Seperated internal private networks can talk to each other by default??



  • I was suprised tonight after accidently coming across something.  I have a pfsense box setup with 4 NICs.  1 external WAN using multiple aliases for 5 public ip addresses and the other 3 are separate internal subnets.  10.0.201.0/24, 203 and 205

    I have fairly standard stuff setup, some web ports, email ports translating on the WAN on the appropriate ip, etc.  What shocked me is i was sitting on the 201 network and punched in a 203 ip address to SSH to and got right in?!?!  The whole point of me separating these networks is to isolate the networks from the outside, dmz from private, etc.  Why would these different physical networks have the ability to communicate?  And how do I prevent it?!  Or is there something ridiculous I'm missing.  Thanks.


  • Rebel Alliance Developer Netgate

    That is completely up to your firewall rules.

    If you added a rule to pass from " <foo>subnet" to *, then of course it can talk to the other subnet.

    You need to make rules at the top of the list to block traffic from going to places you don't want to go, or be more restrictive with the rule passing out traffic (though if they need internet access then they really do need the default pass out rule)</foo>



  • Thanks for the info.  I did not think a dmz subnet outbound to * would allow the dmz subnet to access another private subnet on a different network card without explicitly stating that inbound rule on the private subnet to allow that inbound traffic?

    So here's my scenario, which seems pretty basic…let's just look at two of my networks then to keep it simple.  A private and a DMZ.  Both need Internet access for updates, etc. - but I do not want to allow the DMZ network direct access to my 10. addresses on my private.  Can't seem to get the right 'block' rule in place?

    DMZ:  10.0.203.0/24
    Private:  10.0.201.0/24

    I tried adding a block rule on my DMZ with a source of dmz subnet and interface of DMZ - but perhaps I need it on my private rules?  Thanks...this seems so ridiculously simple, i just can't seem to get the rule right to restrict it.  I also tried to change my outbound to any rule to just WAN network, but that didn't work either.  TIA.



  • got it myself.  thanks.  i added a block outbound rule on the DMZ to not allow it to go to the private subnet and put it above the all outbound and that is working.  thanks!


Locked