Netgate Discussion Forum

Allow internet access but nothing else with several if

Firewalling
9 Posts 4 Posters 25.0k Views
sventz, Jun 9, 2010, 8:18 PM

Hello, dear pfSense forum members,

I am testing a pfSense setup with one WAN interface and several VLAN interfaces (four at the moment, later like twenty or so). What firewall rule/rules should I use to allow traffic from every VLAN net to the Internet, but not from one local net to other local networks; or for other networks, only allow traffic to the Internet and only to a certain other network?

The "simplest-but-not-quite-working" idea I had so far is to create an alias with all the local networks in it, and then create a pass rule for a VLAN interface with destination: not single host or alias: vlan alias. But that would also include the pfSense gateway for the local network. So I guess I need one alias of local networks for every network without the network itself, which could be quite a lot of aliases, depending on the number of VLANs.

jigpe, Jun 9, 2010, 11:30 PM

Hi. Use firewall rule. Source: ip, Destination: Any, Port: Any

scoop, Jun 10, 2010, 12:17 PM

Hi,

I think I would do this:

• Put all local networks in one alias

• Create rules like this per VLAN:

  • Pass traffic from particular VLAN to firewall VLAN IP (already selectable as source, no need to alias)

  • Pass traffic not destined to Local networks alias

Is that what you would like to achieve?

sventz, Jun 10, 2010, 1:34 PM

Yes, thank you, that seems to work as intended. If, after all, some clients need access to another local network or a single host, the admin can just place a pass rule before the pass-to-all-but-not-to-alias rule.

jonnytabpni, Jun 11, 2010, 6:03 PM (last edited Jun 11, 2010, 6:05 PM)

@scoop:

    Hi,

    I think I would do this:

    • Put all local networks in one alias

    • Create rules like this per VLAN:

      • Pass traffic from particular VLAN to firewall VLAN IP (already selectable as source, no need to alias)

      • Pass traffic not destined to Local networks alias

    Is that what you would like to achieve?

Hi scoop,

Can you please explain to me why you would allow traffic to the firewall VLAN IP, and not the entire internet (i.e. '*')? If it were me, I would (in order of it appearing in the GUI):

Block traffic to all local networks
Allow access to everywhere

I could have got this wrong, but surely if you just allow the VLAN IP of pfSense, wouldn't that just allow access to the web GUI from said VLAN?

Thanks

scoop, Jun 12, 2010, 7:37 AM

@jonnytabpni:

    Can you please explain to me why you would allow traffic to the firewall VLAN IP, and not the entire internet (i.e. '*')? If it were me, I would (in order of it appearing in the GUI):

    Block traffic to all local networks
    Allow access to everywhere

It's not the first pass rule that allows access to the internet. The first pass rule just makes sure all VLANs can access the default gateway, that's all. This is redundant for the LAN interface (since that interface already has the anti-lockout rule that does the same). The second rule uses negation (not) on the "All local networks" alias to allow traffic to everything, except these local networks.

Your rules would not allow traffic to the default gateway itself, since its IP is also within the local networks range. I think it would be best to figure out what traffic is to be allowed exactly to the default gateway (i.e. ARP request?) and only allow that.

I hope this makes sense. :)

jonnytabpni, Jun 12, 2010, 11:47 AM

Hi scoop,

Yes, that makes sense.

Why do the interfaces need access to the pfSense gateway? I understand that they would use the pfSense IP as their "default gateway", but since traffic is destined for another host on the internet, is that rule needed?

I think this is the only place that I'm confused about.

What is this "default anti-lockout" rule you speak of?

Thanks

sventz, Jun 14, 2010, 4:07 AM

@jonnytabpni:

    [..]
    What is this "default anti-lockout" rule you speak of?

    Thanks

It's under System: Advanced: Miscellaneous: webGUI anti-lockout, and by default it's like an invisible firewall rule that always allows access to the LAN address of pfSense from the LAN network that is connected to it, so that one doesn't lock himself out of the WebGUI accidentally, or deliberately.

On the not-allowing-traffic-to-local-network-with-VLAN-alias topic: a pass rule with a "not" destination to network 192.168.0.0/16 seems to work also. It just forbids traffic to the whole 192.168 private network block, so an up-to-date VLAN alias is no longer needed. My knowledge of IP routing/network stuff isn't enough, though, to predict if the subnet mask could lead to any problems.

scoop, Jun 14, 2010, 9:27 AM

It is also not required to allow traffic to the VLAN interface IP of the pfSense box; traffic to the internet will work without it. Of course ARP requests are always allowed and fall outside the interface traffic rules. But access to the DNS forwarder to allow DNS queries and DHCP, for example, is another thing. I was only providing a rough example for what the topic starter requested. I guess I should have been more clear about that.

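As an added illustration (not code from the thread, and not pfSense's own code), the Python script below models how pfSense evaluates per-interface rules (first match wins, with an implicit default deny for anything unmatched) and runs the three rule orderings discussed in this thread side by side: scoop's "pass to interface address, then pass to not-local-alias", jonnytabpni's "block local alias, then pass any", and sventz's "not 192.168.0.0/16" shortcut. The subnets, the .1 gateway addresses and the test destinations are constructed for the example; the model only inspects the destination address and leaves out source, protocol, ports and the LAN anti-lockout rule.

```python
"""Model of pfSense-style interface rule evaluation (first match wins,
implicit default deny). Added example; not pfSense code. All addresses
below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed addressing: pfSense holds the .1 address on every local subnet.
LOCAL_NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "VLAN10": ipaddress.ip_network("192.168.10.0/24"),
    "VLAN20": ipaddress.ip_network("192.168.20.0/24"),
    "VLAN30": ipaddress.ip_network("10.30.0.0/24"),  # deliberately outside 192.168.0.0/16
}
GATEWAY_IP = {name: net.network_address + 1 for name, net in LOCAL_NETS.items()}

# The "all local networks" alias from the thread, as a list of networks.
LOCAL_ALIAS = list(LOCAL_NETS.values())
# sventz's shortcut: the whole 192.168.0.0/16 block instead of a maintained alias.
BLOCK_192_168 = [ipaddress.ip_network("192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    action: str           # "pass" or "block"
    destinations: list    # destination address, network or alias (list of networks)
    negate: bool = False  # the GUI's "not" checkbox on the destination
    note: str = ""


def host(ip) -> ipaddress.IPv4Network:
    """Single-host destination, like selecting the interface address in the GUI."""
    return ipaddress.ip_network(f"{ip}/32")


def dst_matches(rule: Rule, dst: ipaddress.IPv4Address) -> bool:
    hit = any(dst in net for net in rule.destinations)
    return (not hit) if rule.negate else hit


def evaluate(rules: List[Rule], dst: str) -> str:
    """Action of the first rule whose destination matches; "block" if none does."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if dst_matches(rule, addr):
            return rule.action
    return "block"  # implicit default deny at the end of every interface ruleset


# scoop's two rules on the VLAN10 interface.
SCOOP_VLAN10 = [
    Rule("pass", [host(GATEWAY_IP["VLAN10"])], note="to the VLAN10 interface address"),
    Rule("pass", LOCAL_ALIAS, negate=True, note="to anything not in the local alias"),
]
# jonnytabpni's ordering: block local first, then allow everywhere.
JONNY_VLAN10 = [
    Rule("block", LOCAL_ALIAS, note="block all local networks"),
    Rule("pass", ANY, note="allow everywhere"),
]
# sventz's variant: negate 192.168.0.0/16 instead of an alias.
SVENTZ_VLAN10 = [
    Rule("pass", [host(GATEWAY_IP["VLAN10"])], note="to the VLAN10 interface address"),
    Rule("pass", BLOCK_192_168, negate=True, note="to anything outside 192.168/16"),
]

RULESETS = {"scoop": SCOOP_VLAN10, "jonnytabpni": JONNY_VLAN10, "sventz": SVENTZ_VLAN10}


def compare(dst: str) -> Dict[str, str]:
    """Evaluate one destination address against each of the three rule sets."""
    return {name: evaluate(rules, dst) for name, rules in RULESETS.items()}


if __name__ == "__main__":
    for dst in ("203.0.113.10", "192.168.20.5", str(GATEWAY_IP["VLAN10"]), "10.30.0.7"):
        print(dst, compare(dst))
```

Running the script shows the points made in the thread: an internet address passes under all three orderings, another VLAN's host is blocked under all three, the VLAN's own gateway address passes under scoop's and sventz's rules but is blocked under jonnytabpni's (the point scoop raised about the gateway being inside the local range), and a host in the constructed 10.30.0.0/24 VLAN is blocked by the alias-based rules but passed by the 192.168.0.0/16 shortcut, which is the kind of gap sventz wondered about: the shortcut only covers local networks that actually live inside that block.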
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.