Allow-all to Internet but deny traffic between LANs: is there a better way?
-
I currently have a pfSense set up in a deployment where I have multiple LAN subnets connected to the same pfSense box as well as one connection to the Internet. Each LAN subnet belongs to a different customer and these customers should be isolated from each other. At the same time, these subnets should be permitted access to other machines on the Internet.
The way I've hacked this together for now, which is working, although it's a kludge, is that I have an alias for RFC1918 addresses. When I want to permit traffic "to the internet" I just do Destination Address ≠ RFC1918. Now, this works, but it's a bit of a kludge. It only works as long as all the LAN subnets are in fact NATed RFC1918 subnets, for one, which may not always be the case.
I can see a few possible alternative ways of solving this.
0. Do nothing, just keep it the way it is.
It works, and is mostly predictable as long as you keep in your mind not to attach any non-RFC1918 subnets (except for the WAN side of course) to the firewall. When the time comes to migrate to IPv6, you might instead exclude the supernet for your ISP allocation from your default-allow.
1. Use policy routing in your default-allow rule to force any default-matched traffic to exit on the WAN gateway.
This has a few problems however, most specifically, it won't work with a multi-WAN scenario. And in general just using policy routing in such a blanket manner to me at least is inviting problems and causing a solution that doesn't work in a way you might expect.
2. Try to use floating rules
The problem with Floating Rules is that it seems that you can select either to match the ingress interface or the egress interface, but it's not possible to specify both. So you'd have to have a common policy for WAN access across all customers, which might not be what you want.
3. Add support for filtering on egress interface when adding a firewall rule
This to me would seem to be the best solution that would actually let you accomplish what I want to do. Unfortunately, it also means development work, maintaining a fork of pfSense internally until such time that it reaches upstream and all the headaches that includes.
At the moment option 3 seems like the nicest option. Is there an option 4 or above that I'm missing? (Excluding for the purposes of this discussion the possibilities of using separate pfSense instances for every customer, or using some other solution than pfSense.)
-
Well, I would have an alias for each subnet. In that I would put the IP ranges of all the other LANs. I would then create a rule on that LAN that says !MyLANAlias, allow. This will block all access between the LANs but allow traffic to the internet.
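As an added example (not part of the question or the answer above), here is a small Python model of pfSense per-interface rules that puts the question's option 0 (pass to "!RFC1918") next to the answer's approach (per LAN, an alias of all the other LANs and a single pass rule to "!that alias") and checks both for inter-LAN leaks. The interface names, the three customer subnets (one of them deliberately a public documentation prefix, 203.0.113.0/24, to model the non-RFC1918 case the question worries about), the outside host 198.51.100.10 and the alias names are all constructed for illustration; the evaluator only models interface-tab rules with first match and pfSense's implicit default deny, not floating rules or IPv6.

```python
"""Added example, not from the original post: model pfSense interface rules and
compare the '!RFC1918' shortcut with the 'alias of the other LANs' approach.
All names, prefixes and flows below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed topology: three customer LANs on one box. CUST_C uses a public
# (documentation) prefix rather than RFC1918 space on purpose.
CUSTOMER_LANS: Dict[str, IPv4Network] = {
    "CUST_A": ip_network("10.10.0.0/24"),
    "CUST_B": ip_network("192.168.20.0/24"),
    "CUST_C": ip_network("203.0.113.0/24"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    """One rule on an interface tab. dst=None means 'any'; dst_invert models
    the '!' / 'Invert match' checkbox on the destination field."""
    action: str                       # "pass" or "block"
    src: IPv4Network
    dst: Optional[List[IPv4Network]]
    dst_invert: bool = False
    comment: str = ""

    def matches(self, s: IPv4Address, d: IPv4Address) -> bool:
        if s not in self.src:
            return False
        if self.dst is None:
            return True
        in_dst = any(d in n for n in self.dst)
        return (not in_dst) if self.dst_invert else in_dst


def rfc1918_policy(lans: Dict[str, IPv4Network]) -> Dict[str, List[Rule]]:
    """Option 0 from the question: on each LAN, pass LAN -> !RFC1918."""
    return {name: [Rule("pass", net, RFC1918, dst_invert=True,
                        comment=f"{name}: pass to !RFC1918")]
            for name, net in lans.items()}


def alias_policy(lans: Dict[str, IPv4Network]) -> Dict[str, List[Rule]]:
    """The answer's approach: per LAN, an alias holding every *other* LAN and
    one rule pass LAN -> !alias. Aliases are derived from the LAN table, so
    adding a LAN regenerates all of them (hypothetical alias name OtherLANs_*)."""
    policy: Dict[str, List[Rule]] = {}
    for name, net in lans.items():
        others = [n for other, n in lans.items() if other != name]
        policy[name] = [Rule("pass", net, others, dst_invert=True,
                             comment=f"{name}: pass to !OtherLANs_{name}")]
    return policy


def evaluate(rules: List[Rule], s: str, d: str) -> str:
    """First-match evaluation with the implicit default deny."""
    src, dst = ip_address(s), ip_address(d)
    for r in rules:
        if r.matches(src, dst):
            return r.action
    return "block"


def inter_lan_leaks(policy: Dict[str, List[Rule]],
                    lans: Dict[str, IPv4Network]) -> List[Tuple[str, str]]:
    """Self-check: ordered LAN pairs whose first host can reach the other LAN's
    first host. A correctly isolated deployment returns an empty list."""
    leaks = []
    for a, na in lans.items():
        for b, nb in lans.items():
            if a != b and evaluate(policy[a], str(na[1]), str(nb[1])) == "pass":
                leaks.append((a, b))
    return leaks


def internet_reachable(policy: Dict[str, List[Rule]],
                       lans: Dict[str, IPv4Network],
                       host: str = "198.51.100.10") -> bool:
    """Every LAN must still reach an outside host (constructed address)."""
    return all(evaluate(policy[n], str(net[1]), host) == "pass"
               for n, net in lans.items())


if __name__ == "__main__":
    for label, pol in (("rfc1918", rfc1918_policy(CUSTOMER_LANS)),
                       ("alias", alias_policy(CUSTOMER_LANS))):
        print(label, "leaks:", inter_lan_leaks(pol, CUSTOMER_LANS),
              "internet ok:", internet_reachable(pol, CUSTOMER_LANS))
```

Running it shows the difference the question describes: with the RFC1918 shortcut, CUST_A and CUST_B can reach the public CUST_C subnet, because it is simply "not RFC1918", while the per-LAN alias approach reports no leaks and still passes traffic to the outside host. The practical caveat with the answer's approach is that every alias must list every other LAN, so a check like inter_lan_leaks over the intended LAN table is worth running whenever a customer subnet is added or renumbered, before the rules go live.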