Netgate Discussion Forum
Blocking ports and other lans

• devnull

  Hi,

  I've been trying to do two things but can't seem to get either of them to work.

  The first is that I've got 5 internal networks (LAN, Office, Classrooms, WiFi, Tel).
  Now I've created aliases for ports that I want open from inside to out for each network, and instead of the default pass rule I created a general block rule and another pass rule that contains the alias of ports that I want opened on this LAN.
  But it either blocks everything or it blocks nothing.
  I don't know, do I have to set up something with NAT (I'm using manual outbound rule generation because of the SIP phones used) or can I just stop traffic with rules?
  Or what am I supposed to do to only allow a list of ports outbound from an internal network?

  The second is that I would like to block the internal networks from seeing each other.
  I've tried making a rule that blocks traffic from the class subnet to the LAN subnet, and the same to the other networks.
  But as I said it doesn't work.
  So how would I go about blocking traffic from one network to another but still be able to pass through a few IPs on the LAN network?

  Thanks for any advice. I really thought that these rules would work for me but I don't know where I went wrong.

  Bye
• Efonnes

  Are you assigning the firewall rules to the correct interfaces? The firewall rule should be on the network for the source address you use. For example, your rule that blocks traffic from the class subnet to the LAN subnet should be on the Classrooms network. Also be sure you are putting it at the top of the list.

  By the way, NAT rules do not bypass the firewall, so that should not be the issue. (An exception to this is if you are using a 2.0 beta build and have a port forward that is set to "pass".)
• devnull

  Hi,

  thanks for the tip. Guess I only made the mistake of putting the block rule after the allow rule.
  So block should always be before allow, right?

  Now here's a follow-up question. :)

  Now that I've blocked the wanted networks, how do I allow only specific IP addresses to be accessed on the previously blocked networks (file server, web server, etc.)?
  My thought was to make an alias, something like allowed_ips, and then make a rule like allow from one of the networks to destination the alias I made. But it doesn't seem to work either.
  Did I screw up the rule order or just the rule in general? ;D

  Thanks for the help and patience, it's my first time setting up a complex network like this so I'm hitting a lot of walls before I get it the way it should be.

  By the way, how would I go about blocking outbound ports on these networks? I've already created aliases for ports on each specific network but again if I put in a rule for passing these ports... it all gets blocked... :-\

  Bye
• devnull

  Hi,

  well, it seems that I got the port blocks in place; all I had to do was disable the default pass rule and it's working.

  But I still don't know how to allow only some access from one LAN to another.

  Thanks for the help.
• danswartz

  That's really too vague, sorry :( Please post the rules you are trying to use and we can check them.
• devnull

  Hi,

  sorry, it was a little vague.

  Here are my rules for, let's say, the Office LAN:

  Action  Proto    Source      Port  Destination              Port                  Gateway  Schedule  Description
  BLOCK   *        Office net  *     blocked_office_networks  *                     *                  BLOCK Office -> Not allowed networks
  PASS    TCP/UDP  Office net  *     *                        allowed_office_ports  *                  Allowed ports for Office
  PASS    *        Office net  *     allowed_addresses        *                     *                  Office -> Allowed hosts (this doesn't work)

  Aliases used above:
  blocked_office_networks = 192.168.0.0/24, 192.168.3.0/24, etc.
  allowed_office_ports    = 21, 25, 53, 80, 110, 443
  allowed_addresses       = 192.168.0.10, 192.168.0.20, 192.168.0.21

  Now the Office (192.168.2.0/24) network can't access the LAN (192.168.0.0/24), which is right. But I would still like any host on Office to access, let's say, some IPs on the LAN (192.168.0.10, 192.168.0.20, 192.168.0.21).
  I would like to get this working so I don't have to set up a file server on each LAN with content that may be accessible to all.

  Thanks
• Efonnes

  The pass rule that you want to override the block should go above the block rule. The rules are checked in top-down order, with the first matching rule being the one it uses.
• devnull

  Hi,

  thanks for the tip Efonne. I didn't realize the order is that important.
  So the rules are checked from the top down to the bottom and block rules always overrule pass. So if I had first a pass and then a block for the same thing the block rule would take precedence. I think I get it now.

  Thanks again.

  Bye
• Efonnes

  Regardless of whether it is block or pass, the first rule that matches the traffic is the one that will take effect. It does not go looking further down the list when it has already found a matching rule for the traffic.

  As far as I know, every list of any kind of firewall, forwarding, or NAT rule is like this in pfSense. However, I'm not at this moment going to go into explaining the extra details about schedules on firewall rules, because it gets a bit more confusing there. (Unless you want me to.)
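Added example, not from the thread or from pfSense itself: a small first-match evaluator in Python that walks devnull's posted Office rule list the way Efonnes describes in the two replies above, and shows why the allowed-hosts pass rule only takes effect when it sits above the block rule. The alias contents come from the posted rules; the source host 192.168.2.50 and destination port 445 in the sample packet are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str              # "pass" or "block"
    protos: Optional[tuple]  # e.g. ("tcp", "udp"); None = any protocol ("*")
    src: Optional[list]      # alias of networks/hosts; None = any ("*")
    dst: Optional[list]
    dports: Optional[list]   # destination ports; None = any ("*")

# The three aliases devnull posted for the Office interface.
OFFICE_NET    = ["192.168.2.0/24"]
BLOCKED_NETS  = ["192.168.0.0/24", "192.168.3.0/24"]              # blocked_office_networks
ALLOWED_PORTS = [21, 25, 53, 80, 110, 443]                        # allowed_office_ports
ALLOWED_HOSTS = ["192.168.0.10", "192.168.0.20", "192.168.0.21"]  # allowed_addresses

def in_alias(ip: str, alias: Optional[list]) -> bool:
    """True if ip falls in any network/host of the alias (None matches anything)."""
    if alias is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in alias)

def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return ((rule.protos is None or proto in rule.protos)
            and in_alias(src, rule.src) and in_alias(dst, rule.dst)
            and (rule.dports is None or dport in rule.dports))

def evaluate(rules, proto, src, dst, dport):
    """Walk the list top-down; the first matching rule decides and later rules are never
    consulted. No match at all falls through to pfSense's implicit default deny."""
    for index, rule in enumerate(rules):
        if matches(rule, proto, src, dst, dport):
            return rule.action, index
    return "block", None

block_rule = Rule("block", None, OFFICE_NET, BLOCKED_NETS, None)
ports_rule = Rule("pass", ("tcp", "udp"), OFFICE_NET, None, ALLOWED_PORTS)
hosts_rule = Rule("pass", None, OFFICE_NET, ALLOWED_HOSTS, None)

AS_POSTED = [block_rule, ports_rule, hosts_rule]  # pass-to-hosts sits below the block
CORRECTED = [hosts_rule, block_rule, ports_rule]  # pass-to-hosts moved above the block

if __name__ == "__main__":
    # Constructed sample: an Office host opening SMB to one of the allowed LAN hosts.
    pkt = ("tcp", "192.168.2.50", "192.168.0.10", 445)
    print("as posted:", evaluate(AS_POSTED, *pkt))   # the block at index 0 wins
    print("corrected:", evaluate(CORRECTED, *pkt))   # the pass at index 0 wins
```

With the corrected order, traffic from Office to any other LAN host still hits the block, and outbound traffic on a port outside allowed_office_ports falls through to the default deny.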
• devnull

  Thanks again Efonne.

  I've now got everything working the way I planned it.

  I don't think I have a use for scheduling yet, but I see how it could come in handy.

  Thanks for the help again and bye
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.