Nested firewalls for "defense in depth"



  • I have a network I'm trying to setup with two firewalls.  I would like to restrict the 192 network from leaving out the WAN of the 1st firewall (that is block Internet access).  Currently the 192 can get to the Internet, employee, server and guest network.  I assume there is a firewall rule that I can use to accomplish this?  I have tried a few different things on the WAN and Server interfaces of the 1st firewall.

    (by the way when i say first firewall, I mean the one that is facing the Internet)

    Thanks



  • This should be easy.  The 192.168.x.x. traffic will be NAT'ed to 10.10.13.2, so all you should need to do is put a rule on the LAN interface of the outside firewall blocking access from that IP.  If you want the 192.168.x.x subnet to be able to reach the other two subnets (10.10.10.0 and 10.10.12.0), you would need to allow that.  So, something like:

    allow from 10.10.13.2 => 10.10.10.0/24
    allow from 10.10.13.2 => 10.10.12.0/24
    deny from 10.10.13.2 => any



  • Maybe I'm missing something in my firewall setup, but that doesnt seem to help (althought that's what i originally figured)  I have a static route on the outside router 192.168.1.0/24 via 10.10.13.2; and that's only on the server interface



  • A static route should not be necessary - the point is that (unless you are doing something non-standard you haven't told us about), the 192.168.1.0/24 hosts will be NAT'ed to 10.10.31.2, so the route is pointless.  As to why this is not preventing those hosts from getting out, you would have to show us your LAN rules.  Are you sure you added them before the default rule - they are done top to bottom - first match wins.



  • Here is the rules.  (i left off guest, cause im not that concerned, it works, but i stops 10.10.12.x to 10.10.10.x and 10.10.13.x)

    Without the route put into the outside router nothing was able to ping to 192.

    I am new to this game, thanks for the help.

    If it matters the 10.10.13.x is on an opt1 interface




  • Two things: your rules should not be using "WAN address" as the destination, but '*', as otherwise you just block them from accessing the WAN IP itself, not outside hosts.  Also, you never said you wanted anyone outside the internal pfsense to be able to access the 192.168.1.0/24 hosts, so I didn't address that.  The solution there is to also stop doing NAT on the inside pfsense.


Log in to reply