    Lan,OPT1,OPT2 firewall rules

    General pfSense Questions
      Guest

      Hello
      I'm going to set up a guest VLAN (OPT1) and a server VLAN (OPT2), and I want no access between the VLANs. I'm going to use these rules for my firewall settings:
      http://blog.stefcho.eu/wp-content/uploads/2011/06/pfSense-2.0-RC1-Configure-Captive-Portal-for-Guests-FireWall-Rules-00.png
      Are there more ports/rules I need to get full isolation between LAN, OPT1 and OPT2 (can I use the same rules for OPT2 to get it fully isolated from LAN and OPT1)?

      Thanks

        stephenw10 (Netgate Administrator)

        That's a strange set of rules; most of those are superfluous.
        The default behaviour of the firewall is block everything. If you don't add rules to an interface then no traffic can enter.
        The LAN interface has a default rule, allow traffic from LAN to any, which allows traffic from clients on LAN to anywhere. This includes your other subnets/interfaces OPT1, OPT2 etc. Therefore in order to have isolation between subnets you need to have rules that only allow traffic with destination: somewhere on the internet.

        I have a similar setup. I have two interfaces with wifi AP attached to them that have internet access but cannot access the other local subnets.
        Here is what I did.
        First, to make the rules easier to read and modify, I created an alias that contains all my local subnets. See pic attached.
        Then I created a firewall rule that allows traffic from the interface subnet with destination not LOCAL. See pic attached. I have the gateway set because I am using multi-wan but leave it as default if not. In addition to that rule I have a rule to allow access to the DNS forwarder on my pfSense box. If you aren't using the DNS forwarder you don't need that but by default you will be.

        Similar rules on your OPT1 and OPT2 interfaces will achieve the isolation you require. You will also have to modify the default LAN to any rule accordingly.

        Steve

        [attachment: aliases.jpg]
        [attachment: wifi2rules.jpg]

          Guest

          Hi

          First, thank you for your feedback.

          @stephenw10: That's a strange set of rules, most of those are superfluous.

          1. @stephenw10: The default behaviour of the firewall is block everything. If you don't add rules to an interface then no traffic can enter.
          Without any form of firewall rules, I tried to access a machine on LAN from OPT1 and this went through. Shouldn't this be disallowed by default?

          2. @stephenw10: The LAN interface has a default rule, allow traffic from LAN to any, which allows traffic from clients on LAN to anywhere. This includes your other subnets/interfaces OPT1, OPT2 etc. Therefore in order to have isolation between subnets you need to have rules that only allow traffic with destination: somewhere on the internet.
          OK, so is the only thing I have to do to use the last rule in your wifi2rules.jpg on all my LANs, including the default LAN, to block access between them?

          3. @stephenw10: I have a similar setup. I have two interfaces with wifi AP attached to them that have internet access but cannot access the other local subnets.

          4. @stephenw10: Here is what I did. First, to make the rules easier to read and modify, I created an alias that contains all my local subnets. See pic attached. Then I created a firewall rule that allows traffic from the interface subnet with destination not LOCAL. See pic attached. I have the gateway set because I am using multi-wan but leave it as default if not. In addition to that rule I have a rule to allow access to the DNS forwarder on my pfSense box. If you aren't using the DNS forwarder you don't need that but by default you will be.
          With the rules I linked to in my first post I didn't need the DNS forwarder rule you have set up; it worked without it!

          5. @stephenw10: Similar rules on your OPT1 and OPT2 interfaces will achieve the isolation you require. You will also have to modify the default LAN to any rule accordingly.
          Do I use the last rule on the default LAN (wifi2rules.jpg) to prevent default LAN users from accessing OPT1 and OPT2?
          Why do I need rules for my default LAN when I have added a rule for my OPT1 and OPT2 to not access the default LAN? Shouldn't the block work both ways?

          6. Are there more rules I need to set up a server on one of my OPT LANs? Is it only a matter of adding the ports I want from outside (WAN) to the OPT LAN interface afterwards?
          7. I can't see that you have blocked access to your web GUI?
          8. Why isn't pfSense like Smoothwall and IPCop, where it is possible to set up red, green (local LAN), orange (servers), purple (guest LAN)?

          Thanks!

            wallabybob

            @Bebopper:

            5. Similar rules on your OPT1 and OPT2 interfaces will achieve the isolation you require. You will also have to modify the default LAN to any rule accordingly.
            Do I use the last rule on the default LAN (wifi2rules.jpg) to prevent default LAN users from accessing OPT1 and OPT2?
            Why do I need rules for my default LAN when I have added a rule for my OPT1 and OPT2 to not access the default LAN? Shouldn't the block work both ways?

            I suggest you retain the default LAN firewall rule and add rules "above" the default to block unwanted access from LAN. In pfSense firewall rules are applied on the interface on which the connection is received and processed "top down" until the incoming connection matches a rule. A firewall rule on OPT1 can't block connections entering the firewall on the LAN interface. Secondly, "asymmetric" blocking behaviour is often required: for example, allow everything from LAN to WAN, block everything from WAN to LAN.

            @Bebopper:

            6.Is there more rules I need to set a server on one of my OPT lans? Is it only to add the ports I want outside (wan) to the OPT lan interface afterwards?

            Perhaps you want port forwards to direct incoming connections on the WAN interface on particular ports to particular port-specific servers. Once such port forwards are set up, appropriate firewall rules are also set up.

              stephenw10 (Netgate Administrator)

              @Bebopper:

              8. Why isn't pfSense like Smoothwall and IPCop, where it is possible to set up red, green (local LAN), orange (servers), purple (guest LAN)?

              Ah good question!  :)
              Because pfSense is a far more scalable and flexible firewall.
              In pfSense you are not limited to one 'orange' interface and one 'green'. Any interface can be a LAN or DMZ (or WAN) depending on how you configure it.

              Would it be possible to edit your post above to separate my post from your responses? I am struggling to read it.  ;)

              Steve

                  Guest

                  @stephenw10:

                  @Bebopper:

                  8. Why isn't pfSense like Smoothwall and IPCop, where it is possible to set up red, green (local LAN), orange (servers), purple (guest LAN)?

                  Ah good question!  :)
                  Because pfSense is a far more scalable and flexible firewall.
                  In pfSense you are not limited to one 'orange' interface and one 'green'. Any interface can be a LAN or DMZ (or WAN) depending on how you configure it.

                  Would it be possible to edit your post above to separate my post from your responses? I am struggling to read it.  ;)

                  Steve

                  Yes, but it would have been nice if it had been an extra option. pfSense should make some "default" settings.

                  pfSense should have different default settings built into the software so that we novices could use them and set up the red, green, orange (separate network) layout automatically! It cannot possibly take much room to put this in pfSense, so that it is fast and easy to get a "standard" firewall for the home. For example red: WAN, green: isolated local network, blue: isolated guest net, orange: isolated server; there could possibly be several of each type, depending on how many network cards you have available in the firewall! I believe most people are looking for the solution I describe here! It should be mentioned that you should have every opportunity to just load the layout you want! Surely someone on the forum would like to create something like this :P?

                  thanks

                    stephenw10 (Netgate Administrator)

                    @Bebopper:

                    Without any form of firewall rules, I tried to access a machine on LAN from OPT1 and this went through. Shouldn't this be disallowed by default?

                    If you have no firewall rules on OPT1 at all you should not be able to access anything from OPT1. Everything is blocked by default. If you have recently removed rules you may have to clear the state table or reboot.

                    @Bebopper:

                    OK, so is the only thing I have to do to use the last rule in your wifi2rules.jpg on all my LANs, including the default LAN, to block access between them?

                    Yes that will block access between them because it only allows access to not LOCAL addresses.

                    @Bebopper:

                    With the rules I linked to in my first post I didn't need the DNS forwarder rule you have set up; it worked without it!

                    That's because those rules do not block access to the DNS forwarder. In that case you are allowing access to everywhere that is not LAN, that includes the DNS forwarder at the GUEST address.

                    @Bebopper:

                    Do I use the last rule on the default LAN (wifi2rules.jpg) to prevent default LAN users from accessing OPT1 and OPT2?
                    Why do I need rules for my default LAN when I have added a rule for my OPT1 and OPT2 to not access the default LAN? Shouldn't the block work both ways?

                    You can use the same !LOCAL rule on LAN or as Wallabybob said above you can leave the default rules and add specific block rules above it. Personally I prefer to have as few rules as I can to achieve the same result.
                    The existing rules on OPT1-2 will not block traffic from LAN because the firewall rules only filter packets coming into the interface. Once a packet is inside pfSense it can exit on any interface.

                    @Bebopper:

                    6. Are there more rules I need to set up a server on one of my OPT LANs? Is it only a matter of adding the ports I want from outside (WAN) to the OPT LAN interface afterwards?

                    As Wallabybob said, if you want to run, for example, a web server and have it publicly available you need to set up a port forward, which will add the appropriate firewall rules for you.

                    @Bebopper:

                    7. I can't see that you have blocked access to your web GUI?

                    I have allowed access only to addresses which are not local (!LOCAL). Since the pfSense webGUI is a local address it is blocked.

                    It is very unlikely that you will ever see pfSense using 'colours' for interfaces. It is considered somewhat crude. A bit 'my first firewall'!  ;)
                    The default setup is one WAN and one LAN in which the firewall rules and DHCP server are all set up for you. I suppose it could be possible to choose from a number of common templates when you install to get you started. As I said, pfSense is far more scalable; you can't please everyone all the time, and colour-coded interfaces just don't make sense on a box with 50 interfaces.

                    Steve

                      k6usy

                      It can also be useful to put Reject all rules at the end of the list of rules for internal interfaces. This is to catch packets not allowed by another rule up the list. I do this so connection attempts to other interfaces are actively rejected and you don't have to wait for things to time out. The default blocking rules for traffic coming in from the internet are good; you don't want to send reject packets over the internet. Not saying everyone needs to do this; just what I prefer.

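The rule semantics the thread keeps coming back to (rules only filter packets entering an interface, top down, first match wins, default block; Steve's LOCAL alias with the "not LOCAL" pass rule and the DNS forwarder rule; k6usy's trailing reject) as an added Python model. This is not code from the thread or from pfSense; the 192.168.x.0/24 plan, the client addresses and the Rule fields are constructed assumptions mirroring the setup discussed above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed addressing plan using the /24s from the thread; .1 on each is pfSense.
SUBNETS = {n: ipaddress.ip_network(c) for n, c in
           [("LAN", "192.168.1.0/24"), ("OPT1", "192.168.2.0/24"), ("OPT2", "192.168.3.0/24")]}
FW_ADDR = {n: net.network_address + 1 for n, net in SUBNETS.items()}
LOCAL = list(SUBNETS.values())          # the "LOCAL" alias: every local subnet

@dataclass
class Rule:
    iface: str                          # only packets ENTERING this interface are tested
    action: str                         # "pass", "block" or "reject"
    dst_local: Optional[bool] = None    # None = any, False = "not LOCAL", True = LOCAL
    dst_port: Optional[int] = None      # None = any port
    dst_firewall: bool = False          # destination is this interface's own address

def in_local(ip) -> bool:
    return any(ip in net for net in LOCAL)

def evaluate(rules, iface, src, dst, port) -> str:
    """Ingress interface only, top down, first match wins; no match means block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface != iface or src not in SUBNETS[iface]:   # source: "<iface> net"
            continue
        if r.dst_firewall and dst != FW_ADDR[iface]:
            continue
        if r.dst_local is not None and in_local(dst) != r.dst_local:
            continue
        if r.dst_port is not None and port != r.dst_port:
            continue
        return r.action
    return "block"

def isolated_rules(iface):
    """Steve's two rules plus k6usy's trailing reject, for one isolated interface."""
    return [Rule(iface, "pass", dst_port=53, dst_firewall=True),   # DNS forwarder on pfSense
            Rule(iface, "pass", dst_local=False),                  # anything that is not LOCAL
            Rule(iface, "reject")]                                 # fail fast instead of timing out

DEFAULT_LAN = [Rule("LAN", "pass")]      # the stock "LAN to any" rule, left unmodified
RULES = isolated_rules("OPT1") + isolated_rules("OPT2") + DEFAULT_LAN

def demo():
    g = "192.168.2.50"                  # a guest client on OPT1 (constructed)
    return {
        "guest_to_internet": evaluate(RULES, "OPT1", g, "203.0.113.9", 443),
        "guest_to_lan_host": evaluate(RULES, "OPT1", g, "192.168.1.10", 445),
        "guest_dns": evaluate(RULES, "OPT1", g, "192.168.2.1", 53),
        "guest_webgui": evaluate(RULES, "OPT1", g, "192.168.2.1", 443),
        # OPT1's rules never see this packet: it enters on LAN, where "LAN to any" passes it
        "lan_to_guest": evaluate(RULES, "LAN", "192.168.1.10", g, 22),
        "lan_to_guest_fixed": evaluate(isolated_rules("LAN"), "LAN", "192.168.1.10", g, 22),
    }
```

The last two cases show the asymmetry wallabybob and Steve describe: the untouched "LAN to any" rule still lets LAN reach OPT1 until LAN gets its own !LOCAL rules.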
                        Guest

                        Ok

                        Can I use these addresses for my isolated LANs:
                        LAN: 192.168.1.1/24  netmask 255.255.255.0
                        OPT1: 192.168.2.1/24 netmask 255.255.255.0
                        OPT2: 192.168.3.1/24 netmask 255.255.255.0

                        Or do I need to spread them out more, and use a different netmask?

                        Thanks

                          wallabybob

                          If you expect to have more than about 250 computers on any of those LANs you will need to adjust the netmask to accommodate the additional computers and possibly adjust the base address of the network on some networks.

                            Guest

                            Ok

                            So the netmask cannot be hacked in any way? It's "hidden" from the users and cannot transport anything?

                            Thanks!

                              stephenw10 (Netgate Administrator)

                              Nope.
                              I think you may have misunderstood what the netmask is.
                              The netmask is simply how the IP protocol defines the subnet that each machine is in, what other addresses it can talk to. See: http://www.computerhope.com/jargon/n/netmask.htm

                              Steve

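An added Python check (not from the thread) for the addressing plan in the last few posts: it reports the netmask and client capacity of each /24, gives the prefix needed for a larger host count, and flags overlapping subnets, since the netmask only defines which addresses a host treats as its own subnet. PLAN holds the three interface addresses proposed above.

```python
import ipaddress
import math

# Constructed plan using the three /24s from the thread; the .1 on each is pfSense itself.
PLAN = {"LAN": "192.168.1.1/24", "OPT1": "192.168.2.1/24", "OPT2": "192.168.3.1/24"}

def usable_clients(cidr: str) -> int:
    """Addresses left for clients after network, broadcast and the firewall's own address."""
    return ipaddress.ip_interface(cidr).network.num_addresses - 3

def prefix_for(clients: int) -> int:
    """Longest prefix (largest netmask) that still fits this many clients plus pfSense."""
    return 32 - math.ceil(math.log2(clients + 3))

def overlaps(plan: dict) -> list:
    """Pairs of interfaces whose subnets overlap. Overlapping ranges would leave hosts
    unsure which addresses are on-link, so an isolation plan must not contain any."""
    nets = {name: ipaddress.ip_interface(c).network for name, c in plan.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def summarize(plan: dict) -> dict:
    """Netmask and client capacity per interface; raises if any two subnets overlap."""
    bad = overlaps(plan)
    if bad:
        raise ValueError(f"overlapping subnets: {bad}")
    return {name: {"netmask": str(ipaddress.ip_interface(c).netmask),
                   "clients": usable_clients(c)} for name, c in plan.items()}
```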
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.