Firewall rules not working as expected...
-
Hi, setup PFSENSE so I can isolate a guest network on my home network to prevent any guest connections from accessing anything on any other subnet.
PFS 2.5.2, FreeBSD 12.2
So hardware setup is:
CLOUD <--> CABLE MODEM <--> PFSENSE BOX
PFSENSE LAN INTERFACE <--> WIFI ROUTER <--> Internal home LAN devices
PFSENSE DMZ INTERFACE <--> GUEST NETWORK devices
I want to ISOLATE all guest devices from seeing or accessing anything on the LAN INTERFACE network, but they need to have full access to the internet.
FIREWALL RULES:
WAN = default, block private and bogon networks.
LAN = Anti-lockout rules, port 80 and 22
BLOCK LAN ANY protocol, Source - LAN net, Destination - DMZ net
Default allow LAN to any rule (ipv4)
Default allow LAN to any rule (ipv6)
DMZ = BLOCK DMZ ANY protocol, Source - DMZ net, Destination - LAN net
PASS DMZ ANY protocol, Source - DMZ net, Destination - ANY
Well, I get on a device on the DMZ net, and I try to ping a device on the LAN net. With stateful, rules should process in order, top to bottom.
My ping does fail, HOWEVER, the PFSENSE log shows me that the ICMP PASSED successfully from DMZ net to LAN net!!!
What the heck? So what really happened? Makes me not want to trust what's going on! How POSSIBLY could that log say it passed? PFS should have BLOCKED the ICMP attempt with a BLOCK log, not a PASS log, right?
Are my rules messed up or something? Does the PFS logging not work correctly?
If it's the latter, how would I possibly TRUST PFS when it could possibly log a BLOCK when it really PASSED the packets???
Any input from a PFS pro would be appreciated.
Thanks,
MP
-
@mrpushner 2.5 is super old.
Guest is its own wiring? Gateway correct on all devices?
Rule example is in product manuals such as https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4200/opt-lan.html.
-
@SteveITS Hi, yes, LAN net and DMZ are on separate physical ports on the PFS box, on separate cables. Each are given IP, Gateway, and DNS by DHCP and that all looks to be correct.
-
@mrpushner said in Firewall rules not working as expected...:
DMZ = BLOCK DMZ ANY protocol, Source - DMZ net, Destination - LAN net
PASS DMZ ANY protocol, Source - DMZ net, Destination - ANY
If 'DMZ =' indicates the rules are on the DMZ interface, then the rule is correct. If the rule is on the LAN interface then move the two rules to the DMZ rules.
My ping does fail, HOWEVER, the PFSENSE log shows me that the ICMP PASSED successfully from DMZ net to LAN net!!!
Can you show the log entry (without public IPs), it's hard to believe that the log would indicate success. Success in blocking, yes but not success in passing.
-
Hi, yes "DMZ =" means those are the rules on the DMZ interface.
Here is the log entry.
Source is DMZ interface with the device IP where I did the ping from as 192.168.1.101.
I tried to ping a device on the LAN net, with ip of 10.0.1.110.

If I'm not mistaken, that GREEN CHECK MARK is a pass!
Thanks,
MP
-
@mrpushner Can you show a pic of your rules?
Is the LAN subnet not a /24 then? All three log entries' destination are in LAN?
-
Hi, LAN net subnet is /24.
Here are rules:
LAN:

DMZ:

My LAN net interface has a static IP of 10.0.0.1 but it has a WIFI router on it with a static IP of 10.0.0.2 that hands out IPs to devices in 10.0.1.0, so that is why the ping destination has the IP of 10.0.1.110.
Could that 2nd router introduce that pass log somehow?
Thx,
MP
-
@mrpushner said in Firewall rules not working as expected...:
it has a WIFI router on it with Static IP of 10.0.0.2 and hands out IP's to devices in the 10.0.1.0
OK well devices in that subnet will not be pingable unless pfSense has a static route and the wireless router is configured to pass on the packets. And of course the device has to allow ICMP from outside its subnet.
@mrpushner said in Firewall rules not working as expected...:
Could that 2nd router introduce that pass log somehow
Yes and no. That router can't do anything to pfSense. However since pfSense has no idea where the 10.0.1.0/24 subnet is, it will see the packet as destined for "not LAN" and send the packet out the WAN interface...because packets for "not my networks" go to the configured gateway. So you are in fact allowing it by your rules.
If you are not trying to isolate your wireless devices from LAN (note: not isolated the other way around, currently), then what you may want is to plug your LAN network into a LAN port on the wireless router and leave the wireless router's WAN disconnected. In most cases consumer routers will just act as a bridge and put your wireless devices on your LAN network.
The first screen cap above shows an interface DMZBOTTOMPORT, did you rename it?
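To make the explanation above concrete, here is an added example (not from this thread or from pfSense itself) that models first-match rule evaluation and the routing decision: "LAN net" is only the 10.0.0.0/24 interface subnet, so a ping to 10.0.1.110 skips the BLOCK rule, matches the PASS-to-ANY rule, and is routed to the default gateway. The "Internal_Nets" alias covering 10.0.0.0/16 is an assumption shown only to illustrate a block rule that would also cover the WiFi router's subnet.

```python
# Added example, not from the thread: a minimal model of pfSense's
# top-to-bottom first-match rule evaluation plus its routing lookup.
from ipaddress import ip_address, ip_network

# Constructed to match the thread: interface subnets as pfSense sees them.
IFACES = {"LAN": ip_network("10.0.0.0/24"), "DMZ": ip_network("192.168.1.0/24")}
ANY = ip_network("0.0.0.0/0")

# DMZ rules as posted (first match wins; "LAN net" is the LAN subnet only).
DMZ_RULES_AS_POSTED = [
    ("block", IFACES["DMZ"], IFACES["LAN"]),
    ("pass",  IFACES["DMZ"], ANY),
]

# Hypothetical alias "Internal_Nets" = 10.0.0.0/16 (an assumption): a block
# rule using it would also cover the 10.0.1.0/24 range behind the WiFi router.
INTERNAL_NETS = ip_network("10.0.0.0/16")
DMZ_RULES_WITH_ALIAS = [
    ("block", IFACES["DMZ"], INTERNAL_NETS),
    ("pass",  IFACES["DMZ"], ANY),
]

def evaluate(rules, src, dst):
    """Return the action of the first matching rule ('block' if none match)."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s_net, d_net in rules:
        if src in s_net and dst in d_net:
            return action
    return "block"  # pfSense default deny when no rule matches

def next_hop(dst):
    """Longest-prefix match over directly connected nets; else default gateway."""
    dst = ip_address(dst)
    connected = [n for n in IFACES.values() if dst in n]
    if connected:
        return f"direct via {max(connected, key=lambda n: n.prefixlen)}"
    return "default gateway (WAN)"

if __name__ == "__main__":
    for rules, label in ((DMZ_RULES_AS_POSTED, "as posted"),
                         (DMZ_RULES_WITH_ALIAS, "with alias")):
        act = evaluate(rules, "192.168.1.101", "10.0.1.110")
        print(f"{label}: 10.0.1.110 -> {act}, route: {next_hop('10.0.1.110')}")
```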
-
Hi Steve, thanks for the help here.
Ok so I see your point, with my config you are saying that the ICMP ping to 10.0.1.XXX (from DMZ net 192.168 /24) is unknown network to PFS, as it is only known by my wifi router, so it tries to send the packet out to the internet. My rules allow this to happen, hence the PASS log.
So you are saying that I am SAFE with that PASS log, and nothing can pass from my DMZ net to my LAN net with current rules.
I do not currently separate my WIFI devices from LAN PC's, but I suppose that I should do this for better security.
Not sure how to handle that however. I only have 2 physical ports on my PFS hardware (1 for LAN, 1 for DMZ), and not sure how to separate any Hardwired from WIFI devices on my LAN.
Would I do that on the LAN WIFI router (an older not great unit), or could I possibly do a vlan maybe in PFS to achieve the same goal?
Never done a VLAN, so not sure how that might work with my setup.
Thanks for your help,
MP
-
@mrpushner if you want to segment your network I would really suggest you get a vlan capable switch, and an AP that can do vlans as well.
Now you can put pretty much anything on any network you want to create, and firewall appropriately for what you want to isolate from other things on your network.
An 8 port gig smart switch can be had for $40 or lower.. Depending on what you're actually using as your wifi router, it's possible it can run 3rd party firmware, open-wrt or dd-wrt, that can allow it to do vlans..
You could still leverage dumb switches you might currently be using - just plug one into one of the ports on your new smart switch and set it to be on whatever network/vlan you want all the devices on the dumb switch to be in.
-
@mrpushner to test pinging to LAN you need to ping a device on LAN.