Seemingly simple firewall rules between VLANS



  • Gday All,

    Setup a PF build on some SandyBridge gear and some VLAN capable switches and the functionally has been blowing my mind. it has absorbed many weekends.

    I have some major gaps of understanding of firewall rules though. Have poured over the "definitive guide" plus a few other books as well as the Pf wiki and these forums. Have spent dozens of hours tweaking, testing, tweaking but still I’m missing something(s) The below being so basic has driven me to keep looking but alas, i think i may go nuts :)

    I have an Intel NIC set as WAN and another with a bunch of VLANS setup. The VLANs seem to be setup fine and have been working well for weeks through two HP 1810G's, its time to start fine tuning traffic between them.

    Ill outline basic a scenario that if I can get some help on will help with a few of these missing bits. I hope I don’t scare any potential helpers off by the size of the post, but I shall be precise and clear as possible with my questions :)

    There is a machine on VLAN interface LAN2 being handed 192.168.2.2 by DHCP
    I’m on a machine on VLAN LAN on 192.168.1.7. This is the interface I associated with the WAN on first setup.
    Being bit by the "stored states" when changing rules and using ping to test the effectiveness, I have just resorted to running uTorrent on the 2.2 machine with web gui, and then i hit a shortcut set to force that URL open in Internet Explorer so i can close, open, close, open to test (apologies of the noobness, but it works)

    1 - I can connect into 2.2 from 1.7 with NO rules setup on the LAN2 interface? To block this i would have thought logically I could stick a "block any to LAN2" rule on the LAN2 tab. This doesn’t work though. From documentation it seems one needs to create the rule on the interface from where the traffic is coming. In this case (as im on LAN, 1.7) this means putting a "block *  *  *  LAN2 net *  * none" in the LAN interface tab, above the default PF rule "allow  *  LAN net *  *  *  * none".. this works fine in practice.

    Q1 - Is this by design, or am i doing it wrong? I fear that if another VLAN is created, it has full access into LAN2 by default, until i put the above rule in its tab. If that rule gets disabled, or moved, I get traffic leakage into LAN2 (I admin this pfsense box with a housemate)

    2 - The 2.2 machine on LAN2 can’t reach the WWW nor any machine on LAN, cool. I fix that via adding a "allow  *  LAN2 net *  *  *  * none " but this allows access back into LAN as, which I don’t want.

    Q2 - Is this the best way to allow JUST www access to that subnet? It doesn’t work if I go “ allow * LAN2 net *  WAN net *  *  none “

    Q3 - If that rule is correct, then how do i block access back to the LAN network? I understand rules are run from top to bottom with the "widest" (bad terminology) at the base and then tweaks above it.

    Any assistance in terms of direct answers, concepts or points to documentation would be HUGELY appreciated!

    Thanks so much in advance

    Michael



  • 1- Q1 … Yes, pfSense applies first matching rule from the top down. This means that if a block rule is above a pass rule, the traffic will be blocked. The default rule allows traffic from LAN net to anywhere.

    Q2 - WAN net is just the WAN network and not the internet. Best rule here is what we call a "not" rule ... Meaning that is would be Allow * LAN2 net * !LAN net * ... This would say to allow any traffic that is not destined for LAN net. Meaning the internet. Or you can create a default allow rule like LAN and put a block rule above it to LAN net. Both methods accomplish the same thing.

    Q3 - Since the rule is incorrect, you need to adjust it to one of the methods above.

    Also, if you have changed outbound NAT any, you would need to adjust the subnets that are NATing. Automatic should work, but would test to make sure. I would even reboot before I went and used manual.

    If you have the book, everything you need for this type of setup is in there.



  • Thanks so much for your response podilarius!

    @podilarius:

    If you have the book, everything you need for this type of setup is in there.

    You would think so but iv read most of it twice, and the firewall section inst as helpful as i would have thought (maybe im just stupid'r) Lots of definitions of settings but no examples of how one would "layer or stack" them to achieve certain things.

    I will test your suggestions tonight

    Cheers

    M



  • Ok so i have played around with the "not" functionality of PF rules, and it works wel, but i still have a seemingly basic question.

    1 - In my above example where i have a vlan called "LAN2", I can allow it internet access but NOT access to LAN via the "allow * LAN2 * !LAN net * * non" which works, cool.

    Getting closer to my required configuration though, i want to allow it access to the internet and only that. I have have blocked all access into LAN2 via block rules on every other adaptor, but i cant figure out the rule required on the LAN2 interface that allows ONLY internet access and no other access to any other vlan :(

    Is the only way to allow LAN2 to * and then create multiple block rules above it for every existing vlan? Seems messy, surely i can allow LAN2 to only the vlan / interface that i need to ONLY get internet access.

    Again, dearly appreciate any input



  • I use aliases

    Network alias: including all other vlan subnets than the origin vlan if you have same vlan on multiple interfaces
    Rule: Allow * LAN2 to !"YOUR NEW ALIAS" * *



  • If you didn't want to use a "not" rule, then you would create an allow all, then use a block rule above it with an alias to all other networks.



  • Thanks Metu69salemi, but i dont see how alias's allow LAN2 access to the internet, and NO other VLAN.
    For all intensive purposes, i have blocked traffic from every vlan into this one. I have also blocked traffic leaving LAN2, going to ever other.
    I now only want to give this vlan internet access.

    It seems like it should be one rule?

    podilarius: Ahhh ok, so an allow, then many blocks above it is the only way? I thought there would be a single rule that would achive the same thing (I guess i thought it was as simple as "allow * LAN2 net * WAN net * * none"

    If that's the way people do it, then so be it!! Cant thank you enough for confirming!



  • This image might help you understand how aliases solve that:



  • rikar, I was just giving an alternative. GruensFroeschli gave a great example of Metu69salemi's suggestion. This is also the method I use. I have only 1 rule in the network I want to only give internet access. It is not quite as all encompassing as GruensFroeschli, but my alias does contain my other subnets. GruensFroeschli's is blocking access to all private ip ranges, which works very well.



  • Hi Guys,

    Finally had some more time to sit down with PF and both your comments and GruensFroeschli's screenshot have helped me understand how to set it up!

    Allow access to everywhere BUT an alias which contains all my internal LAN's.
    Then on top of top of that, im creating new rules to effectively "poke holes" through it for various services.
    So excited, thank you guys so much!!!
    _ Michael


Log in to reply