Multiple LANs to WAN on a local subnet - firewall rules
-
Hello,
I've got a question about how to organize my firewall rules for multiple LANs/VLANs on an 8-port ethernet appliance with pfSense 2.0.1.
My simplified configuration is (actually, I've got 8 LANs and VLANs):

LAN1 ----|
         |--- WAN --- ISP ROUTER --- INTERNET
LAN2 ----|

For example:
LAN1 = 192.168.0.0/24
LAN2 = 192.168.1.0/24
WAN = 90.1.1.130/30
ISP router = 90.1.1.129/30

My public address is 90.1.1.130 (the one I reach from outside).
In "System / Routing / Gateway", I've added the following default gateway:
name : WANGW (default)
interface : WAN
Gateway IP : 90.1.1.129

The WAN interface is set as follows: Static ... IP address = 90.1.1.253/30, Gateway = WANGW

So the question is:
On the LAN interface, if I add the following rule:

Proto  Source      Port  Destination  Port  Gateway
TCP    LAN subnet  *     WAN Subnet   80    *

HTTP still stays blocked, and I think it's because the firewall takes "WAN Subnet" as corresponding only to the subnet 90.1.1.253/30.
So if I want it to work, I need to use:

Proto  Source      Port  Destination  Port  Gateway
TCP    LAN subnet  *     *            80    *

OK, but my problem is that with multiple LANs, I need to add several rules to stop the traffic from one LAN to the other LANs.
Can I simplify this? How do I tell pfSense that the WAN subnet corresponds to all subnets that are not on a LAN or VLAN interface, and then be able to use the "WAN subnet" identification in my rules?
Or maybe I'm all wrong from the beginning; then please tell me, because I've missed something…

Many thanks in advance,
Regards,
Guillaume
-
Create an alias with all your networks and then change dest * to dest "not local network alias":

Proto  Source      Port  Destination  Port  Gateway
TCP    LAN subnet  *     !my_nets     80    *

or a rule before the HTTP rule:

action  Proto  Source      Port  Destination  Port  Gateway
deny    any    LAN subnet  *     !my_nets     *     *
allow   TCP    LAN subnet  *     !my_nets     80    *
-
That's what I was going to do, but I preferred to ask first, in case there was no other way…
Don't we need to place the allow TCP:80 rule before? In your case, pfSense finds the deny first, then it blocks...

action  Proto  Source      Port  Destination  Port  Gateway
deny    any    LAN subnet  *     !my_nets     *     *
allow   TCP    LAN subnet  *     !my_nets     80    *

Thank you
-
My mistake,
the deny rule does not have the "not" in dst:

action  Proto  Source      Port  Destination  Port  Gateway
deny    any    LAN subnet  *     my_nets      *     *
allow   TCP    LAN subnet  *     !my_nets     80    *
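To make the difference between the first posted ruleset and the corrected one concrete, here is an added example (not from the thread and not pfSense code) that models pfSense's top-down, first-match interface rule evaluation with an implicit deny at the end, using the thread's "my_nets" alias of local networks. The public host 203.0.113.10, the LAN2 host 192.168.1.20 and the function names are assumptions chosen for the example; it also shows why "Destination: WAN Subnet" in the original question only matches the /30 on the WAN link, not the Internet.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing, mirroring the thread: two LANs plus the /30 WAN link.
LAN1 = ip_network("192.168.0.0/24")
LAN2 = ip_network("192.168.1.0/24")
WAN_SUBNET = ip_network("90.1.1.128/30")  # the /30 holding 90.1.1.129 and .130
# The "my_nets" alias from the answer: every local (LAN/VLAN) network.
MY_NETS = [LAN1, LAN2]

INTERNET_HOST = "203.0.113.10"  # constructed public address (TEST-NET-3 range)
LAN2_HOST = "192.168.1.20"      # constructed host on the other LAN


def in_alias(addr, alias):
    """True if addr falls inside any network of the alias."""
    a = ip_address(addr)
    return any(a in net for net in alias)


def rule(action, proto, src, dst_alias, dport, negate_dst=False):
    """One interface rule; negate_dst models the '!alias' destination."""
    return {"action": action, "proto": proto, "src": src,
            "dst": dst_alias, "negate": negate_dst, "dport": dport}


def evaluate(rules, proto, src, dst, dport):
    """pfSense-style evaluation: top-down, first match wins, implicit deny."""
    for r in rules:
        if r["proto"] not in ("any", proto):
            continue
        if ip_address(src) not in r["src"]:
            continue
        dst_hit = in_alias(dst, r["dst"])
        if r["negate"]:
            dst_hit = not dst_hit
        if not dst_hit:
            continue
        if r["dport"] not in ("*", dport):
            continue
        return r["action"]
    return "deny"  # nothing matched: pfSense's default deny


# Ruleset as first posted: deny everything to !my_nets, then allow 80 to !my_nets.
# The deny already matches Internet-bound traffic, so the allow is never reached.
FIRST_POSTED = [
    rule("deny", "any", LAN1, MY_NETS, "*", negate_dst=True),
    rule("allow", "tcp", LAN1, MY_NETS, 80, negate_dst=True),
]

# Ruleset after the correction: deny to my_nets (the other LANs),
# then allow TCP/80 to everything that is not a local network.
CORRECTED = [
    rule("deny", "any", LAN1, MY_NETS, "*"),
    rule("allow", "tcp", LAN1, MY_NETS, 80, negate_dst=True),
]


def wan_subnet_would_match(dst):
    """Why 'Destination: WAN Subnet' never matched Internet traffic."""
    return ip_address(dst) in WAN_SUBNET


if __name__ == "__main__":
    print("Internet host inside WAN Subnet:", wan_subnet_would_match(INTERNET_HOST))
    for name, rs in (("first posted", FIRST_POSTED), ("corrected", CORRECTED)):
        print(name, "LAN1 -> Internet:80 =",
              evaluate(rs, "tcp", "192.168.0.10", INTERNET_HOST, 80))
        print(name, "LAN1 -> LAN2:80     =",
              evaluate(rs, "tcp", "192.168.0.10", LAN2_HOST, 80))
```

Running it shows the first posted order denying LAN1 to the Internet on port 80 (the deny on !my_nets wins first), while the corrected order allows it and still denies LAN1 to LAN2; anything not explicitly opened, such as port 443, falls through to the implicit deny in both cases.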