Default firewall rules

  • Hello,

    This is a very basic question from someone who has just started using pfsense today (which so far has been extremely easy to set up, configure and get working - well done to the pfsense people!)

    My office has a 100 Mbps internet connection and we use Juniper SSG firewalls for LAN protection.

    A requirement has come up to have an external WiFi network put in place but the IT Policy says that this is a no go on the network, hence the installation of a PC running pfsense.

    The setup is as follows:

    Internet ---- Juniper SSG ---- LAN ---- devices
                ---- nic1 pfsense box nic2 ---- Wireless Access Point ---- devices (so the pfsense WiFi network bypasses the Juniper SSG firewalls)

    I have put a rule in place to limit the up and download speeds through the pfsense box to 20 Mbps and this works fine, as does the Wireless Access Point.

    All I have in the Firewall Rules are:

    RFC 1918 networks - block
    Reserved/not assigned by IANA - block

    Anti-Lockout Rule - allow
    Default allow LAN to any rule - allow
    20 Mbps Upload / Download Limiter - the rule described above

    My questions:

    1. Are the default firewall rules on the pfsense box sufficient protection to the WiFi connected devices? 
    2. Or should I configure something more? 
    3. I have some users who connect their laptops to the Wireless Access Point at times, and to the LAN by cable at other times. What happens is that because they auto join the WiFi, when they are connected to the LAN by a cable, they sometimes also connect to the WiFi at the same time - does this present any security risks to the LAN (i.e. they are connected to the WiFi which essentially "starts" before the Juniper SSG firewalls, which passes through to the pfsense box, then to the laptop, while the laptop is also connected to the LAN)?


  • It seems I have found the answer to my own question…

    Under Firewall Rules: WAN

    It clearly states:

    No rules are currently defined for this interface
    All incoming connections on this interface will be blocked until you add pass rules

    So I guess that's it, everything incoming on that interface is blocked, which is all I want.

    If I am incorrect, please correct me?

  • Correct - everything is blocked by default (effectively an unseen block all rule at the end of this list on every interface). To pass anything, a pass rule has to be added.
    On the risks of laptops connected to WiFi and LAN - the laptops don't act as routers, so they can't be used by other unknown-status guest systems that might be on the WiFi, to route through to the LAN.
    If the dual-connected laptop has a virus itself, then it is a problem connecting to the LAN in any case - whether it also connects to the WiFi at the same time. So I can't see how the scenario described increases risk to the LAN.

  • I believe the risk would be in the LAN being accessible from a parking lot as opposed to a physical connection. There's nothing wrong with his setup performance wise, and so long as devices on the access point don't need resources on the LAN side he's ok.

    @OP Your setup will give wifi users unrestricted access to the internet. Life only becomes more interesting when you want said wifi devices to have access to resources on the LAN (exchange/shares whatever). You could take it a step further, and add a portal page so users have to log in - gives you the ability to do some tracking by login if interested. Or create a voucher system so before somebody can use the wifi, they must speak to somebody in IT. Gives that "I'm watching you" impression lol.

  • This is very dangerous and SHOULD NOT BE DONE!  No client should ever be allowed to connect to both the internal LAN and Internet at same time.  I realize that by default it doesn't route.  But with a sizeable deployment it will happen.  People like to play.  And they will.

    Your WiFi Internet access should be for personal devices only.  And require registration.  Or specific devices for a dedicated business purpose.  Remember this is a business environment.  Not your home.

    You're playing with fire.  And there is no hydrant in the vicinity.

    Do NOT do this without written permission signed by those with sufficient authority to cover you when the crown jewels are lost/compromised.

  • "what happens is that because they auto join the WiFi, when they are connected to the LAN by a cable, they sometimes also connect to the WiFi at the same time"

    Yea I somehow missed this entirely. Indeed it is a very bad practice and sort of negates having the wifi separate from your LAN. Beyond security risks, you're also looking at possible routing issues as well, where the laptop may split traffic up. I've seen scenarios like this where the laptops try reaching local resources over the wifi etc…

    You could be victim to somebody breaking into the wireless, taking over a client who is connected both by LAN and wifi and then gaining access to the LAN. But that's a lot of what-ifs.

    This is where the portal page may be useful, give warnings / disclaimers to employees about having both connected. Create timed sessions so they're forced to log back in after xx minutes/hours of inactivity.

    If it's a windows 7 environment, you can push via group policy that LAN wins and deactivate wifi upon a LAN connection.

  • @heavy1metal:

    If it's a windows 7 environment, you can push via group policy that LAN wins and deactivate wifi upon a LAN connection.

    Even this can be defeated if they are able to set up a bridge.  I've done it for the purpose of sniffing LAN traffic on a switch probe port while maintaining network connectivity via WLAN (WiFi).  For my purpose I remove the devices from the bridge so there is no route between them.  But it allows both LAN and WiFi to stay active at the same time.

  • Thanks all for your comments.

    To heavy1metal, I thought it would be possible to force via Group Policy something that gives LAN connections priority over WiFi connections when a cable is connected, however I do not see where this is, can you point me in the right direction please?  I have 2008 R2 DCs.

    By the way, no users are admins, so they cannot change settings to their NICs without the admin login, so setting up a bridge etc is very unlikely.

    Related to this, let's say your office is in range of a completely separate, unsecured WiFi network, let's say a cafe or a shop.  Your users connect their laptops to this.  They also connect to the LAN by cable.  Surely this presents a problem then?  There must be a way around this scenario.
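The "LAN wins" behaviour heavy1metal describes above, written out as an added example (this is not code from any poster in this thread, nor a pfSense feature): a PowerShell script that disables every Wi-Fi adapter while a wired Ethernet adapter has link, re-enables Wi-Fi when the cable is unplugged, and logs each change so dual-homed laptops can be spotted centrally. It assumes Windows 8 / Server 2012 or later for the NetAdapter cmdlets (so it would not run unchanged on the Windows 7 clients mentioned above), that it runs elevated, and a log location of your choosing (the `$LogPath` default is a placeholder).

```powershell
<#
  Added example, not code from this thread or from the pfSense project.
  Enforces "LAN wins": while any wired Ethernet adapter reports link,
  every Wi-Fi adapter is administratively disabled, so a domain laptop
  cannot sit on the cabled LAN and the pfSense guest WiFi at the same
  time. When the cable is removed, Wi-Fi is handed back.

  Assumptions: Windows 8 / Server 2012 or later (NetAdapter module),
  run elevated (ordinary users cannot re-enable the adapter), and a
  log path of your choosing; the $LogPath default below is a placeholder.
#>

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$LogPath = "$env:ProgramData\LanWins\lanwins.log"  # placeholder location
)

function Write-LanWinsLog {
    # Append one timestamped line per adapter state change.
    param([string]$Message)
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    "$(Get-Date -Format o) $env:COMPUTERNAME $Message" | Add-Content -Path $LogPath
}

function Get-WiredAdapters {
    # Physical adapters reporting IEEE 802.3 media (cabled Ethernet).
    Get-NetAdapter -Physical | Where-Object { $_.PhysicalMediaType -eq '802.3' }
}

function Get-WirelessAdapters {
    # Physical adapters reporting IEEE 802.11 media (Wi-Fi).
    Get-NetAdapter -Physical | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }
}

function Test-WiredLink {
    # True when at least one wired adapter is connected (operational Status 'Up').
    $up = @(Get-WiredAdapters | Where-Object { $_.Status -eq 'Up' })
    return ($up.Count -gt 0)
}

function Invoke-LanWins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $wireless = @(Get-WirelessAdapters)
    if ($wireless.Count -eq 0) {
        Write-Verbose 'No Wi-Fi adapter present; nothing to do.'
        return
    }

    if (Test-WiredLink) {
        # Cable is up: any Wi-Fi adapter that is still enabled would make the host dual-homed.
        foreach ($nic in $wireless | Where-Object { $_.AdminStatus -eq 'Up' }) {
            if ($PSCmdlet.ShouldProcess($nic.Name, 'Disable Wi-Fi while wired link is up')) {
                Disable-NetAdapter -Name $nic.Name -Confirm:$false
                Write-LanWinsLog "wired link up: disabled Wi-Fi adapter '$($nic.Name)'"
            }
        }
    }
    else {
        # No cable: re-enable Wi-Fi adapters this script (or an admin) turned off.
        foreach ($nic in $wireless | Where-Object { $_.AdminStatus -eq 'Down' }) {
            if ($PSCmdlet.ShouldProcess($nic.Name, 'Re-enable Wi-Fi, no wired link')) {
                Enable-NetAdapter -Name $nic.Name -Confirm:$false
                Write-LanWinsLog "no wired link: re-enabled Wi-Fi adapter '$($nic.Name)'"
            }
        }
    }
}

Invoke-LanWins
```

Run it once with `-WhatIf` to see which adapters it would touch, then deploy it through Group Policy as a scheduled task that fires on network connect/disconnect events (or at logon) so it re-evaluates every time a cable is plugged or pulled. It only covers the ordinary case where users are not local admins; the bridge trick described earlier in the thread needs admin rights and is outside what this script can enforce. On Windows 8 and later the same intent is also available as a built-in policy under Computer Configuration > Administrative Templates > Network > Windows Connection Manager ("Minimize the number of simultaneous connections to the Internet or a Windows Domain"), which can replace the script on those clients.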
