Set up questions



  • What I'm looking for is to tap into the knowledge of folks on these boards that have much more experience with networking than myself. I know a little bit more than the common computer user, but my questions pertain to suggestions about what needs security and then how I would set up firewall rules with pfsense to accomplish those things. Also if there is a better place to re-post this let me know as I'm new to these forums.

    My equipment:
    pfSense box with 4 nics
    buffalo router as an access point
    linksys router as an access point
    linksys ethernet bridge

    I'm looking to make 3 networks.
    I want an internet-only network for guests that want to use the internet.
    I want a network for an ftp/web server.
    I want my private network for my family.
    I also want my devices that access the internet such as slingbox, Wii, directv receiver to not be seen by the rest of whatever network they're on.

    Also, I want to learn how to set up a VPN so that I can remote desktop to my computer on my private network, along with, when I'm connected to my VPN, my slingbox streaming as though it's on the same network as my computer (what I mean is that it's not limited to my ISP upload speed), so hence I'm not sure if that's possible.

    So here's my thought process: I would have my personal network on one nic. My server would be on the second nic. Then my internet-only network would be on the third nic and all my devices such as the slingbox would be on the same nic but would have a different subnet (guests' computers have a .255 subnet mask, and devices have like a .48 subnet mask). Does that stop guests from seeing the devices?

    Other questions I have are: how do I protect my server with firewall rules? How do I limit guests to internet only with firewall rules? How do I set up a VPN for remote desktop? Also I want to make sure that from my private network I can access the other two networks, but the other two networks should not be able to see/access my private network.

    Help me please!

    I have uploaded an image trying to show what I'm looking to do. Thanks!

    ![pfSense Network.jpg](/public/imported_attachments/1/pfSense Network.jpg)



  • So after further research I’m going to ask some more direct questions with a more exact set up.  Sorry for the newbie questions.
    First of all I would like to know if this set up will work:

    pfSense box: 192.168.0.0
    nic1: 192.168.2.0 – private network
    nic2: 192.168.3.0 – guest network (wifi)
    nic3: 192.168.4.0 – media network (wii, slingbox, directv)
    nic4: 192.168.5.0 – server network (web, ftp)

    This isolates all my devices correct? So say someone on the wifi network shouldn’t be able to see or find my computer on the private network, correct? Or do I need firewall rules to prevent access?

    Second question: What’s the best way to limit the number of users on a network? Is it by setting the mask in each network to something like /28 to limit the network to 14 users? If that’s the case do I even need separate 3rd octet values for each network (remembering that I’m trying to limit access)? Couldn’t I do something like:

    Nic1: 192.168.2.0 (2.1 – 2.14 being user range)
    Nic2: 192.168.2.16 (2.17 – 2.30 being user range)
    Nic3: 192.168.2.32 (2.33 – 2.46 being user range)
    Nic4: 192.168.2.48 (2.49 – 2.62 being user range)

    Or does this allow communication between each network?

    Onto the more pfSense related questions:

    #1: How do I limit traffic on the guest network to say 5Mb/download?
    #2: How do I set up VPN to my personal computer on the private network for remote desktop connection?
    #3: How do I limit access to only ftp or web access from external sources?
    #4: How do I block access to the access point set up on say the guest network?
    #5: How do I allow the private network (more specifically my computer) to access the rest of the network?

    Sorry for so many questions, I am new to using the full features of pfSense.

    Thanks for any and all help.



  • @broncoBrad:

    First of all I would like to know if this set up will work:

    pfSense box: 192.168.0.0
    nic1: 192.168.2.0 – private network
    nic2: 192.168.3.0 – guest network (wifi)
    nic3: 192.168.4.0 – media network (wii, slingbox, directv)
    nic4: 192.168.5.0 – server network (web, ftp)

    Don't you need another NIC to connect to the Internet?

    @broncoBrad:

    This isolates all my devices correct? So say someone on the wifi network shouldn’t be able to see or find my computer on the private network, correct? Or do I need firewall rules to prevent access?

    Use WiFi encryption to block WiFi access and firewall rules to restrict access beyond pfSense.

    @broncoBrad:

    Second question: What’s the best way to limit the number of users on a network? Is it by setting the mask in each network to something like /28 to limit the network to 14 users? If that’s the case do I even need separate 3rd octet values for each network (remembering that I’m trying to limit access)? Couldn’t I do something like:

    Nic1: 192.168.2.0 (2.1 – 2.14 being user range)
    Nic2: 192.168.2.16 (2.17 – 2.30 being user range)
    Nic3: 192.168.2.32 (2.33 – 2.46 being user range)
    Nic4: 192.168.2.48 (2.49 – 2.62 being user range)

    That would work though in each case your NICs need an IP address in the "user range".
    There is plenty of address space available in 192.168/16 so if you want to adopt this approach I suggest you leave some gaps so you can easily tweak the numbers up if required.

    @broncoBrad:

    Or does this allow communication between each network?

    Only if you create firewall rules allowing it.

    @broncoBrad:

    #1: How do I limit traffic on the guest network to say 5Mb/download?
    #2: How do I set up VPN to my personal computer on the private network for remote desktop connection?

    See the pfSense doc site http://doc.pfsense.org and search the forums for traffic shaper and VPN (or IPSEC, OpenVPN or PPTP) respectively.

    @broncoBrad:

    #3: How do I limit access to only ftp or web access from external sources?

    Default firewall rules on pfSense WAN interface block all access initiated from WAN. You can open access by port forward Firewall -> NAT rules for http and ftp.

    @broncoBrad:

    #4: How do I block access to the access point set up on say the guest network?

    Firewall rules on the other interfaces and (if appropriate) access restrictions in the AP.

    @broncoBrad:

    #5: How do I allow the private network (more specifically my computer) to access the rest of the network?

    Connect it to the pfSense LAN interface and enjoy the freedom granted by the default firewall rules on that interface (all access allowed).



  • Sorry yes, I have another NIC that I didn't list as the WAN interface.

    Thank you for answering my question about having all the networks' 3rd octet the same. I don't think I'll go that route, mainly for, like you said, expansion. This may sound dumb but how do I set up WiFi encryption? Is there something in pfSense or in the APs outside of WPA2 authentication? Can you tell me specifically the firewall rules I'd need to set up for:

    #1 giving my computer in the private network access to everything in the other networks (I think you (wallabybob) answered this by saying that the LAN interface takes care of this; is that correct, without any extra explicit rules? That's a special feature of the LAN, not any other interfaces?)
    #2 blocking the networks from seeing the other networks (or does this happen automatically by them being separate)

    So if I understand your post (wallabybob) you said that for my server, the website will not work (be accessed on the web) by default because everything is blocked and thus I need to explicitly open a port using NAT rules??

    Thanks wallabybob for your help. Sorry if my follow up questions sound meticulous or re-iterated, I'm just trying to confirm and double-check what I understand.



  • @broncoBrad:

    how do I set up WiFi encryption? Is there something in pfSense or in the APs outside of WPA2 authentication?

    Configure Access Points to use WPA2 authentication.

    Another option for authentication would be to enable Captive Portal on one or more interfaces. Wikipedia has a reasonable article on Captive Portals. Internet Cafes could use captive portal and voucher authentication to provide an unencrypted WiFi access to people who buy a voucher. There are some articles on Captive portal in the pfSense doc site.

    @broncoBrad:

    Can you tell me specifically the firewall rules I'd need to set up for:

    #1 giving my computer in the private network access to everything in the other networks (I think you (wallabybob) answered this by saying that the LAN interface takes care of this is that correct without any extra explicit rules?? That's a special feature of the LAN not any other interfaces?)

    Yes and yes. LAN and WAN are special to support common requirements. For security reasons other interfaces default to "no access".

    @broncoBrad:

    #2 blocking the networks from seeing the other networks (or does this happen automatically by them being separate)

    Yes.

    @broncoBrad:

    So if I understand your post (wallabybob) you said that for my server, the website will not work (be accessed on the web) by default because everything is blocked and thus I need to explicitly open a port using NAT rules??

    yes



  • Thanks wallabybob for being patient with me and answering all my questions.

    I've got two more:

    #1 What's the most secure or strict firewall rule to limit access on an OPT interface to internet-only access?

    #2 Can you give me an example of rule for denying both a) an entire OPT interface network from having access to its access point configuration? b) a single device within the LAN interface from having access to its access point configuration?

    Thanks again for all your patience and help!



  • @broncoBrad:

    Thanks wallabybob for being patient with me and answering all my questions.

    I've got two more:

    #1 What's the most secure or strict firewall rule to limit access on an OPT interface to internet-only access?

    TCP traffic to a destination port through a well implemented Squid, and deny anything else.

    @broncoBrad:

    #2 Can you give me an example of rule for denying both a) an entire OPT interface network from having access to its access point configuration? b) a single device within the LAN interface from having access to its access point configuration?

    It depends where your access point is (meaning which network) and what it is (a Cisco Aironet could have its own ACLs).



  • @broncoBrad:

    #1 What's the most secure or strict firewall rule to limit access on an OPT interface to internet-only access?

    Interface firewall rules are processed from the top down until the first match. Suppose all your private networks have IP addresses in 192.168.0.0/16; then you could do it in one rule. Go to Firewall -> Rules, click on the tab for the appropriate interface, click on the "+" button beside the table heading to add a new rule at the top, then add this rule:
    Action=PASS, Protocol=any, Source=any, Destination=(not=ticked, type=network, address=192.168.0.0/16)
    (unspecified fields can be left at default values).
    With that rule, any access to an address outside 192.168.0.0/16 will be allowed to pass through the firewall and any access to an address in 192.168.0.0/16 will fall into the interface default block rule.

    @broncoBrad:

    #2 Can you give me an example of rule for denying both a) an entire OPT interface network from having access to its access point configuration? b) a single device within the LAN interface from having access to its access point configuration?

    a) No because an access attempt to a WiFi access point on the same network will normally happen directly without going through the firewall. You will need to invoke access restrictions on the AP itself.
    b) see a)

    @broncoBrad:

    Thanks again for all your patience and help!

    You're welcome.



  • I need help quickly so my wife can have the internet back.

    I upgraded to pfsense 2.0rc3 but did some network changing after it upgraded.

    So now I can't access the internet on my LAN PCs.

    My WAN is DHCP and can ping google.com successfully.
    My LAN is static 192.168.26.129/28.
    DHCP server is enabled on the LAN, with a range of 192.168.26.130 - 192.168.26.135.
    The LAN nic goes into a wireless AP, with an address of 192.168.26.136.

    I can ping google.com via diagnostics on pfSense from the LAN interface and can access the web configurator from a LAN PC,
    but when trying to ping 192.168.26.129 from diagnostics on the wireless AP or a LAN PC, it fails.

    please help!



  • I figured it out… I created a rule of:

    PASS if=LAN proto=ANY src=ANY dst=ANY

    I don't believe I needed this in the past, why do I need it now? I thought LAN was assumed to have access without additional rules?



  • @broncoBrad:

    I figured it out… I created a rule of:

    PASS if=LAN proto=ANY src=ANY dst=ANY

    I don't believe I needed this in the past, why do I need it now? I thought LAN was assumed to have access without additional rules?

    1. Your network changing "broke something" temporarily - perhaps you changed IP addresses or network masks and your DHCP clients didn't renew their leases.
    2. It did when I upgraded some months ago.



  • So in your set up wallaby, do you have a rule similar to the one I created?

    I feel like that just opened/exposed my LAN network a lot.



  • @broncoBrad:

    So in your set up wallaby, do you have a rule similar to the one I created?

    Yes, but it is the Default allow LAN to any rule.

    @broncoBrad:

    I feel like that just opened/exposed my LAN network a lot.

    Firewall rules apply on the input side of an interface. Hence adding a PASS rule to the LAN interface potentially allows computers on the LAN interface to access computers that may have been blocked previously; it doesn't allow more computers to access your LAN computers.



  • I feel dumb for asking this and I really appreciate your patience with me wallabybob.

    How does it not allow other computers (outside the LAN network) to see my LAN computers? If I leave the rule I made last night that basically says allow anything to pass into the LAN interface doesn't that open it up to unwanted access from the outside or is that stopped by the WAN rules and/or the pfSense logic of separating networks by interface?

    Thanks again so much for your time and help!



  • @broncoBrad:

    I feel dumb for asking this and I really appreciate your patience with me wallabybob.

    No problem. We were all beginners once.

    @broncoBrad:

    How does it not allow other computers (outside the LAN network) to see my LAN computers? If I leave the rule I made last night that basically says allow anything to pass into the LAN interface doesn't that open it up to unwanted access from the outside or is that stopped by the WAN rules and/or the pfSense logic of separating networks by interface?

    Interface firewall rules apply only on entry into the firewall on that interface.

    Suppose you have a firewall with WAN, LAN and OPT1. A computer on OPT1 attempts to access a computer on LAN. If the access attempt passes the interface rules on OPT1 it goes straight through - the interface rules on LAN are not consulted.



  • Need help! I set up my server box today and have it getting an address via DHCP right now to try and solve my issue (will be static in the future).

    The problem is right now pfSense can't see the box. The server is directly connected to one of my pfSense NICs. The NIC's IP is 192.168.1.1/30; the DHCP range is from 192.168.1.2 to 192.168.1.2.

    The server obtains the DHCP address correctly. I've added the PASS any, any, any rule on the 192.168.1.1 NIC. Still nothing.

    Is there something special I need to do?

    Thanks!



  • @broncoBrad:

    The problem is right now pfSense can't see the box. The server is directly connected to one of my pfSense NICs. The NIC's IP is 192.168.1.1/30; the DHCP range is from 192.168.1.2 to 192.168.1.2.

    The server obtains the DHCP address correctly. I've added the PASS any, any, any rule on the 192.168.1.1 NIC. Still nothing.

    Is there something special I need to do?

    How is pfSense trying to "see" the server and what response is displayed when a "see" attempt is made?

    Does your pfSense box have multiple interfaces in 192.168.1.1/30?



  • Okay, let me see if I can explain a little better.

    I have an OPT NIC labeled "Server"; it has an address of 192.168.1.1/30. With that net the only hosts available in that range are 192.168.1.1 (in use by the NIC) and 192.168.1.2 (which is the address obtained by the server via DHCP).

    Does your pfSense box have multiple interfaces in 192.168.1.1/30?

    No, I do not have any interfaces with that same range.

    The server is directly connected to the NIC via a crossover cable. When I say it can't see it I mean via PING. I use the diagnostics->ping from the web configurator and tell it to PING 192.168.1.2 from the "Server" interface and it responds with 3 timeouts/lost packets.

    I also tried PINGING 192.168.1.1 from the server box and same result.



  • I also had a general question about firewall rules since I'm pretty sure that's what's stopping my server.

    If I'm trying to BLOCK a computer based on a certain time schedule say on the OPT1 interface.

    #1 I put the rule in the OPT1 interface tab correct? Not the WAN interface?
    #2 When I put the rule in the OPT1 interface, do I put the computer IP as the source or the destination? If the firewall rules are only checked on packets coming INTO the interface I'd put the computer IP as the destination correct?
    #3 If I'm correct on #2 when is an example of a time when the source would need to be filled in? Would that be like traffic flow from one network to another network in pfSense?

    I ask these to answer the question of allowing internet-only access. I would have a rule like:

    PASS TCP/UDP Source:ANY Destination:ANY Port:80 to 80

    Correct?

    Thanks!



  • @broncoBrad:

    The server is directly connected to the NIC via a crossover cable. When I say it can't see it I mean via PING. I use the diagnostics->ping from the web configurator and tell it to PING 192.168.1.2 from the "Server" interface and it responds with 3 timeouts/lost packets.

    The server configuration allows ping responses? Does a packet capture on the interface connected to the server show outgoing pings?

    @broncoBrad:

    I also tried PINGING 192.168.1.1 from the server box and same result.

    Have you checked the pfSense firewall log (Status -> System Logs, click on Firewall tab) to see if your ping attempt has been blocked by the firewall?

    @broncoBrad:

    If I'm trying to BLOCK a computer based on a certain time schedule say on the OPT1 interface.

    Interface firewall rules apply on entry of a particular access attempt to the firewall.  Hence if you are trying to block access attempts by a computer on OPT1 you would use interface firewall rules on OPT1. If you are trying to block access attempts TO a computer on OPT1 you would specify interface firewall rules on the interface on which the access attempt arrives at the firewall.

    @broncoBrad:

    If I'm trying to BLOCK a computer based on a certain time schedule say on the OPT1 interface.

    #1 I put the rule in the OPT1 interface tab correct? Not the WAN interface?
    #2 When I put the rule in the OPT1 interface, do I put the computer IP as the source or the destination? If the firewall rules are only checked on packets coming INTO the interface I'd put the computer IP as the destination correct?
    #3 If I'm correct on #2 when is an example of a time when the source would need to be filled in? Would that be like traffic flow from one network to another network in pfSense?

    You need to be precise. Do you mean you want to block access attempts TO a computer on OPT1 or do you mean you want to block access attempts FROM a computer on OPT1? In the following answers I'll assume you mean you want to block access TO a computer on OPT1.
    #1. You need firewall rules on all interfaces on which the access attempt arrives at the firewall (could be both WAN and LAN and …)
    #2. In the firewall rules source means origin of the access attempt, destination means target of the access attempt.
    #3. You need to consider the set of rules for the interface, not just single rules. My ISP allocates me peak and off-peak download quotas for the month. If I go over quota my speeds are dropped considerably. My son does big games downloads. I want to block HIS access to the games servers in peak times. His computer is on LAN which has the standard allow LAN to any rule. As first rule on the interface I add a BLOCK rule to LAN to block access FROM his computer TO game servers in peak times. Any access from other computers doesn't match that rule and falls into the LAN default rule allowing access.

    @broncoBrad:

    I ask these to answer the question of allowing internet-only access. I would have a rule like:

    PASS TCP/UDP Source:ANY Destination:ANY Port:80 to 80

    Correct?

    Again, you probably need to be a bit more precise:
    1. internet only access: your rule wouldn't allow POP3 or IMAP or SMTP or ssh or telnet or ping or … and you probably don't want to specify a specific source port.
    2. This rule needs to be interpreted in the context of other rules on the interface. It wouldn't be needed on the LAN interface if you have the default LAN rules but something like it would be needed on OPT1 if you wanted OPT1 computers to access the internet AND that access wasn't allowed by OPT1 rules further down the rule list.



  • The server configuration allows ping responses? Does a packet capture on the interface connected to the server show outgoing pings?

    By this are you asking if my server responds to pings? I'm pretty sure it does because at one point I had it set up with a shared connection on my personal computer while I was setting it up and the pinging worked. I guess my other definition of "see" is that the server doesn't have internet access, but I don't think it's a firewall rule since I have the any rule and a diagnostics -> ping didn't work.

    Does a packet capture on the interface connected to the server show outgoing pings?

    Haven't tried yet. Will try to set up packet capture and see what I can see.

    Have you checked the pfSense firewall log (Status -> System Logs, click on Firewall tab) to see if your ping attempt has been blocked by the firewall?

    Again, haven't tried yet, although this is difficult when I have to be in a completely different part of my house to access the server than to access my system logs and the system logs only hold the last 50 entries.

    Your response helped me get a better understanding of firewall rules. I understand that I wasn't very precise and I also understand looking at rules within the context of all interfaces, but here's my question to clarify my understanding:

    His computer is on LAN which has the standard allow LAN to any rule. As first rule on the interface I add a BLOCK rule to LAN to block access FROM his computer TO game servers in peak times. Any access from other computers doesn't match that rule and falls into the LAN default rule allowing access.

    Why is it "FROM" (i.e. Source) and "TO" (i.e. Destination) on the LAN interface? I guess what I'm saying is if you're looking at when it arrives at the firewall I thought it was only coming into the LAN thus the rule doesn't make any sense, but if it's both going in and out then the rule makes sense. So instead of just doing a Destination rule to your son's computer (which would allow his attempts out to the internet, WAN), but be blocked on the way back in, you stop it from even going out the LAN, correct?

    Thanks!



  • A TCP connection (say to send an email) has a special sequence to establish a connection and a special sequence to teardown a connection.

    A flow is a data structure describing data transfer within a connection. It will normally have at least source IP, source port, destination IP and destination port. Thus a connection has two associated flows (because data can travel in both directions).

    Simplified firewall processing - packet arrival at firewall:
    Is there a flow for this packet?
    Yes - forward the packet.
    No - Is this a connection setup?
        No - discard packet
        Yes - Does this connection setup match an ALLOW rule for this interface?
            No - discard packet
            Yes - create flow for this direction of data transfer,
                create flow for reverse direction of data transfer,
                forward connection setup

    @broncoBrad:

    His computer is on LAN which has the standard allow LAN to any rule. As first rule on the interface I add a BLOCK rule to LAN to block access FROM his computer TO game servers in peak times. Any access from other computers doesn't match that rule and falls into the LAN default rule allowing access.

    Why is it "FROM" (i.e. Source) and "TO" (i.e. Destination) on the LAN interface? I guess what I'm saying is if you're looking at when it arrives at the firewall I thought it was only coming into the LAN thus the rule doesn't make any sense, but if it's both going in and out then the rule makes sense. So instead of just doing a Destination rule to your son's computer (which would allow his attempts out to the internet, WAN), but be blocked on the way back in, you stop it from even going out the LAN, correct?

    The simplified firewall processing description says the firewall rules are consulted only on an attempt to setup a connection and if that attempt is allowed then the "back traffic" to the initiator of the connection is also allowed. The firewall rules apply to connection setup attempts. If my son wants to have a conversation with his games servers the firewall will see on the LAN interface a connection setup attempt FROM his computer TO a games server. If the firewall allows that connection attempt (and the target accepts it) then all traffic (both directions) on that connection is allowed.
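    As an added illustration (not code from this thread or from pfSense itself), here is the simplified processing wallabybob describes, combined with the top-down first-match interface rules from earlier in the thread, modelled in Python. The interface names, addresses, rule sets and packets are constructed from the addressing plan discussed above; the "not 192.168.0.0/16" guest rule and the block-above-the-default-allow LAN rule are the two rules the thread walks through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str = "any"           # "any", "tcp", "udp", "icmp"
    src: str = "any"             # "any", a host address or a CIDR network
    dst: str = "any"             # "any", a host address or a CIDR network
    dst_not: bool = False        # the "not" tick box on the destination field
    dport: Optional[int] = None  # destination port, None means any

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if not in_net(rule.src, pkt["src"]):
        return False
    if in_net(rule.dst, pkt["dst"]) == rule.dst_not:  # the "not" box inverts the destination match
        return False
    return rule.dport is None or rule.dport == pkt["dport"]

class StatefulFirewall:
    """Thread's simplified processing: known flow -> forward; otherwise only a connection setup is
    checked, top down, first match, on the interface the packet ARRIVES on; a pass creates both flows."""

    def __init__(self, rules_by_iface):
        self.rules = rules_by_iface
        self.flows = set()

    def handle(self, iface, pkt, setup):
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.flows:
            return "forward: existing flow"
        if not setup:
            return "discard: no flow and not a connection setup"
        for rule in self.rules.get(iface, []):
            if rule_matches(rule, pkt):
                if rule.action == "block":
                    return "discard: matched block rule"
                self.flows.add(key)  # this direction
                self.flows.add((pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))  # reverse
                return "forward: flow created"
        return "discard: interface default block"

# Constructed sample layout following the thread's addressing plan (not a real config).
LAN_NET, SON_PC = "192.168.2.0/24", "192.168.2.50"
GAME_SERVER, WEB_SERVER = "198.51.100.7", "203.0.113.10"  # documentation-range placeholders
RULES = {
    # LAN: the block for the son's PC sits ABOVE the default "allow LAN to any" rule
    "LAN": [Rule("block", src=SON_PC, dst=GAME_SERVER), Rule("pass", src=LAN_NET)],
    # GUEST: wallabybob's one-rule internet-only: pass only to destinations NOT in 192.168.0.0/16
    "GUEST": [Rule("pass", dst="192.168.0.0/16", dst_not=True)],
    "SERVER": [],  # an OPT interface with no rules falls into the default block
}

def tcp(src, dst, dport, sport=40000):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}

def run_scenarios():
    fw = StatefulFirewall(RULES)
    out = {}
    out["guest_to_internet"] = fw.handle("GUEST", tcp("192.168.3.20", WEB_SERVER, 80), setup=True)
    out["guest_to_lan_pc"] = fw.handle("GUEST", tcp("192.168.3.20", "192.168.2.10", 3389), setup=True)
    # A LAN host connects to a guest device: only the LAN rules are consulted ...
    out["lan_to_guest"] = fw.handle("LAN", tcp("192.168.2.10", "192.168.3.20", 22, 51000), setup=True)
    # ... and the reply arriving on GUEST matches the reverse flow, so GUEST rules never run
    out["guest_reply"] = fw.handle("GUEST", tcp("192.168.3.20", "192.168.2.10", 51000, 22), setup=False)
    out["son_to_game_server"] = fw.handle("LAN", tcp(SON_PC, GAME_SERVER, 27015), setup=True)
    out["other_lan_to_game_server"] = fw.handle("LAN", tcp("192.168.2.10", GAME_SERVER, 27015), setup=True)
    out["server_outbound"] = fw.handle("SERVER", tcp("192.168.5.2", WEB_SERVER, 80), setup=True)
    return out

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} {verdict}")
```

    The guest_reply case is the point of wallabybob's last two answers: the reply is forwarded because a pass on LAN created the reverse flow, even though nothing in the GUEST rules would allow a new connection to the LAN host.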

