Netgate Discussion Forum

    Nested firewalls for "defense in depth"

    Firewalling
      dmcnet

      I have a network I'm trying to set up with two firewalls.  I would like to restrict the 192 network from leaving out the WAN of the 1st firewall (that is, block Internet access).  Currently the 192 can get to the Internet, employee, server and guest networks.  I assume there is a firewall rule that I can use to accomplish this?  I have tried a few different things on the WAN and Server interfaces of the 1st firewall.

      (by the way when i say first firewall, I mean the one that is facing the Internet)

      Thanks
      Masters_Diagram.jpg

        danswartz

        This should be easy.  The 192.168.x.x traffic will be NAT'ed to 10.10.13.2, so all you should need to do is put a rule on the LAN interface of the outside firewall blocking access from that IP.  If you want the 192.168.x.x subnet to be able to reach the other two subnets (10.10.10.0 and 10.10.12.0), you would need to allow that.  So, something like:

        allow from 10.10.13.2 => 10.10.10.0/24
        allow from 10.10.13.2 => 10.10.12.0/24
        deny from 10.10.13.2 => any

          dmcnet

          Maybe I'm missing something in my firewall setup, but that doesn't seem to help (although that's what I originally figured).  I have a static route on the outside router, 192.168.1.0/24 via 10.10.13.2, and that's only on the server interface.

            danswartz

            A static route should not be necessary - the point is that (unless you are doing something non-standard you haven't told us about), the 192.168.1.0/24 hosts will be NAT'ed to 10.10.13.2, so the route is pointless.  As to why this is not preventing those hosts from getting out, you would have to show us your LAN rules.  Are you sure you added them before the default rule?  They are evaluated top to bottom - first match wins.

              dmcnet

              Here are the rules.  (I left off guest, because I'm not that concerned; it works, but it stops 10.10.12.x to 10.10.10.x and 10.10.13.x.)

              Without the route put into the outside router, nothing was able to ping 192.

              I am new to this game, thanks for the help.

              If it matters the 10.10.13.x is on an opt1 interface

              rules.JPG

                danswartz

                Two things: your rules should not be using "WAN address" as the destination, but '*', as otherwise you just block them from accessing the WAN IP itself, not outside hosts.  Also, you never said you wanted anyone outside the internal pfSense to be able to access the 192.168.1.0/24 hosts, so I didn't address that.  The solution there is to also stop doing NAT on the inside pfSense.

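The two points danswartz makes in this thread (the rules on the outer firewall are evaluated top to bottom with first match wins, and a destination of "WAN address" only blocks traffic to the outer firewall's own WAN IP rather than to outside hosts) can be checked with a small first-match rule evaluator. The following is an added example and not code from the thread or from pfSense: it models the inner pfSense's outbound NAT (192.168.1.0/24 seen as 10.10.13.2 on the outer firewall's OPT1) and compares three rule sets for that interface. The outer firewall's WAN IP is not given in the thread, so a documentation-range address (203.0.113.10) stands in for it, the Internet host 198.51.100.7 is constructed, and an allow-any rule for the 10.10.13.0/24 subnet is assumed to sit below the poster's rules (pfSense creates no rules on OPT interfaces by default, so something must be letting 10.10.13.x out at all).

```python
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network

# Addressing from the thread.  OUTER_WAN_IP and INTERNET_HOST are assumptions
# (RFC 5737 documentation ranges); the thread does not name either.
OUTER_WAN_IP = ipaddress.ip_address("203.0.113.10")
INNER_LAN = IPNet("192.168.1.0/24")                 # LAN behind the inner pfSense
INNER_NAT_IP = ipaddress.ip_address("10.10.13.2")   # inner pfSense WAN, on outer OPT1
OPT1_NET = IPNet("10.10.13.0/24")
EMPLOYEE_NET = IPNet("10.10.10.0/24")
SERVER_NET = IPNet("10.10.12.0/24")
INTERNET_HOST = ipaddress.ip_address("198.51.100.7")  # constructed outside host
ANY = IPNet("0.0.0.0/0")                            # pfSense destination "*"


def host(ip):
    """A single address as a /32, the way pfSense treats "WAN address" or a host alias."""
    return IPNet(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: IPNet
    dst: IPNet    # ANY for "*", host(...) for a single IP


def outer_sees(src):
    """Source address as the outer pfSense's OPT1 interface sees it: the inner
    pfSense NATs its LAN to its WAN address, so 192.168.1.x arrives as 10.10.13.2
    (which is why the static route on the outer box is pointless)."""
    src = ipaddress.ip_address(src)
    return INNER_NAT_IP if src in INNER_LAN else src


def evaluate(rules, src, dst):
    """Interface rules are evaluated top to bottom, first match wins; a packet
    matching no rule falls through to pfSense's implicit default deny."""
    src = outer_sees(src)
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"


# Rule set 1: the poster's mistake, destination "WAN address" instead of "*".
# Only the outer firewall's own WAN IP is blocked; the assumed allow-any rule
# below it still lets 10.10.13.2 reach the Internet.
WAN_ADDRESS_MISTAKE = [
    Rule("block", host(INNER_NAT_IP), host(OUTER_WAN_IP)),
    Rule("pass", OPT1_NET, ANY),
]

# Rule set 2: the ordering danswartz suggested, with the allow rules above the deny.
CORRECT = [
    Rule("pass", host(INNER_NAT_IP), EMPLOYEE_NET),
    Rule("pass", host(INNER_NAT_IP), SERVER_NET),
    Rule("block", host(INNER_NAT_IP), ANY),
    Rule("pass", OPT1_NET, ANY),
]

# Rule set 3: the same rules with the deny placed first; the allows never match.
WRONG_ORDER = [CORRECT[2], CORRECT[0], CORRECT[1], CORRECT[3]]


def summary(rules, src="192.168.1.20"):
    """Verdicts for one 192.168.1.x host against each destination discussed in the thread."""
    return {
        "employee": evaluate(rules, src, "10.10.10.5"),
        "server": evaluate(rules, src, "10.10.12.5"),
        "internet": evaluate(rules, src, INTERNET_HOST),
        "outer_wan_ip": evaluate(rules, src, OUTER_WAN_IP),
    }


if __name__ == "__main__":
    for name, rules in [("WAN address as destination", WAN_ADDRESS_MISTAKE),
                        ("allow, allow, deny any", CORRECT),
                        ("deny any placed first", WRONG_ORDER)]:
        print(f"{name}: {summary(rules)}")
```

Running it shows the first set passing the Internet host while blocking only 203.0.113.10, the second set passing the employee and server subnets and blocking everything else, and the third set blocking all four destinations because the deny-any rule matches before the allows are reached. The model covers only the outbound direction; as the last post notes, reaching 192.168.1.0/24 from outside is a separate problem that requires turning off outbound NAT on the inner pfSense rather than adding rules here.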
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.