Netgate Discussion Forum
Rule to allow guest-net access internet only?

Firewalling
3 Posts 3 Posters 16.1k Views

    token47, last edited Aug 30, 2012, 4:45 AM (posted Aug 30, 2012, 4:28 AM)

    Hello!

    I have a pfSense 2.0.1 with 4 interfaces: WAN, LAN, LAN2 and GUEST. WAN has some port forwards (all working), LAN and LAN2 can access everything, and I would like the GUEST network to access the internet only.

    The problem is that while making LAN access everything is pretty easy, I'm having a hard time creating a rule that would allow guests to access only the internet.

    1. I cannot put a rule in the GUEST tab of the rules page because I don't know the destination, and it won't allow me to specify the WAN interface as the destination. I would specify ANY as the destination, obviously, but then the guests would be allowed to access my LANs as well. I could put a block before that rule, blocking access to my LAN/LAN2 nets and then permitting the rest, but that would be difficult to maintain, as I would have to list all my LAN interfaces' subnets and all the other subnets routed through them (with static routes), and keep it updated every time I create a new network that would be routed through the LAN or LAN2 interface or create another interface on the firewall. Also there are some dynamic interfaces, such as VPNs, that make it difficult to know every possible IP to block. I would really like to just say "pass all packets with the WAN interface as destination", much much much simpler.

    2. If I put the rule in the FLOATING tab instead, I can specify WAN as the destination interface, and I can specify that I want "out" as the direction. Perfect!! But it does not work. Literature on this is very scarce, but I read about packets being NATed already when this kind of rule is reached by the packets. And as I have only one external IP, I cannot differentiate the packets coming from the GUEST net if they are already NATed, so it is not useful (I wonder if this is useful for anyone). Also, I cannot believe that packets are NATed in the out direction on the WAN interface, because they are already de-NATed in the "in" direction, so it would be an inconsistency.

    So… no dice? That should be pretty simple to configure. I was using a Linux firewall until now, and that could be done with a "-o ethX" option on the iptables line. Is there an equivalent on pfSense?

    Thanks!
    Andre

      SeventhSon, last edited Aug 30, 2012, 9:18 AM

      You would create floating rules:
      DENY from GUEST SUBNET to LAN SUBNET
      DENY from LAN SUBNET to GUEST SUBNET
      and so on

        jimp (Rebel Alliance, Developer, Netgate), last edited Aug 30, 2012, 12:59 PM

        It can also be done with non-floating rules, but floating rules do work well and can be easier.

        Firewall > Aliases: make an rfc1918 alias that includes 192.168.0.0/16, 10.0.0.0/8 and 172.16.0.0/12

        And on the interface:

        Pass any from guest subnet to the services on the firewall they need to hit (maybe just tcp/udp 53 for DNS, maybe icmp, etc)
        Block any from guest subnet to the firewall's IP on guest subnet
        Pass any from guest subnet to guest subnet
        Block any from guest subnet to rfc1918
        Pass any from guest subnet to any

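To show why the order of the five rules above matters, here is a small first-match simulation of that GUEST rule set (pfSense interface-tab rules are evaluated first match wins). It is an added example, not code from pfSense or from anyone in this thread; the guest subnet 192.168.50.0/24 and the firewall's guest address 192.168.50.1 are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing for the example; adjust to your own GUEST interface.
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
GUEST_FW_IP = ipaddress.ip_network("192.168.50.1/32")   # firewall's IP on GUEST
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # the alias

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    protos: tuple = ("any",)          # protocols this rule matches
    dst: list = field(default_factory=list)   # destination networks, [] = any
    dports: tuple = ()                # destination ports, () = any
    note: str = ""

def build_guest_rules(block_rfc1918=True):
    """Rule order from jimp's post; block_rfc1918=False shows the leak without step 4."""
    rules = [
        Rule("pass", ("tcp", "udp"), [GUEST_FW_IP], (53,), "DNS on the firewall"),
        Rule("block", ("any",), [GUEST_FW_IP], (), "everything else on firewall's guest IP"),
        Rule("pass", ("any",), [GUEST_NET], (), "guest to guest"),
    ]
    if block_rfc1918:
        rules.append(Rule("block", ("any",), RFC1918, (), "guest to rfc1918 alias"))
    rules.append(Rule("pass", ("any",), [], (), "guest to any (internet)"))
    return rules

def matches(rule, proto, dst_ip, dport):
    if "any" not in rule.protos and proto not in rule.protos:
        return False
    if rule.dports and dport not in rule.dports:
        return False
    return not rule.dst or any(dst_ip in net for net in rule.dst)

def evaluate(rules, proto, dst, dport=0):
    """Return (action, note) of the first matching rule; no match means the default deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, proto, dst_ip, dport):
            return rule.action, rule.note
    return "block", "implicit default deny"

if __name__ == "__main__":
    for proto, dst, port in [("udp", "192.168.50.1", 53), ("tcp", "192.168.50.1", 22),
                             ("tcp", "192.168.1.10", 445), ("tcp", "10.8.0.5", 22),
                             ("tcp", "93.184.216.34", 443)]:
        print(proto, dst, port, "->", evaluate(build_guest_rules(), proto, dst, port))
```

Because the block uses the whole RFC 1918 space rather than a list of specific LAN and VPN subnets, new private networks routed through LAN or LAN2 are covered without editing the rule; any internal network that uses public address space would have to be added to the alias separately.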