Netgate Discussion Forum
    Internet: any access, but not to internal networks

    Firewalling · 7 Posts · 3 Posters · 2.7k Views
    subfire91

      I'm trying to configure a rule for internal hosts to have any internet access, but not access to other internal hosts or networks. When I use the rule:

      Protocol:any      Source: internal host    Source port: any    Target: external address  Target port: any.

      The external address object is one of pfSense's default included objects. Using this rule I cannot go out to the internet. Any suggestions?

      Thanks

    GruensFroeschli

        There is no way for the pfSense to filter internal traffic.
        You can only filter if the traffic goes over the pfSense (e.g. you have a separate network on which all your servers are).

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

    subfire91

          @GruensFroeschli:

          There is no way for the pfSense to filter internal traffic.
          You can only filter if the traffic goes over the pfSense (e.g. you have a separate network on which all your servers are).

          I have 3 interfaces on the firewall: one for WAN and the other two for internal networks. What I meant was any access to the internet, but not to other internal networks.

    GruensFroeschli

            Ok.
            In this case you can do it like this:

            1: Create an alias containing all your local subnets.
            2: Create a rule:
            Allow; Protocol: any; Source: LAN/OPT-subnet; Source-port: any; Destination: !Alias; Destination-Port: any

            (!Alias = NOT Alias)
            So you allow all connections whose destination is not your alias.
            Connections whose destination is your alias will be blocked by the default block rule.


    subfire91

              @GruensFroeschli:

              Ok.
              In this case you can do it like this:

              1: Create an alias containing all your local subnets.
              2: Create a rule:
              Allow; Protocol: any; Source: LAN/OPT-subnet; Source-port: any; Destination: !Alias; Destination-Port: any

              (!Alias = NOT Alias)
              So you allow all connections whose destination is not your alias.
              Connections whose destination is your alias will be blocked by the default block rule.

              Basically what I want to do is have any access to the internet, but service-specific access to other LANs.

    GruensFroeschli

                The rule I described allows access to the internet and blocks access to the other LANs.
                To allow specific stuff now, just create additional rules above this one.


    Jahntassa
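As an added illustration (not code from this thread or from pfSense itself), the following Python first-match evaluator models the rule order GruensFroeschli describes, using constructed sample subnets and a hypothetical "LocalNets" alias. It also shows why the original poster's "WAN address" destination never matches ordinary internet hosts: that object is the firewall's own WAN IP, not a zone.

```python
# Added example: first-match simulation of a pfSense interface ruleset.
# Subnets, hosts and the "LocalNets" alias below are constructed sample values.
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")       # first internal interface
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")      # second internal interface
WAN_ADDRESS = ipaddress.ip_address("203.0.113.5")      # the firewall's own WAN IP
LOCAL_NETS = [LAN_NET, OPT1_NET]                        # the "LocalNets" alias


def in_alias(addr, nets):
    """True if addr falls inside any network of the alias."""
    return any(addr in n for n in nets)


# A rule is (action, proto, src_nets, dst_match, dst_port). dst_match is a
# callable so "!Alias" and "WAN address" can be expressed as the GUI does.
def make_rules():
    return [
        # 1: service-specific exception, placed ABOVE the general rule
        ("pass", "tcp", [LAN_NET],
         lambda d: d == ipaddress.ip_address("192.168.2.10"), 445),
        # 2: the rule from the thread: allow anything NOT destined to the alias
        ("pass", "any", [LAN_NET],
         lambda d: not in_alias(d, LOCAL_NETS), None),
        # 3: pfSense's implicit default deny needs no explicit entry
    ]


def evaluate(rules, proto, src, dst, dport):
    """Return the action of the first matching rule, or 'block' (default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, src_nets, dst_match, rport in rules:
        if rproto not in ("any", proto):
            continue
        if not in_alias(src, src_nets) or not dst_match(dst):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "block"


# The original poster's rule: Destination = "WAN address" matches only the
# firewall's own WAN IP, so traffic to real internet hosts falls to default deny.
OP_RULES = [("pass", "any", [LAN_NET], lambda d: d == WAN_ADDRESS, None)]
```

Run `evaluate(make_rules(), "tcp", "192.168.1.20", "198.51.100.7", 443)` to see the internet allowed, and swap the destination for a 192.168.2.x host to see it blocked unless it is the port 445 exception.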

                  @subfire91:

                  Basically what I want to do is have any access to the internet, but service-specific access to other LANs.

                  I had the same thought. I have yet to actually make my pfSense setup live (I'm pre-configuring so the transition is as quick as possible), but I had a similar issue coming from SonicWall logic to pfSense logic.

                  ~~What I'm going to try, as I have multiple internal interfaces, is to do a 'default deny' where the rule is:

                  Deny: Protocol - Any; Source: (interface); Source Port: Any; Destination: !WAN

                  If my logic is right, that should deny any traffic not meant for the WAN, and then, as said, add individual rules above that one for the specific stuff. As said, I don't have the system implemented yet, but I may need to add an 'all access' rule below that one, so the processing goes:

                  1. Allow specifics
                  2. Deny non-WAN
                  3. Allow All

                  Rule 3 is important as I believe pfSense simply does nothing without a rule present, and since the Deny rule precedes the Allow, only WAN traffic should be allowed via rule 3.~~

                  Bah, scratch all that. Gruens I think has it right, as I forgot the 'WAN' in the dropdowns is for the actual WAN IP, not a 'zone' kind of deal like on SonicWalls.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.