Multiple LANs to WAN on a local subnet - firewall rules



  • Hello,

I've got a question about how to organise my firewall rules for multiple LANs/VLANs on an 8-Ethernet-port appliance running pfSense 2.0.1.

    My simplified configuration is (actually I've got 8 LANs and VLANs):

    LAN1-----|-|
    LAN2-----| |---  WAN  ---  ISP ROUTER  ---  INTERNET

    For example:
    LAN1 = 192.168.0.0/24
    LAN2 = 192.168.1.0/24
    WAN = 90.1.1.130/30
    ISP router= 90.1.1.129/30

    My public address is 90.1.1.130 (the one I reach from outside).

    In "System / Routing / Gateway", I've added the following default gateway:
    name: WANGW (default)
    interface : WAN
    Gateway IP : 90.1.1.129

    The WAN interface is set as follows: Static ... IP address = 90.1.1.253/30, Gateway = WANGW

    So the question is:

    On the LAN interface, if I add the following rule:
    Proto   Source        Port   Destination   Port   Gateway
    TCP     LAN subnet    *      WAN subnet    80     *

    HTTP is still blocked, and I think it's because the firewall treats "WAN subnet" as only the subnet 90.1.1.253/30.

    So if I want it to work, I need to use:
    Proto   Source        Port   Destination   Port   Gateway
    TCP     LAN subnet    *      *             80     *

    OK, but my problem is that with multiple LANs, I need to add several rules to stop the traffic from one LAN to the other LANs.

    Can I simplify this? How can I tell pfSense that the WAN subnet corresponds to all subnets that are not on a LAN or VLAN interface, so that I can use the "WAN subnet" identifier in my rules?
    Or maybe I'm wrong from the beginning; if so, please tell me, because I've missed something...

    Many thanks in advance,

    Regards,
    Guillaume



  • Create an alias with all your networks and then change dest * to dest "not local network alias":

    Proto   Source        Port   Destination   Port   Gateway
    TCP     LAN subnet    *      !my_nets      80     *

    or a rule before the HTTP rule:

    action   Proto   Source        Port   Destination   Port   Gateway
    deny     any     LAN subnet    *      !my_nets      *      *
    allow    TCP     LAN subnet    *      !my_nets      80     *



  • That's what I was going to do, but I preferred to ask first. So there's no other way...

    Don't we need to place the allow TCP:80 rule before? In your case, pfSense finds the deny first, then it blocks...

    action   Proto   Source        Port   Destination   Port   Gateway
    deny     any     LAN subnet    *      !my_nets      *      *
    allow    TCP     LAN subnet    *      !my_nets      80     *

    Thank you



  • My mistake,
    the deny rule does not have the "not" in dst:

    action   Proto   Source        Port   Destination   Port   Gateway
    deny     any     LAN subnet    *      my_nets       *      *
    allow    TCP     LAN subnet    *      !my_nets      80     *
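The three rule orderings discussed in this thread, run through a small model of pfSense's evaluation order. This is an added example, not code from the thread or from pfSense: it models the fact that pfSense adds `quick` to every rule (so the first matching rule wins) and that traffic arriving on an interface with no matching rule is denied by default. The subnets and the `my_nets` alias are the ones from the posts above; the 203.0.113.5 web server and the host addresses are constructed test values.

```python
"""Model of pfSense first-match rule evaluation for the rulesets in the thread.

Added example, not pfSense's own code.  Assumptions: pfSense puts 'quick' on
every rule, so the first matching rule decides; with no match, the implicit
default on a LAN-side interface is deny.
"""
import ipaddress
from typing import NamedTuple

# Interface subnets from the post: these are what the "LAN subnet" and
# "WAN subnet" macros expand to.  Note that "WAN subnet" is only the /30
# between the firewall and the ISP router, not "everything outside".
IFACES = {
    "LAN1": ipaddress.ip_network("192.168.0.0/24"),
    "LAN2": ipaddress.ip_network("192.168.1.0/24"),
    "WAN": ipaddress.ip_network("90.1.1.128/30"),
}

# The alias proposed in the replies: all internal networks in one place.
ALIASES = {
    "my_nets": [IFACES["LAN1"], IFACES["LAN2"]],
}


class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "*"
    src: str      # "<iface> subnet", alias name, "!alias" or "*"
    dst: str
    dport: str    # "80" or "*"


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int


def _networks(spec: str):
    """Resolve an interface macro ("LAN1 subnet") or alias name to networks."""
    if spec.endswith(" subnet"):
        return [IFACES[spec[: -len(" subnet")]]]
    return ALIASES[spec]


def _match_addr(spec: str, addr: str) -> bool:
    """Match an address against a spec; a leading '!' inverts the match."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    nets = _networks(spec.lstrip("!"))
    hit = any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("*", pkt.proto)
            and _match_addr(rule.src, pkt.src)
            and _match_addr(rule.dst, pkt.dst)
            and rule.dport in ("*", str(pkt.dport)))


def evaluate(rules, pkt):
    """Return (action, index) of the first matching rule, or ('deny', None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


# Ruleset 1: the original poster's first attempt.
FIRST_TRY = [Rule("allow", "tcp", "LAN1 subnet", "WAN subnet", "80")]

# Ruleset 2: the first reply, with "!my_nets" on the deny rule (the mistake).
DENY_NOT_MYNETS = [
    Rule("deny", "*", "LAN1 subnet", "!my_nets", "*"),
    Rule("allow", "tcp", "LAN1 subnet", "!my_nets", "80"),
]

# Ruleset 3: the corrected version from the last reply.
CORRECTED = [
    Rule("deny", "*", "LAN1 subnet", "my_nets", "*"),
    Rule("allow", "tcp", "LAN1 subnet", "!my_nets", "80"),
]

# Constructed sample packets (203.0.113.0/24 is a documentation range).
WEB = Packet("tcp", "192.168.0.10", "203.0.113.5", 80)      # LAN1 -> Internet web
TLS = Packet("tcp", "192.168.0.10", "203.0.113.5", 443)     # LAN1 -> Internet TLS
CROSS = Packet("tcp", "192.168.0.10", "192.168.1.20", 80)   # LAN1 -> LAN2
ISP = Packet("tcp", "192.168.0.10", "90.1.1.129", 80)       # LAN1 -> ISP router itself

if __name__ == "__main__":
    for name, rules in (("first try", FIRST_TRY),
                        ("deny !my_nets first", DENY_NOT_MYNETS),
                        ("corrected", CORRECTED)):
        for pkt in (WEB, TLS, CROSS, ISP):
            print(f"{name:22} {pkt.dst}:{pkt.dport:<4} -> {evaluate(rules, pkt)}")
```

Running it shows the point of the last reply: with the first ruleset, only traffic to the /30 itself (the ISP router) matches "WAN subnet", so Internet HTTP falls through to the default deny; with `!my_nets` on the deny rule, that rule matches every Internet destination first and the allow rule is never reached; with `my_nets` on the deny rule, LAN1-to-LAN2 is blocked, Internet HTTP is allowed, and anything else (HTTPS here) is still denied by default.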

