Block WAN to ALL except given host group alias "netok"



  • Hello, I have a simple pfSense setup here, except the WAN is behind a first router, therefore:

    First things first, I'm running: 1.0.1-SNAPSHOT-01-11-2007

    WAN:
    ip: 192.168.2.1
    gate: 192.168.2.254
    mask: 255.255.255.0
    DNS: ISP given ones
    Block private networks : OFF

    LAN:
    ip: 192.168.0.254
    mask: 255.255.255.0

    Below is a snippet of my alias file:

    Two groups: one called "netok" with machines that will be allowed to browse the net; one host alias called ftpsrv which will be the only ftp server allowed for non-members of group "netok".

    <aliases>
      <alias>
        <name>ftpsrv</name>
        <address>195.13.59.53</address>
        <descr>ftp server</descr>
      </alias>
      <alias>
        <name>netok</name>
        <address>192.168.0.253 192.168.0.180 192.168.0.61 192.168.0.62 192.168.0.63 192.168.0.150 192.168.0.149</address>
        <descr>internet granted</descr>
      </alias>
    </aliases>

    And below is my rules file, pretty basic:
    (listed from bottom to top)

    Allow all from lan_subnet to all
    Deny all from lan_subnet to not lan_subnet
    Allow all from netok to not lan_subnet

    <filter>
      <rule>
        <type>pass</type>
        <interface>lan</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os/>
        <source>
          <address>netok</address>
        </source>
        <destination>
          <network>lan</network>
        </destination>
        <!-- The summary above reads "netok to not lan_subnet"; in pfSense config.xml a negated
             destination carries a <not/> element inside <destination>, which this rule lacks. -->
        <descr>allow lan to netok group</descr>
      </rule>
      <rule>
        <type>block</type>
        <interface>lan</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os/>
        <source>
          <network>lan</network>
        </source>
        <destination>
          <network>lan</network>
        </destination>
        <!-- The description says "NOT lan subnet", but there is no <not/> inside <destination> here either. -->
        <descr>block traffic from lan subnet to NOT lan subnet</descr>
      </rule>
      <rule>
        <type>pass</type>
        <descr>Default LAN -> any</descr>
        <interface>lan</interface>
        <source>
          <network>lan</network>
        </source>
        <destination>
          <any/>
        </destination>
      </rule>
    </filter>

    With this setup I can access the net (!lan subnet) with machines that are members of alias "netok".
    Does this look like the proper way to achieve this?

    Second, and the non-working part:
    I would like all machines NOT members of "netok" to be able to access one remote IP for FTP.
    To make tests even easier, I added the following rule:

    allow all from NOT netok to ftpsrv

    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <max-src-nodes/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <source>
        <address>netok</address>
        <not/>  <!-- invert match: any source that is NOT in alias netok -->
      </source>
      <destination>
        <address>ftpsrv</address>
      </destination>
      <!-- no <protocol> or <port>: this matches every protocol to ftpsrv, not only tcp/21 -->
      <descr>allow ftp from not netok to ftpsrv</descr>
    </rule>

    Problem is that using this, the machines not belonging to the "netok" group can now ping the "ftpsrv" host alias, but when trying to connect via ftp, the connection never succeeds.
    I don't even get an ftp prompt.

    What could I be missing?



  • For the first part of your question:
    You need port forwards too, as you have a NAT setup (I guess you have, not sure about that as you don't mention turning off advanced outbound NAT).

    For the second part:
    pfSense utilizes an ftp proxy to handle ftp connections and NAT. For your setup it might be better to turn it off (Interfaces, LAN, ftp helper checkbox). By turning it off you will only be able to use passive ftp from LAN to a server at WAN. However, you then can more easily write firewall rules for ftp.
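The rule evaluation both posts reason about (first match, top to bottom; alias expansion; the `<not/>` invert flag on a source or destination) can be checked offline before touching the box. The following is an added example for this thread, not code from the thread or from pfSense: a small Python simulator that parses a constructed config.xml fragment built from the poster's aliases and rules. Its assumptions: the FTP rule sits above the block rule (the post does not say where it was placed); that rule is restricted to tcp/21 rather than to every protocol as posted; the two "not lan subnet" rules carry the `<not/>` their descriptions imply; and the LAN subnet is 192.168.0.0/24 from the posted interface address and mask. It models address, protocol and port matching only; the ftp helper behaviour described in the reply is outside it.

```python
"""First-match simulator for a pfSense-style <filter> ruleset with aliases.

Added example for this thread, not pfSense code. CONFIG_XML is a constructed,
well-formed rewrite of the poster's aliases and rules; only the elements the
thread uses are modelled (assumptions are noted inline).
"""
import ipaddress
import xml.etree.ElementTree as ET

# Interface networks, from the post: LAN is 192.168.0.254 with mask 255.255.255.0.
INTERFACES = {"lan": ipaddress.ip_network("192.168.0.0/24")}

CONFIG_XML = """<pfsense>
<aliases>
  <alias><name>ftpsrv</name><address>195.13.59.53</address><descr>ftp server</descr></alias>
  <alias><name>netok</name><address>192.168.0.253 192.168.0.180 192.168.0.61 192.168.0.62
    192.168.0.63 192.168.0.150 192.168.0.149</address><descr>internet granted</descr></alias>
</aliases>
<filter>
  <!-- assumed: FTP rule placed first and limited to tcp/21 (the posted rule had no protocol) -->
  <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
    <source><address>netok</address><not/></source>
    <destination><address>ftpsrv</address><port>21</port></destination>
    <descr>allow ftp from not netok to ftpsrv</descr></rule>
  <!-- assumed: <not/> on the destination, as the rule descriptions in the post say -->
  <rule><type>pass</type><interface>lan</interface>
    <source><address>netok</address></source>
    <destination><network>lan</network><not/></destination>
    <descr>allow netok to not lan subnet</descr></rule>
  <rule><type>block</type><interface>lan</interface>
    <source><network>lan</network></source>
    <destination><network>lan</network><not/></destination>
    <descr>block traffic from lan subnet to NOT lan subnet</descr></rule>
  <rule><type>pass</type><interface>lan</interface>
    <source><network>lan</network></source>
    <destination><any/></destination>
    <descr>Default LAN -> any</descr></rule>
</filter>
</pfsense>"""


def load_aliases(root):
    """Map alias name -> list of ip_network objects (single hosts become /32)."""
    aliases = {}
    for alias in root.iter("alias"):
        addrs = (alias.findtext("address") or "").split()
        aliases[alias.findtext("name")] = [ipaddress.ip_network(a) for a in addrs]
    return aliases


def endpoint_matches(elem, ip, port, aliases):
    """Evaluate one <source> or <destination> element against an IP and port.
    <any/> matches everything; <network>lan</network> is the LAN subnet;
    <address> is a literal IP or an alias name; <not/> inverts the address
    test only (the port test is not inverted), as pfSense's invert match does."""
    if elem is None or elem.find("any") is not None:
        addr_ok = True
    elif elem.find("network") is not None:
        addr_ok = ip in INTERFACES[elem.findtext("network")]
    else:
        value = elem.findtext("address")
        nets = aliases.get(value) or [ipaddress.ip_network(value)]
        addr_ok = any(ip in n for n in nets)
    if elem is not None and elem.find("not") is not None:
        addr_ok = not addr_ok
    want_port = None if elem is None else elem.findtext("port")
    port_ok = want_port is None or port == int(want_port)
    return addr_ok and port_ok


def first_match(rules, aliases, flow):
    """Walk the rules top to bottom and return (type, descr) of the first match.
    pfSense user rules are 'quick', so the first match decides; a flow that
    matches nothing falls through to the implicit default deny."""
    src, dst, proto, dport = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        want_proto = rule.findtext("protocol")
        if want_proto and want_proto != proto:
            continue
        if not endpoint_matches(rule.find("source"), src_ip, None, aliases):
            continue
        if not endpoint_matches(rule.find("destination"), dst_ip, dport, aliases):
            continue
        return rule.findtext("type"), rule.findtext("descr")
    return "block", "implicit default deny"


def evaluate(config_xml, flows):
    """Return {flow: (type, descr)} for each (src, dst, proto, dport) tuple."""
    root = ET.fromstring(config_xml)
    rules = root.find("filter").findall("rule")
    aliases = load_aliases(root)
    return {flow: first_match(rules, aliases, flow) for flow in flows}


SAMPLE_FLOWS = [  # constructed flows: (src, dst, proto, dport)
    ("192.168.0.253", "195.13.59.53", "tcp", 21),    # netok member -> ftp server
    ("192.168.0.10", "195.13.59.53", "tcp", 21),     # non-member -> ftp server, tcp/21
    ("192.168.0.10", "195.13.59.53", "icmp", None),  # non-member -> ftp server, ping
    ("192.168.0.10", "8.8.8.8", "tcp", 443),         # non-member -> some other internet host
    ("192.168.0.10", "192.168.0.254", "tcp", 80),    # non-member -> pfSense LAN address
]

if __name__ == "__main__":
    for flow, (action, descr) in evaluate(CONFIG_XML, SAMPLE_FLOWS).items():
        print(f"{flow[0]:>15} -> {flow[1]:<15} {flow[2]:<4} {str(flow[3]):<4} {action:<5} {descr}")
```

Run it as a script to print the verdict for each sample flow. With the FTP rule limited to tcp/21, a non-netok host is passed to port 21 on ftpsrv but its ping to ftpsrv hits the block rule, the reverse of what the any-protocol rule in the post produced; and because evaluation stops at the first match, placing that FTP rule below the block rule would make the block rule win for every non-netok flow to ftpsrv.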

