Secure firewall rules for guest access



  • Hello!

    I am quite new to pfSense so this might be a typical stupid newbie question, but I'm not sure, if it is correct and secure what I'm doing. I would be very happy, if you could tell me your opinion about my firewall question…  :)
    I have a private network at home that looks like this:

    
                              Internet
                                 |
                             WAN | dyn. IP
                          +–----+-------+
                          | Router       |
                          | (FRITZ!Box)  |
                          | NAT,DHCP,DNS |
                          +------+-------+
                             LAN | 192.168.0.1
                                 |
     +-------------+-------------+------------+------------+
     |             |             |            |            |
    PC1         Wifi AP          |           PC2          PC3
           (private network)     |
                             WAN | 192.168.0.5
                          +------+-------+
                          | pfSense      |       Wifi
                          | (pfsense)    |...  "guest"
                          | NAT,DHCP,DNS |    192.168.2.x
                          +--------------+
                           |            |
                           |            |
                           |            |
                          LAN          LAN
                      192.168.3.x  192.168.1.x
                      "neighbour"
    
    

    The 192.168.0.0/24 network is my private network. I would like to use pfSense to grant only internet access to the "neighbour" (192.168.3.0/24) and "guest" (192.168.2.0/24) networks. They must not have access to my private network. The Wifi network uses the Captive portal. My firewall rules look like this:

    The first rule seems to be necessary to answer DNS requests from my primary router 192.168.0.1.
    The second rule allows access to the Captive portal.
    The third rule allows only internet access without access to any private networks.
    CP is an alias for 192.168.2.1 (the Captive portal), PRIVATE means 192.168.0.0/16

    My questions are:

    • Do both networks really only reach the internet  and nothing else?

    • Is it secure this way?

    • Is it possible/necessary to restrict the firewall rules even more?

    • It took my quite a while to figure that out and looks complicated to me. Is it possible to simplify the set of rules?

    I'm looking forward for your comments!

    THX a lot!

    Tom



  • Generally you put the protected networks inside the untrusted networks, the way you've laid your network out is the wrong way around for this. You really should re-arrange your network to hang the private network off the pfSense firewall, possibly swapping it with the "neighbour" network.

    Your rules will allow anybody on the Wifi net access to port 53/UDP on any host (including the private network) - be aware that DNS uses TCP quite regularly and you must create a rule for that, or use your pfSense host as the DNS server for the Wifi net. They also allow TCP access to CP on port 8000 and any service on any network that isn't included in the PRIVATE alias (the PRIVATE alias includes the pfSense host).

    Obviously we can't say anything about the neighbour network since you didn't provide any rules relating to it.



  • Hi!

    Thank you for your answer! I understand what you are saying. I must admit, that this was the fastest way to grant internet access for both wifi users and my neighbour. But you totally convinced me. I will re-arrange my network first. Unfortunately I'll have to keep my primary router for VOIP which makes everything a little bit more complicated… :-( Today I bought "pfSense - The Definitive Guide" and started reading. Hopefully it will clear things up a bit... Again thanks a lot for your comment!

    Regards,

    Tom


Locked