Newbie LAN-YEL-ORA independent NIC subnets w/WAN access don't work
-
After a year of considering, I have taken the plunge and ditched my Linux firewall. So far I am delighted in general, even though I cannot seem to get it to do the simple thing that I want. I have read the book and read alot of posts but apparently just don't get it.
Did default install. Two "OPT" interfaces that I call YELLOW and ORANGE.
YELLOW is intended for non-evil machines I have low confidence in (Windows with patches and Anti* installed). Eventually I will give YELLOW ssh certificate access to LAN for SFTP access, but that is later.
ORANGE is for completely un-trusted machines (XBOX360). How to get an XBOX going is a future challenge (I am aware there are posts, but have become aware that I have bigger problems right now).
As my first step, I want YELLOW and ORANGE to be able to access the WAN (Internet) just like LAN, but not access anything else (e.g. LAN or the other of YELLOW or ORANGE).
I set up DHCP server serving up an independent subnet for each of LAN, YELLOW, and ORANGE. It seems to work fine.
I made the following rules in ORANGE and a similar set in YELLOW:
Pass * Orange net * WAN address * * -
Reject * * * * * *I put a Windows PC on it (It was handy).
Pings to numeric IPs show up in the log as being blocked (ICMP) on the ORANGE interface. Pings to named servers show up in the log as being blocked UDP to the ORANGE subnet 192.168.243.1:53gateway address, port 53 (Which I assume is DNS Port). The LAN gateway is 192.168.240.1. The LAN works well, I am typing on it. The XBOX360 user is getting restless.
Why are WAN pings blocked from going out? (4.2.2.2) Should not my first rule see them safely to the WAN port?
Does the ORANGE NIC receive the packet and filter it from getting to the ORANGE gateway? Obviously pfsense cannot block traffic out on the wired / switched broadcast domain, so I assumed that the gateway itself would be treated similarly, since it is logically on the same switched network segment. Is this untrue?
Do I have to add a rule:
Pass * ORANGE net * Orange net * * - ??
Also, I do not understand the difference between ORANGE subnet and ORANGE address
I would like to understand, not just be up, but a final question for now is… what rule set should I put into place to get YELLOW and ORANGE up as independent "LAN" look-a-likes that cannot interact with each other?
Thank you for helping as I grope in the dark!
--Ray
-
WAN address is just that, the WAN IP address. You aren't allowing anything to the Internet. You need to block what you don't want, then allow to any.
-
Thank you, that is what I was missing. What "XXX Address" meant. It means "XXX NIC Address"
I was trying to do an "Allow what you want, block the rest" as I understood it to be the preferred mode of operation. I would allow to the WAN, and block to the rest of my internal configuration however it changed. Less error prone (for me).
With a block what don't want then allow any, I would have to explicitly block everything to the rest of my network. Which I can do.
At the same time, could I do an allow to a network that is NOT 192.168.0.0/16, thereby accomplishing a block-all / allow what you want method?
–-
Second question: Regarding my DNS requests to the orange gateway ('243.1:53) being rejected, that is logically on the same physical network as the PC, isn't it? Yet it was blocked. Can you help me to understand why / why this makes sense? Why should it be any different than say another PC going through a switch hanging off the orange? -
-
"Yellow Address" refers to the IP address of the Yellow NIC. I was thinking that it meant something similar to "Yellow Subnet".
-
For OPT I/F, you must create a rule to allow a machine on the yellow subnet to reach the yellow subnet NIC (with the DNS server). This one seems crazy to me, but this is the way it is. It seems crazy since if the DNS server were out on a switched segment, anyone could reach it with the same address.
-
I am using an external DNS service, and desire to block any attempts by local machines to use other DNS servers.
-
I made an alias AllPrivateIP with the Private and Auto IP addresses so that I could refer to their inverse as meaning the internet in various cases. I seem to have private addresses pounding on me from my WAN trying to bootp.
-
I have an XBOX360 on ORANGE which I have working at the "OPEN" level (highest) without uPNP
-
Don't let any sloppy names that slip through confuse you with respect to LAN, ORANGE, YELLOW, XBOX360. If it looks like something, it is.
-
I plan on moving to a "block all except those allowed" for LAN, YELLOW, and ORANGE.
-
Reject UDP LAN-Net * !Lan-Addr 53(DNS) * Comment: Reject DNS to other than LAN Gateway
-
Pass Any LAN-Net * * * * Comment: Allow LAN to access anything
-
Reject * * * * * * * Comment: Reject at bottom so LAN never gets blocked causing delay
-
Pass UDP !AllPrivateIP * XBOX360 88 * Comment: Allow XBOX port forward
-
Pass TCP/IP !AllPrivateIP * XBOX360 3074 *Comment: Allow XBOX port forward
-
Block * * * * * * * Comment: Block at bottom so no response.
YELLOW
-
Pass UDP YEL-NET * YEL-Addr 53(DNS) *Comment: Allow access to local DNS
-
Reject UDP YEL-NET * !YEL-Addr 53(DNS) *Comment: Reject access to other (external) DNS
-
Pass * YEL-NET * !AllPrivateIP * *Comment: Allow unlimited access to WAN
-
Reject * * * * * * Comment: Reject at bottom so no delay
ORANGE
-
Pass UDP ORA-NET * ORA-Addr 53(DNS) *Comment: Allow access to local DNS
-
Reject UDP ORA-NET * !ORA-Addr 53(DNS) *Comment: Reject access to other (external) DNS
-
Pass * ORA-NET * !AllPrivateIP * *Comment: Allow unlimited access to WAN
-
Reject * * * * * * Comment: Reject at bottom so no delay
Firewall / NAT / Port Forward
-
WAN UDP 88 XBOX360 88
-
WAN TCP/UDP 3074 XBOX360 3074
Firewall / NAT / Outbound
-
Manual
-
WAN LAN-NET * * * * * No
-
WAN YEL-NET * * * * * No
-
WAN ORA-NET * * * * * Yes
-
-