Restricting subnets from communicating

McMurphy

I have a LAN with three networks

• 10.40.1.0/24
• 10.54.0.0/28
• 10.54.0.16/28

I want to have pfSense configured so that the 2nd and 3rd networks can access the first network without the 2nd and 3rd networks being able to access each other.

patient0

@McMurphy are your three network on different interfaces/VLANs? Can you share the firewall rules you have right now?

Generally you set the restrictions on the interfaces the traffic comes from. Example:

• they are on separate interfaces/VLANs
• LAN2 & LAN3 are allowed to access the internet

LAN1 : 10.40.1.0/24
LAN2: 10.54.0.0/28
LAN3: 10.54.0.16/28

• in the firewall tab for LAN2:
  • from source LAN2 to destination 'not LAN3' -> allow
• in the firewall tab for LAN3:
  • from source LAN3 to destination 'not LAN2' -> allow

To simplify it you can create a network alias that includes both LAN2 and LAN3 networks and use that for both rules. That will work since LAN2 traffic with destination LAN2 will not hit pfSense.

McMurphy

@patient0

All three are on the same interface. No VLANs (long story).

I thought that the two /28 networks would be unable to communicate with each other directly without the router.

Single "LAN" interface in pfSense for all three networks.

patient0

@McMurphy said in Restricting subnets from communicating:

I thought that the two /28 networks would be unable to communicate with each other directly without the router.

Edit: we're talking 10.40.1.0/24, 10.54.0.0/28 and 10.54.0.16/28. What have you set on the LAN as IP address and subnet, 10.0.0.0/8?

From the first edit:

That is correct, yes. They will go via the router to try to reach each other. And you can block that on the router.

Something along: source LAN, destination 'not LAN' -> allow. But

But it can be changed on the device, if the user knows how to changed the subnet mask.

How do you assign IP, gateway and DNS to theses devices?

McMurphy

@patient0

The devices are servers. One db server and one RDS server. I thought about the risks of users changing netmask. As long as the user does not have admin access then it should be secure.

I had originally planned on using VLANs however hypervisor complications vitoed that idea. Even with VLANs, if the user had admin access they could also change the NICs VLAN tag to access other networks.

Bottom line is restrict admin access.

McMurphy

@patient0

On pfsense the LAN is 10.40.1.254/24 and I have added a virtual IP for each subnet
10.54.0.1/28 & 10.54.0.17/28

patient0

@McMurphy if it works for you, then that's ok. What gateway do the servers get?

You then have to create rules for your LAN interface, using alias. Something like below should work:

source = alias '10.54.0.0/28, 10.54.0.16/28', destination = not alias '10.54.0.0/28, 10.54.0.16/28' -> allow

That would all access to everything, including the rest of the LAN and internet, except the networks in the alias. I think that should do it.

Regarding VLAN, I don't agree. If you set the VLAN on the server/client, yes. But usually you set it on the switch (VLAN access port) and the client can't get access to anything else then the VLAN it is supposed to do.

McMurphy

@patient0

As there will be 100s of VLANs with only 3 servers in each VLAN I thought it would be easier to tag the servers rather than create all the VLANs on the hypervisor, not sure what the upper limit would be.

I use the 1st IP in each subnet as the GW IP and assign this to pfSense as a virtual IP so:
10.54.0.1
10.54.0.17

It all works but I would have preferred VLANs however due to the number involved I think it will be impractical.

patient0

@McMurphy said in Restricting subnets from communicating:

As there will be 100s of VLANs with only 3 servers in each VLAN I thought it would be easier to tag the servers rather than create all the VLANs on the hypervisor, not sure what the upper limit would be.

VLANs can be in the range of 1 to 4094 and that's what the switches support usually.
Setting 100s of IP aliases/subnets will also take a lot of time to set up, depending on the hypervisor the VLANs and VLAN-on-port can be scripted. And with that amount of VLANs and server, you do want to script it.

It all works but I would have preferred VLANs however due to the number involved I think it will be impractical.

If subnetting fits your security profile, why not.

McMurphy

@patient0

Subnetting works but you've correctly pointed out the security risk. I'll re-evaluate the vlan option