Lan,OPT1,OPT2 firewall rules

Hello
Im gonna set up a guest vlan (opt1) and a server vlan (opt2) and I want no access between the VLAN`s . Im gonna juse these rules for my firewall settings:
http://blog.stefcho.eu/wp-content/uploads/2011/06/pfSense-2.0-RC1-Configure-Captive-Portal-for-Guests-FireWall-Rules-00.png
Is there more ports/rules I need to get a full isolation between lan,opt1, and opt2 (can I juse the same rules for opt2 to get this full isolated from lan,and opt1)?

Thanks

stephenw10

That’s a strange set of rules, most of those are superfluous.
The default behaviour of the firewall is block everything. If you don’t add rules to an interface then no traffic can enter.
The LAN interface has a default rule, allow traffic from LAN to any, which allows traffic from clients on LAN to anywhere. This includes your other subnets/interfaces OPT1, OPT2 etc. Therefore in order to have isolation between subnets you need to have rules that only allow traffic with destination: somewhere on the internet.

I have a similar setup. I have two interfaces with wifi AP attached to them that have internet access but cannot access the other local subnets.
Here is what I did.
First, to make the rules easier to read and modify, I created an alias that contains all my local subnets. See pic attached.
Then I created a firewall rule that allows traffic from the interface subnet with destination not LOCAL. See pic attached. I have the gateway set because I am using multi-wan but leave it as default if not. In addition to that rule I have a rule to allow access to the DNS forwarder on my pfSense box. If you aren’t using the DNS forwarder you don’t need that but by default you will be.

Similar rules on your OPT1 and OPT2 interfaces will achieve the isolation you require. You will also have to modify the default LAN to any rule accordingly.

Steve

Hi

First thank you for your feedback.
That’s a strange set of rules, most of those are superfluous.
1.The default behaviour of the firewall is block everything. If you don’t add rules to an interface then no traffic can enter.
Without some form of firewall rules, I tried to access a machine on Lan from OPT1 this went through souldn this be disallowed as default?
2.The LAN interface has a default rule, allow traffic from LAN to any, which allows traffic from clients on LAN to anywhere. This includes your other subnets/interfaces OPT1, OPT2 etc. Therefore in order to have isolation between subnets you need to have rules that only allow traffic with destination: somewhere on the internet.
Ok, is the only thing I have to do is to use the last rule in your wifi2rules.jpg on all my LAN`S including default LAN to block acess between them?
3.I have a similar setup. I have two interfaces with wifi AP attached to them that have internet access but cannot access the other local subnets.
4.Here is what I did.
First, to make the rules easier to read and modify, I created an alias that contains all my local subnets. See pic attached.
Then I created a firewall rule that allows traffic from the interface subnet with destination not LOCAL. See pic attached. I have the gateway set because I am using multi-wan but leave it as default if not. In addition to that rule I have a rule to allow access to the DNS forwarder on my pfSense box. If you aren’t using the DNS forwarder you don’t need that but by default you will be.
With the rules I linked to in my first post I didnt need the DNS forward rule you have set up, it worked without!
5.Similar rules on your OPT1 and OPT2 interfaces will achieve the isolation you require. You will also have to modify the default LAN to any rule accordingly.
Do I use the last rule on deafult LAN (wifi2rules.jpg) to prevent deault Lan users to acess OPT1 and OPT2?
Why do I need rules for my default LAN when I have added a rule for my op1 and opt2 to not acess the defalut lan, shouldt the block work both ways?
6.Is there more rules I need to set a server on one of my OPT lans? Is it only to add the ports I want outside (wan) to the OPT lan interface afterwards?
7. I cant see that you have blocked acess to your web gui?
8. Why isnt pfense like smoothwall and ipcop, there is it possible to set up red,green (local lan) orange (servers) purple? (guest lan)

Thanks!

wallabybob

@Bebopper:

5.Similar rules on your OPT1 and OPT2 interfaces will achieve the isolation you require. You will also have to modify the default LAN to any rule accordingly.
Do I use the last rule on deafult LAN (wifi2rules.jpg) to prevent deault Lan users to acess OPT1 and OPT2?
Why do I need rules for my default LAN when I have added a rule for my op1 and opt2 to not acess the defalut lan, shouldt the block work both ways?

I suggest you retain the default LAN firewall rule and add rules “above” the default to block unwanted access from LAN. In pfSense firewall rules are applied on the interface on which the connection is received and processed “top down” until the incoming connect matches a rule. A firewall rule on OPT1 can’t block connections entering the firewall on the LAN interface. Secondly, “asymmetric” blocking behaviour is often required: for example, allow everything from LAN to WAN, block everything from WAN to LAN.

@Bebopper:

6.Is there more rules I need to set a server on one of my OPT lans? Is it only to add the ports I want outside (wan) to the OPT lan interface afterwards?

Perhaps you want port forwards to direct incoming connections on the WAN interface to a particular ports to particular port specific servers. Once such port forwards are setup appropriate firewall rules are also setup.

stephenw10

@Bebopper:

8. Why isnt pfense like smoothwall and ipcop, there is it possible to set up red,green (local lan) orange (servers) purple? (guest lan)

Ah good question!
Because pfSense is a far more scalable and flexible firewall.
In pfSense you are not limited to one ‘orange’ interface and one ‘green’. Any interface can be a LAN or DMZ (or WAN) depending on how you configure it.

Would it be possible to edit your post above to separate my post from your responses? I am struggling to read it.

Steve

Hi

First thank you for your feedback.
That’s a strange set of rules, most of those are superfluous.
1.The default behaviour of the firewall is block everything. If you don’t add rules to an interface then no traffic can enter.
Without some form of firewall rules, I tried to access a machine on Lan from OPT1 this went through souldn this be disallowed as default?
2.The LAN interface has a default rule, allow traffic from LAN to any, which allows traffic from clients on LAN to anywhere. This includes your other subnets/interfaces OPT1, OPT2 etc. Therefore in order to have isolation between subnets you need to have rules that only allow traffic with destination: somewhere on the internet.
Ok, is the only thing I have to do is to use the last rule in your wifi2rules.jpg on all my LAN`S including default LAN to block acess between them?
3.I have a similar setup. I have two interfaces with wifi AP attached to them that have internet access but cannot access the other local subnets.
4.Here is what I did.
First, to make the rules easier to read and modify, I created an alias that contains all my local subnets. See pic attached.
Then I created a firewall rule that allows traffic from the interface subnet with destination not LOCAL. See pic attached. I have the gateway set because I am using multi-wan but leave it as default if not. In addition to that rule I have a rule to allow access to the DNS forwarder on my pfSense box. If you aren’t using the DNS forwarder you don’t need that but by default you will be.
With the rules I linked to in my first post I didnt need the DNS forward rule you have set up, it worked without!
5.Similar rules on your OPT1 and OPT2 interfaces will achieve the isolation you require. You will also have to modify the default LAN to any rule accordingly.
Do I use the last rule on deafult LAN (wifi2rules.jpg) to prevent deault Lan users to acess OPT1 and OPT2?
Why do I need rules for my default LAN when I have added a rule for my op1 and opt2 to not acess the defalut lan, shouldt the block work both ways?
6.Is there more rules I need to set a server on one of my OPT lans? Is it only to add the ports I want outside (wan) to the OPT lan interface afterwards?
7. I cant see that you have blocked acess to your web gui?
8. Why isnt pfense like smoothwall and ipcop, there is it possible to set up red,green (local lan) orange (servers) purple? (guest lan)

Thanks!

@stephenw10:

@Bebopper:

8. Why isnt pfense like smoothwall and ipcop, there is it possible to set up red,green (local lan) orange (servers) purple? (guest lan)

Ah good question!
Because pfSense is a far more scalable and flexible firewall.
In pfSense you are not limited to one ‘orange’ interface and one ‘green’. Any interface can be a LAN or DMZ (or WAN) depending on how you configure it.

Would it be possible to edit your post above to separate my post from your responses? I am struggling to read it.

Steve

Yes but it have been nice if it have been a extra option. pfense should make some “default” settings

pfsense should have different default settings remain in the software so that we novices could use these and set up the red, green, orange (separate network) autmatic!. It can not possibly take much room to put this in pfsense so that it supposedly fast and easy to get a “standard” firewall to the home. For example red: wan, green: isolated local network, blue: isolated guest net, orange: isolated server, so it could possibly several types of each set by how many network cards you then had available in the firewall! but believe most people are looking for the solution that I describe here! It should be mentioned that this should have every opportunity to just load the layout you want! Certainly someone on the forum would like to create something like this: P?

thanks

stephenw10

@Bebopper:

Without some form of firewall rules, I tried to access a machine on Lan from OPT1 this went through souldn this be disallowed as default?

If you have no firewall rules on OPT1 at all you should not be able to access anything from OPT1. Everything is blocked by default. If you have recently removed rules you may have to clear the state table or reboot.

@Bebopper:

Ok, is the only thing I have to do is to use the last rule in your wifi2rules.jpg on all my LAN`S including default LAN to block acess between them?

Yes that will block access between them because it only allows access to not LOCAL addresses.

@Bebopper:

With the rules I linked to in my first post I didnt need the DNS forward rule you have set up, it worked without!

That’s because those rules do not block access to the DNS forwarder. In that case you are allowing access to everywhere that is not LAN, that includes the DNS forwarder at the GUEST address.

@Bebopper:

Do I use the last rule on deafult LAN (wifi2rules.jpg) to prevent deault Lan users to acess OPT1 and OPT2?
Why do I need rules for my default LAN when I have added a rule for my op1 and opt2 to not acess the defalut lan, shouldt the block work both ways?

You can use the same !LOCAL rule on LAN or as Wallabybob said above you can leave the default rules and add specific block rules above it. Personally I prefer to have as few rules as I can to achieve the same result.
The existing rules on OPT1-2 will not block traffic from LAN because the firewall rules only filter packets coming into the interface. Once a packet is inside pfSense it can exit on any interface.

@Bebopper:

6.Is there more rules I need to set a server on one of my OPT lans? Is it only to add the ports I want outside (wan) to the OPT lan interface afterwards?

As Wallabybob said if you want to run, for example, a web server and have it publically available you need to setup a port forward which will add the appropriate firewall rules for you.

@Bebopper:

7. I cant see that you have blocked acess to your web gui?

I have allowed access only to addresses which are not local (!LOCAL). Since the pfSense webGUI is a local address it is blocked.

It is very unlikely that you will every pfSense using ‘colours’ for interfaces. It is considered somewhat crude. A bit ‘my first firewall’!
The default setup is one WAN and one LAN in which the firewall rules and DHCP server are all setup for you. I suppose it could be possible to choose from a number of common templates when you install to get you started. As I said pfSense is far more scalable, you can’t please everyone all the time, colour coded interfaces just don’t make sense on a box with 50 interfaces.

Steve

k6usy

It can also be useful to put Reject all rules at the end of the list of rules for internal interfaces. This is to catch packets not allows but another rule up the list. I do this so connection attempts to other interfaces are actively rejected and you don’t have to wait for things to time out. The default blocking rules for traffic coming in from the internet is good; you don’t want to send reject packets over the internet. Not saying everyone needs to do this; just what I prefer.

Ok

Can I use this adresses for my isolated lans:
Lan:192.168.1.1/24 netmask 255.255.255.0
Opt1:192.168.2.1/24 netmask 255.255.255.0
Opt2:192.168.3.1/24 netmask 255.255.255.0

Or do I need to spread them more, and use different netmask?

Thanks

wallabybob

If you expect to have more than about 250 computers on any of those LANs you will need to adjust the netmask to accommodate the additional computers and possibly adjust the base address of the network on some networks.

Ok

So the netmask cannot be hacked in anyways? Its “hidden” for the users and cannot transport anything?

Thanks!

stephenw10

Nope.
I think you may have misunderstood what the netmask is.
The netmask is simply how the IP protocol defines the subnet that each machine is in, what other addresses it can talk to. See: http://www.computerhope.com/jargon/n/netmask.htm

Steve