Block rule (simple…) help wanted



  • Hello all,

    I have an issue: I cannot make a simple block rule work (I guess I cannot get the logic of it).

    Please check attached image.

    I have 2 networks (192.168.0.x and 192.168.1.x). I have a Mikrotik acting as router for both of these networks. I need the Mikrotik to be allowed only ports 80 and 443 (so the users on that side have Internet access) and nothing else. When the rule works, I will put a schedule on it in order to be active only for specific hours (and blocked for all the others).

    Mikrotik "internal" IP is 192.168.0.244 (this is where I need only ports 80 and 443 to be allowed)
    Mikrotik "external" IP is 192.168.1.244 (this is where the "external" clients are)

    I have read that pfsense needs to be restarted when creating rules for the states to get cleared?

    Best regards

    Kostas


  • LAYER 8 Global Moderator

    So you're double NATing?  Why, I have to ask??  There is rarely a good reason to be double NATing.

    Second, you have a destination of LAN net – so you want to block anything to LAN net, then you want to allow 80 and 443?  How does that make sense to you??

    Then above that rule you have a rule that says Mikrotik can go anywhere it wants per that schedule..

    You allow first, then block!

    Rules go from top down.

    So you would allow Mikrotik to go to 80 and 443 at not LAN net, or !LAN net, which would be the internet; then you would block it for everything.  So the rule allows 80 and 443 so they could get out, but if going to, say, 21, then the block-everything-from-Mikrotik rule would block them.

    What do you have in the alias?

    Mikrotik "internal" IP is 192.168.0.244 (here is that I need only ports 80 and 443 to be allowed)
    Mikrotik "external" IP is 192.168.1.244 (here are the "external" clients)

    What clients do you want to allow -- so you have this?

    public IP -- pfsense -- 192.168.1.0/? --- mikrotik --- 192.168.0.0/?

    So I am thinking 192.168.1.244 is the WAN IP of the Mikrotik, and 192.168.1.? is the pfSense LAN IP??  But you only want to allow 192.168.0.0/24 clients to get to 80?  I am guessing you're NATing here and pfSense would never see 192.168.0.0/24 IPs??  Maybe you're not NATing and just routing?



    Double NATing is bad, I know, so I will soon decommission the Mikrotik and use the pfSense for both of these networks. But for now I have to go with that…

    The scheduled rule is disabled, as you can see, and now the help needed is for the next 2 rules (with the green overlay).

    The Mikrotik alias is the internal IP of it (192.168.0.240).

    192.168.1.x clients -> mikrotik 192.168.1.244 - mikrotik 192.168.0.244 (NAT) - pfsense (192.168.0.239)

    Kostas


  • LAYER 8 Global Moderator

    "The Mikrotik alias is the internal IP of it (192.168.0.240)."

    And how will pfSense ever see traffic from 192.168.0.240??  You just stated that its IP on the 192.168.0.0/24 network is 192.168.0.244 - was that a typo?

    I already told you how to do rules!

    You allow, then block - and your rules say they cannot go to ANYTHING on LAN net (which would include the IP of pfSense) – Then you allow them, but they would never get to that rule to talk to the pfSense IP on 80 or 443, and they want to talk to internet IPs on 80, 443, do they not?

    You don't block before you allow, how would they ever get to the allow rule???

    Here I will draw you a picture: if all your clients are behind a NAT of 192.168.0.244, and you want them only to go to 80, 443, then your rules would be like this.  Keep in mind how 192.168.0.244 is going to look up DNS to be able to go to the URLs on 80 and 443.  You also have to allow them to use DNS (53 tcp/udp), or they have to be looking up DNS some other way.  You have to allow them to, say, talk to the pfSense LAN IP on 53 so that pfSense can look up DNS for them.

    If you then put that allow rule on a schedule, once the rule is off they would only hit the block rule.  Keep in mind that states already open would still be allowed.  So you might want to put in a cron job or something to reset your states at the time your schedule is OFF.

    And again - do not forget DNS, kind of a requirement to use the internet ;)

    BTW - you're cutting off the rest of your rules, what are they?




  • You are right…

    192.168.0.244 is the address and not .240 (typo).

    I will add DNS to the list...

    Below are all my LAN rules.

    Where do I set cron jobs for state deletion, and how do I delete states by hand in order to test the rule? (However, my goal is that no new states get created by someone during the night, when the schedule is in effect.)

    Best regards and thank you for your efforts.

    Kostas




  • Specifying the Source Port(s) in a firewall rule is almost always a mistake.



  • Thank you,

    So, I should permit -any- to -my desired- ports?

    Best regards

    Kostas


  • LAYER 8 Global Moderator

    So for states and schedules by default, at least in 2.1 under Advanced > Misc there is this check box, which is off by default:

    By default schedules clear the states of existing connections when the expiration time has come. This option overrides that behavior by not clearing states for existing connections.

    So when your schedule to allow expires - all states should be cleared, and since that rule is now not allowed, no new states should be able to be created until the schedule allows it again.  So you should be good from a states point of view.

    Your rules are still wrong.  As stated above, you normally never assign source ports; you never know what source port an application will be using, it's normally random above 1023.  Should have pointed that out to you before, but since I showed you exactly how the rules should look ;)



  • @costasppc:

    Thank you,

    So, I should permit -any- to -my desired- ports?

    Best regards

    Kostas

    The Source Port should be * (Any) just like the rest of your rules.



  • Thanks John,

    They are still wrong indeed, I haven't touched them yet…
    ;D



  • So, here are my revised rules.

    Clients can access the Internet, but they can also access other services, which they should not (I have permitted only ports 80, 443 and 53 in the Aliases).

    I have to mention that I haven't cleared the states. Is that the reason that they can access ports that they should not?

    If I disable the pass rule, then the clients cannot use the ports mentioned (80, 443 and 53), but can use any other port.

    Best regards

    Kostas

    ![Screen Shot 2013-05-08 at 19.30.45 ?.?..png](/public/imported_attachments/1/Screen Shot 2013-05-08 at 19.30.45 ?.?..png)


  • LAYER 8 Global Moderator

    Do you have rules below there?  And what does your source alias Mikrotik consist of?

    By default there should be a default BLOCK.  So if you're saying stuff is still getting out - then I would have to assume you have some rule they are matching below what you posted, or there is a current state allowing it.



  • Thank you,

    Below is my setup and another image with all my LAN rules.

    Mikrotik has two interfaces, one for each network.

    When do the states get cleared?

    Best regards

    Kostas





  • LAYER 8 Global Moderator

    Are these your current rules??

    You have webports as source for your allow rule there for Mikrotik - there is almost never a time that you set up a source port in a rule.  And only to the pfSense LAN address??  When is that going to happen, when they want to access the web GUI of pfSense?

    What happened to your deny all for Mikrotik??

    I didn't ask how many interfaces your Mikrotik had – I asked what is in the alias??  Your Mikrotik is doing NAT -- so your source IP should be, from your drawing, 192.168.0.244; use the IP vs an alias - for all I know your alias is not resolving, etc.



    The shot from the LAN rules was the old one (with the source ports).

    Here is the correct one.

    Yes, the Alias is the IP of the Mikrotik for the network that I need to protect (192.168.0.244).

    I will remove the alias and use the IP instead, if this is better.

    Best regards

    Kostas



  • LAYER 8 Global Moderator

    Still shows your alias vs the actual IP.  And since you have a default allow at the bottom - if your alias is not correct or doesn't match for some reason, when it hits the bottom it would be allowed out.



  • I have changed it now, but I am sure it does resolve fine.

    So, maybe I am doing it wrong, but here is how I check:

    I am checking port 548 TCP (AFP) from a machine on the 192.168.1.x network to a machine on the 192.168.0.x network, in order to see if blocking works, and since we have allowed only 80, 443 and 53, it is supposed not to have access.

    But it has.

    Kostas


  • LAYER 8 Global Moderator

    You're not checking right.  pfSense has nothing to do with your access from the Mikrotik to 192.168.0.x/24; that rule would have to be put on the Mikrotik.

    The only time your pfSense rule would come into play is when you're using it as the gateway off the 192.168.0 - so you're on the 192.168.1.x and the gateway off that is your Mikrotik router, and you're trying to go to 192.168.0 – it says great, I have an interface in that network, and sends the packets on.  pfSense is not aware of that traffic at all.  pfSense is only aware of traffic that is trying to leave the 192.168.0 network or is directed to its address on the 192.168.0.
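
The two points the moderator makes in this thread (rules are evaluated top down, so an allow must sit above the block, and pfSense never sees traffic the Mikrotik delivers between its own two subnets) can both be checked with a small model. The block below is an added example, not code from the thread or from pfSense: it is a first-match rule evaluator with the addresses the thread states (Mikrotik 192.168.0.244 on the pfSense LAN, pfSense LAN address 192.168.0.239), a rule list mirroring the original wrong ordering with pfSense's stock "Default allow LAN to any" rule still at the bottom, the corrected allow-then-block ordering with DNS added, and a `filtering_hop` helper that says which device's rules a flow actually crosses. The internet address 198.51.100.10 is a constructed placeholder; the model does not reproduce state tracking or schedule expiry, only which rule a new connection would hit.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Addresses as stated in the thread.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")        # pfSense "LAN net"
MIKROTIK_LAN_SIDE = "192.168.0.244"                     # Mikrotik's address on the pfSense LAN
PFSENSE_LAN = "192.168.0.239"                           # pfSense LAN address
MIKROTIK_NETS = [ipaddress.ip_network("192.168.1.0/24"), LAN_NET]  # Mikrotik has a leg in each

WEB_DNS = frozenset({53, 80, 443})
ANY_PROTO = frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    src: str                             # IP, CIDR, "any", "LAN net" or "!LAN net"
    dst: str                             # same forms as src
    dports: Optional[FrozenSet[int]]     # destination ports; None means any (never source ports)
    protos: FrozenSet[str] = ANY_PROTO
    enabled: bool = True                 # a scheduled rule outside its hours behaves as disabled


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    net = LAN_NET if spec == "LAN net" else ipaddress.ip_network(spec, strict=False)
    inside = ipaddress.ip_address(ip) in net
    return (not inside) if negate else inside


def evaluate(rules: List[Rule], src: str, dst: str, dport: int, proto: str = "tcp") -> str:
    """First matching enabled rule wins (pfSense GUI rules carry pf's 'quick');
    nothing matching falls through to the interface's implicit default deny."""
    for r in rules:
        if not r.enabled or proto not in r.protos:
            continue
        if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action
    return "block"


# Ordering the thread starts with: block to LAN net first, then a pass to the
# pfSense LAN address that can never be reached, with pfSense's stock
# "Default allow LAN to any" rule still sitting at the bottom.
WRONG_ORDER = [
    Rule("block", MIKROTIK_LAN_SIDE, "LAN net", None),
    Rule("pass", MIKROTIK_LAN_SIDE, PFSENSE_LAN, frozenset({80, 443})),
    Rule("pass", "LAN net", "any", None),
]


def corrected_rules(schedule_active: bool = True) -> List[Rule]:
    """Allow first, then block: DNS to pfSense, web and DNS to anything that is
    not LAN net, and a final block for everything else from the Mikrotik.
    The two pass rules are the ones a schedule would switch off at night."""
    return [
        Rule("pass", MIKROTIK_LAN_SIDE, PFSENSE_LAN, frozenset({53}), enabled=schedule_active),
        Rule("pass", MIKROTIK_LAN_SIDE, "!LAN net", WEB_DNS, enabled=schedule_active),
        Rule("block", MIKROTIK_LAN_SIDE, "any", None),
    ]


def filtering_hop(src: str, dst: str) -> str:
    """Which device's rules a flow from the 192.168.1.x side actually crosses.
    The Mikrotik has an interface in both subnets, so anything destined for
    either of them is delivered by the Mikrotik itself; pfSense only sees
    traffic leaving 192.168.0.0/24 or addressed to pfSense's own LAN IP."""
    d = ipaddress.ip_address(dst)
    if d == ipaddress.ip_address(PFSENSE_LAN):
        return "pfsense"
    if any(d in n for n in MIKROTIK_NETS):
        return "mikrotik"
    return "pfsense"


if __name__ == "__main__":
    internet = "198.51.100.10"   # constructed example address (TEST-NET-2)
    for name, rules in (("wrong order", WRONG_ORDER), ("corrected", corrected_rules())):
        print(name, "| DNS->pfSense:", evaluate(rules, MIKROTIK_LAN_SIDE, PFSENSE_LAN, 53, "udp"),
              "| 443->internet:", evaluate(rules, MIKROTIK_LAN_SIDE, internet, 443),
              "| 21->internet:", evaluate(rules, MIKROTIK_LAN_SIDE, internet, 21))
    print("schedule off, 443->internet:",
          evaluate(corrected_rules(False), MIKROTIK_LAN_SIDE, internet, 443))
    print("AFP 548 from 192.168.1.10 to 192.168.0.50 is filtered by:",
          filtering_hop("192.168.1.10", "192.168.0.50"))
```

With the original ordering the block rule eats the DNS lookup to pfSense while FTP to the internet slips through on the default allow, which is exactly the symptom reported later in the thread; with the corrected ordering DNS and web pass and port 21 stops at the final block. The AFP test from 192.168.1.x to 192.168.0.x lands on the Mikrotik, so no pfSense rule can affect it.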



  • Thank you,
    So this clarifies things. I thought that, since the Mikrotik has pfSense as its gateway, pfSense could "filter" the traffic from its IP to the Mikrotik IP.

    If the Mikrotik were out of the equation, and I had two "LAN" interfaces on the pfSense, I guess I could filter the traffic between those two?

    Best regards

    Kostas


  • LAYER 8 Global Moderator

    Exactly, if you had 192.168.0 on one and 192.168.1 on the other so that pfSense is the router between the segments - then sure, you could filter traffic between those 2 segments.

