.1/24 and a DHCP pool from 172.26.20.100-172.26.20.199 for all DHCP'd devices on my LAN
ETH2 - UniFi AP LR - when it connects to PFSense for its interface, I'd like ETH2 to present it with 172.26.21.1/24 and while it (the AP) can do DHCP, I'm guessing I might as well do DHCP from PFSense's DHCP server. My thinking is that the 172.26.21.1/24 is isolated from 172.26.20.1/24 and can get out to the internet... Later I'd have to open a port or ?? to my media server.
ETH3 - Meraki Z3 - when it looks to PFSense for its DHCP ... I'd like the ETH3 to present it with 10.1.10.1/24 leases that can ONLY go out to the internet. There is zero need for it to have access to anything else but that. DENIED !

Does that make a bit more sense ?
-
@SteveITS said in Smoothwall refugee ...:
@Tacyon For blocking an interface from accessing other local networks, Netgate has examples in some product manuals, such as https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4200/opt-lan.html#firewall-rules.
I'm probably confused ... but isn't that recipe missing any allowance for DHCP service from the router?
-
@SteveITS - opened page in the docs and got all excited as its description was exactly (I think) what I wanted. .. except .. where the directions tell me to go and do .. don't exist.
so I've got the ETH2 and ETH3 cfg'd
In my previous attempt (before I re-installed) I have seen ETH2 & 3 listed here but only while I had been playing with VLAN being assigned to them.
waited ... cycled the DHCP service, haven't rebooted yet.

@tgl not sure what you're asking me .. (so I'm confused now :) ) Am I to take it then that simply having different subnets being cfg'd on each interface is isolation enough? Like I'm reading in the "opt-lan.html#firewall-rules" page?
-
@tgl pfSense adds a hidden rule for DHCP Server to function.
@Tacyon re missing interface, try using ISC, Kea is in preview/alpha.
simply having different subnets being cfg'd on each interface is isolation enough?
Firewall rules control access. If you put an Allow to any rule on a new interface and no blocks above it, it can get anywhere including LAN.
-
@SteveITS said in Smoothwall refugee ...:
re missing interface, try using ISC, Kea is in preview/alpha.
I wondered that ... but had read this while setting up pfSense: "ISC DHCP has reached end-of-life and will be removed from a future version of pfSense. Kea DHCP is the newer, modern DHCP distribution from ISC that includes the most-requested features."
I set the main DHCP backend system to ISC ... still no go.
-
@Tacyon
You have to state static IPs to the interfaces if you want to run a DHCP on it.

(for eth3)
0/0 B IPv4+6* Z3VLAN address * WAN address * * none Meraki Z3 to Interwebs

"Z3VLAN address" is only the interface address of pfSense. So this might not be what you want. You rather want to select "Z3VLAN net" here.
The same applies to "WAN address". There is no real benefit in allowing access to the WAN address. You might want to allow any destination in the internet, so you have to state any here.

For blocking access to any other local subnet, best practice is to add a block rule for RFC 1918 networks above the allow rule, as mentioned in the docs link stated by @SteveITS.
However, note that this also blocks access to the interface IP of pfSense itself. So to allow access to services on pfSense, e.g. DNS, you have to add an additional rule on the very first position for it. -
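The rule-ordering points above (services on pfSense first, then a block for the RFC 1918 ranges, then the allow-any), together with the earlier reply about rule direction and the "interface address" vs "net" aliases, can be checked with a small model of first-match evaluation. The following is an added example written for this thread; it is not pfSense code and was not posted by any participant. It assumes the placeholder addresses used in the thread (10.1.10.0/24 for the Z3 segment, 172.26.20.0/24 for LAN), an assumed WAN address from the documentation range, and constructed client hosts and ports. DHCP is left out of the model because pfSense adds its own hidden rule for it, as noted above.

```python
# Added illustration (not pfSense code): a tiny first-match rule evaluator
# modelling how pfSense walks an interface's rule list top to bottom, with
# an implicit deny if nothing matches. Addresses are the placeholders used
# in this thread; the WAN address, client hosts and ports are constructed.
from ipaddress import ip_address, ip_network

ANY = [ip_network("0.0.0.0/0")]
RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# "Z3VLAN address" in the pfSense GUI is just the firewall's own IP (/32);
# "Z3VLAN net" is the whole segment behind that interface.
Z3VLAN_ADDRESS = [ip_network("10.1.10.1/32")]
Z3VLAN_NET = [ip_network("10.1.10.0/24")]
WAN_ADDRESS = [ip_network("203.0.113.5/32")]   # assumed public WAN IP


def _in(nets, addr):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def evaluate(rules, src, dst, dport):
    """Return (action, description) of the first rule matching the flow.

    Each rule is (action, source nets, destination nets, destination
    ports or None for any, description). If nothing matches, pfSense's
    implicit default deny applies.
    """
    src, dst = ip_address(src), ip_address(dst)
    for action, src_nets, dst_nets, ports, desc in rules:
        if _in(src_nets, src) and _in(dst_nets, dst) and (ports is None or dport in ports):
            return action, desc
    return "block", "implicit default deny"


# What the original post had: source = interface *address*, destination =
# WAN *address*. No client on the segment ever matches this.
RULES_AS_POSTED = [
    ("pass", Z3VLAN_ADDRESS, WAN_ADDRESS, None, "Meraki Z3 to Interwebs"),
]

# The ordering recommended in this thread: services on pfSense first, then
# block the RFC1918 ranges, then pass everything else (the internet).
RULES_RECOMMENDED = [
    ("pass",  Z3VLAN_NET, Z3VLAN_ADDRESS, {53}, "allow DNS to pfSense itself"),
    ("block", Z3VLAN_NET, RFC1918,        None, "block other local networks"),
    ("pass",  Z3VLAN_NET, ANY,            None, "Meraki Z3 to Internet"),
]

# Same rules with the RFC1918 block moved to the top: DNS to the firewall
# (10.1.10.1 is inside 10.0.0.0/8) is now swallowed by the block rule.
RULES_BLOCK_FIRST = [RULES_RECOMMENDED[1], RULES_RECOMMENDED[0], RULES_RECOMMENDED[2]]

if __name__ == "__main__":
    client = "10.1.10.50"   # constructed: a lease handed out on the Z3 segment
    for name, rules in (("as posted", RULES_AS_POSTED),
                        ("recommended", RULES_RECOMMENDED),
                        ("block first", RULES_BLOCK_FIRST)):
        print(f"--- {name}")
        for dst, port in (("8.8.8.8", 443), ("172.26.20.10", 445), ("10.1.10.1", 53)):
            print(f"{client} -> {dst}:{port}: {evaluate(rules, client, dst, port)}")
```

Running it shows the three behaviours discussed in the thread: with the rule as posted the Z3 clients match nothing and hit the implicit deny; with the recommended order they reach the internet, are blocked from LAN, and can still resolve DNS against the firewall; and moving the RFC 1918 block to the top silently breaks that DNS access.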
Thanks for that "have to state static IPs to the interfaces if you want to run a DHCP on it." that put the two interfaces in the Service-DHCP Server.
I hooked up the Z3 to the ETH3 - gave it an any any rule to start with and after a reboot of the Z3 - it gave my work laptop access to the web and our corp shares. However, our Meraki management portal had it listed as "not connected". Seems as if there are some (maybe) ICMP ports or IPs that have to be allowed out? And then I need to craft a "deny" for the ETH3 to lock it down to just Internet and Meraki Cloud portal... and maybe this is unnecessary according to this.
From my poking around in our Meraki portal I can see that it's complaining about my Z3 having not checked in, but it's operational from my side. Not sure if it'll get disabled after an amount of not "phoning home". It appears that the Z3 got its 10.1.10.1 IP on its input .. but .. my work laptop's IP was still in my LAN subnet vs the subnet I'd specified for the Z3 ETH3 interface ... assuming that's where it should be getting it from.
I've decided that for the UniFi AP LR (Ubiquiti AP) connected to ETH2 .. it'd be too much hassle to pass through my media server ... and two WiFi connected printers ... rather than just give it any any access. Unless someone can tell me this is dangerous.
-
The absence of an interface on the DHCP server page can often be explained by what is not shown on the interface's configuration page: a very important part isn't shown, go to the right of the IP address.
By default, for "some reason" the network is set up as /32.
That means that the network contains just 1 IP: the static IP of the pfSense NIC. There is no place for a DHCP pool, so the DHCP server settings page doesn't bother to show it on the available interfaces ...
Solution: make it a /24. Save. Apply. And now it shows up. -
Ah, Smoothwall memories. My AMD K-6 233 with 8MB RAM, 3x 10Mb ISA NICs (that did BNC, Ethernet, and whatever the pin interface was), single-floppy system and dial-up on demand.