Specific port forwarding and internet access



  • So here's what I have set up:

    Two networks:
    LAN and MEDIA (opt interface)

    I have a slingbox located on my MEDIA network, along with a Wii console and a DirecTV STB, so I think what I need to do is allow internet access to this network so that the Wii and DirecTV STB can access the net for their purposes.

    For the slingbox it requires a port forward of port 5001. What I want is for only users on the LAN interface, specifically those connected via the OpenVPN network that I have set up to be on the LAN, to be able to access the slingbox.

    In attempts to give the MEDIA interface internet I made an outbound NAT rule with any on all options, and I also had an any-on-all-options rule in the MEDIA interface's rules tab. This successfully gave the network internet access, but it also allowed a client computer connected to either the MEDIA interface or the LAN interface to access the slingbox without being connected to the VPN.

    Does anyone know how to solve this? Do I need firewall rules? NAT rules? Both? A captive portal set up?

    Thanks in advance!



  • You will need both NAT rules for internet access and firewall rules to limit access to other parts of the network. Remember that rules are first-match, so a block rule after an allow-all rule will not be effective. Any machine on the same network as what it is accessing will not go through the firewall and will have access to all that is on it. So a client computer connected to the MEDIA network accessing something on the MEDIA network will not get any blocks from any firewall.
    If you only want VPN access to the slingbox, then you only need to add a rule to the OpenVPN tab to allow it. All others will be blocked if you have a LAN-to-OPT network block rule.

    Usually you trust LAN though. You can limit which IP has access over to MEDIA. I am not familiar enough with captive portal to know whether using that might help instead of a VPN, though I would imagine that throughput would be better without the encryption process of a VPN.



  • I don't normally read this forum. I received a PM from BroncoBrad:

    I'm really confused about internet access because I didn't know you had to set up NAT rules to allow internet access on interfaces that aren't the LAN interface; I thought it was just firewall rules. Is that the case?

    I need a more precise description of the access you want to allow. The reason is that the firewall rules apply to the interface on which the "connect initiate" is received. The following statement is ambiguous:
    @broncoBrad:

    I need to allow internet access to this network so that the Wii and DirecTV STB can access the net for their purposes.

    Does it mean you need to allow systems on the internet to initiate connections to the Wii and DirecTV STB (in which case you probably need port forwards on your WAN interface) OR does it mean you need to allow the Wii and DirecTV STB to initiate connections to systems on the Internet (in which case you need appropriate firewall rules on the MEDIA interface)? Maybe you want to allow both types of access.

    I'm not clear about the following:

    For the slingbox it requires a port forward of port 5001. What I want is for only users on the LAN interface, specifically those connected via the openVPN network that I have set up to be on the LAN to be able to access the slingbox.

    "port forward of port 5001" means "allow access to port 5001"? If really a port forward, a port forward of connect initiates from where to what port? I don't understand how the VPN fits in this requirement! Is the VPN terminated in a system on the LAN, or on pfSense? The "other" end of the VPN is where? I suspect that it might be sufficient to add a firewall rule (or rules) to the LAN interface to allow connects to port 5001 on the Slingbox if they come from a particular set of IP addresses, followed by a BLOCK rule on the LAN interface for all accesses to the MEDIA interface. But I don't understand the topology. Probably a diagram would help.



  • Thanks wallabybob for replying… the answer for the Wii and DirecTV STB is that the Wii and DirecTV STB will be initiating connections, which is why I thought that an allow-any rule on the MEDIA interface was enough to give them access, but when I connected my PC to the MEDIA interface I did not have internet access. How come the PC doesn't get access?

    My initial post was ambiguous because I don't know exactly how the Wii and DirecTV STB connect to the internet. All I know is that the Wii uses it for connection to Netflix and DirecTV uses it to order Movies on Demand, so I assume just general internet access, like going on a browser on the PC, is all they need.

    The idea behind the slingbox setup is essentially setting up another level of security (i.e. VPN users) for access to my slingbox. The point is to be able to know exactly who I'm giving access to. Basically only users connected to the VPN should be able to access the slingbox.

    The reason I mentioned port forwarding 5001 is that that's how I've always had to set it up to be able to connect via the web; like you said, the web becomes the initiator and thus I need to allow a forward from the WAN interface. If I were to set up my VPN to tunnel to the MEDIA interface, that would give them access since they are on the same network, yes?

    And by default LAN has access to the MEDIA interface, yes? Or is that only because I have an any rule that allows me to initiate a connection anywhere?

    Thanks all!



  • Sorry I forgot to add a diagram.

    I'm not exactly sure how to draw it, but here goes:

    |–-----------------|        Tunnel          |--------------------|              |-----------------------------|
    |    PC on internet  |------------------> |  my pfSense        | -------->|    VPN User address network |
    |  w/ VPN config      |------------------> |                            |              |-----------------------------|
    |-------------------|                            |--------------------|                      |    |
                                                                                                                  |    | Tunnel
                                                                                                                  |    |
                                                                                                            |-----------------------|
                                                                    Slingbox  <------------------|          MEDIA network  |
                                                                                                            |----------------------

    I only want users in the VPN user address network to be able to access the slingbox. I don't even want other devices on the MEDIA network to be able to access the slingbox.

    Thanks!



  • Thanks for the diagram. I've "redrawn" it as "teletype" (all characters the same width).

    |–-----------------|        Tunnel      |--------------------|              |-----------------------------|
    |  PC on internet  |------------------> |  my pfSense      |------------->|    VPN User address network |
    |  w/ VPN config    |------------------> |                    |              |-----------------------------|
    |-------------------|                    |--------------------|                          |    |
                                                                                              |    | Tunnel
                                                                                              |    |
                                                                                        |-----------------------|
                                                          Slingbox  <------------------|        MEDIA network  |
                                                                                        |----------------------

    @broncoBrad:

    I only want users in the VPN user address network to be able to access the slingbox. I don't even want other devices on the MEDIA network to be able to access the slingbox.

    Unless the slingbox has a firewall there isn't any way I know of to prevent other devices on the MEDIA network accessing the slingbox. You could put the slingbox on its own interface on pfSense to prevent such access.

    @broncoBrad:

    the Wii and DirecTV STB will be initiating connections, which is why I thought that an allow any rule on the MEDIA interface was enough to give them access,

    Depends on what access they need. Do they expect to be able to initiate a connection to somewhere on the Internet and then expect that to initiate a connection back? Sometimes the manuals for these sorts of devices document their firewall requirements.

    @broncoBrad:

    but when I connected my PC to the MEDIA interface I do not have internet access. How come the PC doesn't get access?

    Too many possibilities. Let's make a deal: you give me a clue along the lines of "When I did … on the PC I saw … but I expected to see …" and if the clue substantially reduces the possibilities I'll make a guess.

    @broncoBrad:

    My initial post was ambiguous because I don't know exactly how the Wii and DirecTV STB connect to the internet. All I know is that the Wii uses it for connection to Netflix and DirecTV uses it to order Movies on Demand, so I assume just general internet access, like going on a browser on the PC, is all they need.

    Maybe it's like web access, maybe it's like the slingbox, expecting an internet system to initiate a connection "back" to a specific port.

    @broncoBrad:

    The reason I mentioned port forwarding 5001 is that that's how I've always had to set it up to be able to connect via the web; like you said, the web becomes the initiator and thus I need to allow a forward from the WAN interface. If I were to set up my VPN to tunnel to the MEDIA interface, that would give them access since they are on the same network, yes?

    I'm confused about the tunnel endpoints. One is a PC and the other is the pfSense box? (the diagram suggests to me that the slingbox is a tunnel endpoint.)

    @broncoBrad:

    And by default LAN has access to the MEDIA interface, yes? Or is that only because I have an any rule that allows me to initiate a connection anywhere?

    Yes. pfSense creates such a default rule for LAN interface.



  • Okay.

    First of all, can't I create a rule on the MEDIA interface that says any initiation from any IP address to the slingbox is blocked?

    Second, if I can get general internet access, like using a web browser on the PC, that's all I'm concerned about for the Wii and DTV STB. I'm pretty sure that the Wii and the DTV STB are always going to be the initiators out to the web.

    Third, alright, here's my clue. With no NAT outbound rules and an any firewall rule for the MEDIA interface, I expected that I would get internet browsing access on my PC, but that was not the case. Hopefully that clears up my confusing mess of comments.

    Fourth, sorry about the tunnel confusion. Part of the confusion is because I'm new to VPN. I believe the tunnel endpoint is the VPN user address network. So say I set up OpenVPN and I have my LAN at 192.168.1.1/24 and the OpenVPN network is 192.168.2.1/24, but I tell the OpenVPN network to tunnel to my LAN. So when I connect to the VPN, does my PC now appear to the firewall rules on the 1.1/24 or the 2.1/24? If it is the 1.1/24 then I could just set up the VPN to tunnel to the MEDIA interface; then the VPN user would appear like they're on the MEDIA interface and would have access to the slingbox, no WAN port forwarding necessary.

    Hopefully this clarifies my issues. Thanks for your patience and assistance.



  • Okay, I just tried it again (my third comment in my last reply): no NAT outbound rules, and the only firewall rule listed in the MEDIA interface is an ANY rule. My wireless card connects straight to it and I have browsed several webpages just fine.

    Should it work this way? This is how I assumed it should work. If this is correct, then why did adding an ANY NAT outbound rule appear to fix it?

    Thanks!



  • @broncoBrad:

    First of all, can't I create a rule on the MEDIA interface that says any initiation from any IP address to the slingbox is blocked?

    Sure you can create such a rule. It applies only to connection initiations received on the MEDIA interface. At the risk of assuming too much about your configuration, such connection attempts are unlikely to go through the firewall since they can go directly to the slingbox. Hence your rule is unlikely to do anything useful.

    @broncoBrad:

    Third, alright, here's my clue. With no NAT outbound rules and an any firewall rule for the MEDIA interface, I expected that I would get internet browsing access on my PC, but that was not the case.

    Sorry, this clue doesn't qualify. Surely the browser reported something when you attempted to access the internet.

    @broncoBrad:

    Fourth, sorry about the tunnel confusion. Part of the confusion is because I'm new to VPN. I believe the tunnel endpoint is the VPN user address network. So say I set up OpenVPN and I have my LAN at 192.168.1.1/24 and the OpenVPN network is 192.168.2.1/24, but I tell the OpenVPN network to tunnel to my LAN. So when I connect to the VPN, does my PC now appear to the firewall rules on the 1.1/24 or the 2.1/24? If it is the 1.1/24 then I could just set up the VPN to tunnel to the MEDIA interface; then the VPN user would appear like they're on the MEDIA interface and would have access to the slingbox, no WAN port forwarding necessary.

    So I presume you setup OpenVPN on both pfSense (as OpenVPN server) and the "Internet PC" in the diagram (as OpenVPN client). My understanding is that the pfSense OpenVPN server will appear as a distinct interface and that your firewall rule to allow access to the Slingbox will need to appear on that interface.

    @broncoBrad:

    Okay, I just tried it again (my third comment in my last reply): no NAT outbound rules, and the only firewall rule listed in the MEDIA interface is an ANY rule. My wireless card connects straight to it and I have browsed several webpages just fine.

    Should it work this way? This is how I assumed it should work. If this is correct, then why did adding an ANY NAT outbound rule appear to fix it?

    After fiddling with firewall rules it is sometimes necessary to reset firewall states: see Diagnostics -> States and click on the Reset States tab. I guess adding the NAT rule fiddled with firewall states to achieve the same effect as a firewall states reset.



  • Okay… I'm having some success, but here's what I want.

    I want only those on the MEDIA interface and a VPN server tunnelled to the MEDIA interface to be able to access the slingbox.

    I believe that the outsider initiates the connection, not the slingbox, because I have to open a program on my desktop or a web browser to connect to the slingbox.

    So knowing that, and knowing the exact IP of my slingbox, what are the exact rules that I would need to block all other interfaces (networks), including LAN, from accessing the slingbox?

    I assumed that a rule on, say, the LAN interface that said BLOCK any proto, any source, MEDIA address dest would work, but it doesn't appear to work that way.

    Please help.

    Thanks a bunch for your time and patience.



  • @broncoBrad:

    I assumed that a rule on, say, the LAN interface that said BLOCK any proto, any source, MEDIA address dest would work, but it doesn't appear to work that way.

    You reset firewall states after adding the rule? (See my previous post.)



  • I'm pretty sure I reset the states. I'll try again later today and check back with you, but I assume from your comment that the rule should work?



  • Your rule needs to come BEFORE (higher up the page) any allow rule the packet might match. Packets are compared with rules from the top down. First match stops the comparison. Otherwise the rule looks OK.
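The three pfSense behaviours the replies in this thread keep coming back to (rules are evaluated top-down and the first match wins, so a block placed below an allow-all is dead; the rule set consulted is the one on the interface where the connection is initiated; two hosts on the same subnet never traverse the firewall at all) can be checked with a small model. This is an added example, not code from the thread or from pfSense. The LAN (192.168.1.0/24) and OpenVPN (192.168.2.0/24) subnets follow the poster's own example; the MEDIA subnet 192.168.3.0/24, the slingbox at 192.168.3.50 and every other host address are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Union

# Constructed addressing for the model. LAN and OpenVPN subnets follow the poster's
# example; the MEDIA subnet and every host address are assumptions for the illustration.
LAN_NET = ip_network("192.168.1.0/24")
VPN_NET = ip_network("192.168.2.0/24")       # OpenVPN tunnel network
MEDIA_NET = ip_network("192.168.3.0/24")     # the OPT interface
SLINGBOX = ip_address("192.168.3.50")
SLING_PORT = 5001
LAN_PC = ip_address("192.168.1.20")
VPN_CLIENT = ip_address("192.168.2.10")
MEDIA_PC = ip_address("192.168.3.20")        # stands in for the Wii / a PC on MEDIA
INTERNET_HOST = ip_address("203.0.113.10")   # RFC 5737 documentation address

# pfSense evaluates the rule set of the interface on which a connection is initiated.
INTERFACES: Dict[str, IPv4Network] = {"LAN": LAN_NET, "OPENVPN": VPN_NET, "MEDIA": MEDIA_NET}

Target = Optional[Union[IPv4Address, IPv4Network]]   # None means "any"


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst: Target = None           # destination host or network, None = any
    dport: Optional[int] = None  # destination port, None = any

    def matches(self, dst: IPv4Address, dport: int) -> bool:
        if isinstance(self.dst, IPv4Network) and dst not in self.dst:
            return False
        if isinstance(self.dst, IPv4Address) and dst != self.dst:
            return False
        return self.dport is None or self.dport == dport


def ingress_interface(src: IPv4Address) -> Optional[str]:
    """Interface on which pfSense receives a connection initiated from src."""
    for name, net in INTERFACES.items():
        if src in net:
            return name
    return None


def evaluate(rulesets: Dict[str, List[Rule]], src: IPv4Address,
             dst: IPv4Address, dport: int) -> str:
    """'pass' / 'block' as pfSense would decide, or 'unfiltered' when the firewall
    is never consulted because source and destination share a subnet."""
    iface = ingress_interface(src)
    if iface is not None and dst in INTERFACES[iface]:
        return "unfiltered"          # switched locally; no rule can separate these hosts
    for rule in rulesets.get(iface, []):
        if rule.matches(dst, dport):
            return rule.action       # first match wins; later rules are never consulted
    return "block"                   # pfSense default deny when nothing matches


def build_rulesets(lan_block_first: bool) -> Dict[str, List[Rule]]:
    """Rule sets for the thread's topology. lan_block_first controls whether the
    LAN block-to-MEDIA rule sits above or below the default LAN allow-all rule."""
    lan_block = Rule("block", dst=MEDIA_NET)
    lan_allow = Rule("pass")
    return {
        "LAN": [lan_block, lan_allow] if lan_block_first else [lan_allow, lan_block],
        "OPENVPN": [Rule("pass", dst=SLINGBOX, dport=SLING_PORT)],   # VPN users reach only the slingbox
        "MEDIA": [Rule("block", dst=SLINGBOX), Rule("pass")],         # the proposed block-to-slingbox, then any
    }


def lan_to_slingbox(lan_block_first: bool) -> str:
    return evaluate(build_rulesets(lan_block_first), LAN_PC, SLINGBOX, SLING_PORT)


def vpn_to_slingbox(dport: int = SLING_PORT) -> str:
    return evaluate(build_rulesets(True), VPN_CLIENT, SLINGBOX, dport)


def media_pc_to_slingbox() -> str:
    return evaluate(build_rulesets(True), MEDIA_PC, SLINGBOX, SLING_PORT)


def wii_to_internet() -> str:
    return evaluate(build_rulesets(True), MEDIA_PC, INTERNET_HOST, 443)


if __name__ == "__main__":
    print("LAN -> slingbox, block below allow-all:", lan_to_slingbox(False))  # pass (block never reached)
    print("LAN -> slingbox, block above allow-all:", lan_to_slingbox(True))   # block
    print("VPN -> slingbox:5001                  :", vpn_to_slingbox())       # pass
    print("VPN -> slingbox:80                    :", vpn_to_slingbox(80))     # block (default deny)
    print("MEDIA PC -> slingbox (same subnet)    :", media_pc_to_slingbox())  # unfiltered
    print("Wii -> internet:443                   :", wii_to_internet())       # pass
```

The model shows why the poster's block rule appeared not to work when placed under the LAN allow-all, and why the block-to-slingbox rule proposed for the MEDIA tab cannot protect the slingbox from a neighbour on the same subnet. Two practical caveats carry over to a real box: pfSense emits every GUI rule into pf with the `quick` keyword, which is what gives the top-down first-match semantics (plain pf without `quick` is last-match), and pf keeps existing states when rules change, so a connection opened before a new block rule keeps flowing until the state expires or is reset under Diagnostics -> States.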

