Rules not blocking guest network from firewall or other VLANS
-
I had these rules previously that were working, but discovered yesterday I was able to access the firewall from the guest network. Here are my rules below. Maybe someone can tell me what I'm doing wrong; just puzzled it worked previously anyhow. I'm using pfSense+ release 25.07.1. Thanks
-
@rve52001 the '0/0' in 'States' indicates that the rules never match.
What IP range is GUESTLAN and what IP is the client which should not be able to access the LAN/LAN2/SECURITYLAN?
If you enable logging in the rules below, you'll see which rule is allowing the traffic.
-
@patient0 The guest LAN is 192.168.30.0/24
LAN 1 192.168.1.0/24
LAN 2 192.168.20.0/24
SECURITY LAN 192.168.10.0/28
And the rules are not blocking access like they should. I can get on the guest network and access the firewall.
-
@rve52001 said in Rules not blocking guest network from firewall or other VLANS:
I can't get on the guest network and access the firewall.
You can't or you can? The rule blocks access to the firewall.
-
@patient0 I'm sorry, I can log in to the guest network and log into the firewall, and I want to block that. Which means anyone I give access to the guest network can try to get into the router or other VLANs for that matter, I think, since I can access the firewall.
-
@rve52001 said in Rules not blocking guest network from firewall or other VLANS:
I can log in the Guestnetwork and log into the firewall
If you are on the GUESTLan and the client you are connecting with is on the GUESTLan then that is not possible; your first rule does prevent that.
Can you show the interface overview and the client configuration?
-
@patient0 these are all the rules for the Guestnetwork
-
@rve52001 said in Rules not blocking guest network from firewall or other VLANS:
these are all the rules for the Guestnetwork
Is the client getting an IPv4 and IPv6 address? Do the block rules work with either IPv4 or IPv6?
None of the blocking rules are matching, ever, and that is just not possible if the client is on the GUESTLan interface with a GUESTLAN IP; you have created the rules correctly.
-
@patient0 That is why I am at a loss. Everything is configured correctly. Yes, guests get both IPv6 and IPv4. When I am on the guest network, I can ping the firewall on all VLANs. I even changed the rule to just IPv4 and pinged the IPv4 address of the router and it still doesn't block.
-
@rve52001 said in Rules not blocking guest network from firewall or other VLANS:
That is why I am at a loss. Everything is configured correctly.
Can you show the IP configuration of the client and a traceroute to a) the firewall IP (192.168.30.1) and b) some external IP?
-
@rve52001 I totally forgot: what floating rules do you have? Floating rules get applied before the interface rules.
-
@rve52001 for reference Netgate has examples such as https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4200/opt-lan.html#isolated
Check through https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied
Your second and third rules are redundant because the top rule already blocks to pfSense. If you meant to block to LAN then you need to use LAN Subnets, etc., not LAN Address.
-
@SteveITS That's part of the problem: the first rule is not blocking at all and I can't figure out why.
-
@rve52001 Any errors in the filter reload per the troubleshooting?
Rules don’t apply because something doesn’t match: source/interface, port, destination.
-
@SteveITS said in Rules not blocking guest network from firewall or other VLANS:
because something doesn’t match: source/interface, port, destination.
Completely agree, but with the rule he is showing (IPv4+6, any, any to any firewall IP) it would clearly match trying to open up the webgui of pfSense.
But clearly it shows it has never triggered with that 0/0, so two things come to mind. One is there is a state currently open that is allowing the traffic even with the block rule added. The other is there is a floating rule that is triggered to allow it before that rule would get evaluated.
Edit: another thing would be that he is not actually talking to pfSense via that specific interface, and the interface being used has different rules that allow the access.
So I would like to see the floating tab rules, and take a look in the state table. I'd like to see the client's IP address. With that rule in place a client on the guestlan subnet should not even be able to ping the pfSense guestlan IP 192.168.30.1, let alone access the gui.
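The following is an added example, not code from any poster in this thread or from Netgate. It is a toy model of pf's rule evaluation built to illustrate the three explanations raised above: floating rules being evaluated before interface-tab rules, a block to "LAN Address" not covering hosts in "LAN Subnets", and an already-open state bypassing a block rule that was added afterwards (the reason a rule can sit at 0/0 states while the traffic still flows). The interface names and subnets come from the thread; the firewall IP 192.168.30.1 is from the thread, while the .1 addresses on LAN, LAN2 and SECURITYLAN, the client IPs 192.168.30.50 and 192.168.1.50, and every packet are constructed assumptions.

```python
"""Toy model of pf/pfSense rule evaluation (added example, not Netgate code).

Semantics modelled:
  * an existing state entry bypasses the ruleset entirely;
  * floating rules are evaluated before interface-tab rules;
  * last matching rule wins unless a matching rule is 'quick'
    (pfSense makes every interface-tab rule quick);
  * the implicit default is block.
"""
from dataclasses import dataclass
import ipaddress

# Interface table: name -> (interface IP, subnet). Subnets are from the thread;
# only 192.168.30.1 is stated there, the other .1 gateway IPs are assumed.
INTERFACES = {
    "GUESTLAN":    ("192.168.30.1", "192.168.30.0/24"),
    "LAN":         ("192.168.1.1",  "192.168.1.0/24"),
    "LAN2":        ("192.168.20.1", "192.168.20.0/24"),
    "SECURITYLAN": ("192.168.10.1", "192.168.10.0/28"),
}


def resolve(token):
    """Expand a pfSense-style address token into a list of networks.
    '<IF> Address' is the single interface IP, '<IF> Subnets' is the whole
    subnet, 'This Firewall' is every interface IP, 'any' matches everything."""
    if token == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if token == "This Firewall":
        return [ipaddress.ip_network(ip) for ip, _ in INTERFACES.values()]
    name, kind = token.rsplit(" ", 1)
    ip, net = INTERFACES[name]
    return [ipaddress.ip_network(ip if kind == "Address" else net)]


@dataclass(frozen=True)
class Rule:
    iface: str          # interface tab name, or "floating"
    action: str         # "pass" or "block"
    src: str
    dst: str
    quick: bool = True  # interface-tab rules are always quick in pfSense
    label: str = ""


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str


def matches(rule, pkt):
    """True if the rule applies to the packet's ingress interface and its
    source and destination fall inside the resolved address tokens."""
    if rule.iface not in ("floating", pkt.in_iface):
        return False
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (any(s in n for n in resolve(rule.src))
            and any(d in n for n in resolve(rule.dst)))


def evaluate(rules, pkt, states=frozenset()):
    """Return (action, label) for the packet under pf evaluation order."""
    if (pkt.src, pkt.dst) in states:
        return "pass", "existing state"      # ruleset never consulted
    ordered = ([r for r in rules if r.iface == "floating"]
               + [r for r in rules if r.iface != "floating"])
    result = ("block", "default deny")
    for r in ordered:
        if matches(r, pkt):
            result = (r.action, r.label)
            if r.quick:
                break                        # quick: stop at first match
    return result


# Guest ruleset as recommended in the thread: block the firewall itself and
# the other subnets (not just their interface addresses), then allow the rest.
GUEST_RULES = [
    Rule("GUESTLAN", "block", "GUESTLAN Subnets", "This Firewall", label="block to firewall"),
    Rule("GUESTLAN", "block", "GUESTLAN Subnets", "LAN Subnets", label="block to LAN"),
    Rule("GUESTLAN", "block", "GUESTLAN Subnets", "LAN2 Subnets", label="block to LAN2"),
    Rule("GUESTLAN", "block", "GUESTLAN Subnets", "SECURITYLAN Subnets", label="block to SECURITYLAN"),
    Rule("GUESTLAN", "pass", "GUESTLAN Subnets", "any", label="allow guest out"),
]
# Same ruleset with the mistake SteveITS warns about: 'LAN Address' only.
ADDRESS_ONLY_RULES = [Rule(r.iface, r.action, r.src, r.dst.replace("Subnets", "Address")
                           if r.dst != "GUESTLAN Subnets" else r.dst, label=r.label)
                      for r in GUEST_RULES]
FLOATING_QUICK_PASS = Rule("floating", "pass", "any", "any", quick=True, label="floating allow")
FLOATING_NONQUICK_PASS = Rule("floating", "pass", "any", "any", quick=False, label="floating allow")


def guest_to_webgui(rules=GUEST_RULES, states=frozenset()):
    """Constructed guest client 192.168.30.50 reaching the GUESTLAN firewall IP."""
    return evaluate(rules, Packet("GUESTLAN", "192.168.30.50", "192.168.30.1"), states)


def guest_to_lan_host(rules=GUEST_RULES):
    """Constructed guest client reaching an ordinary LAN host, not the LAN gateway."""
    return evaluate(rules, Packet("GUESTLAN", "192.168.30.50", "192.168.1.50"))


if __name__ == "__main__":
    print("correct rules, to webgui:   ", guest_to_webgui())
    print("correct rules, to LAN host: ", guest_to_lan_host())
    print("LAN Address, to LAN host:   ", guest_to_lan_host(ADDRESS_ONLY_RULES))
    print("floating quick pass first:  ", guest_to_webgui([FLOATING_QUICK_PASS] + GUEST_RULES))
    print("floating non-quick pass:    ", guest_to_webgui([FLOATING_NONQUICK_PASS] + GUEST_RULES))
    print("state already open:         ", guest_to_webgui(states=frozenset({("192.168.30.50", "192.168.30.1")})))
```

Running the script shows the three failure modes side by side: with the ruleset as written the webgui and LAN hosts are blocked; swapping "LAN Subnets" for "LAN Address" lets the guest reach 192.168.1.50 via the final pass rule; a quick floating pass wins before the interface tab is consulted (a non-quick floating pass does not, because the later quick block overrides it); and an existing state passes the traffic without touching any rule, which is exactly the 0/0 counter on the block rule. The practical checks the thread asks for map onto these cases: inspect the Floating tab, and reset or inspect the state table after adding a block rule.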