Prevent traffic between subnets



  • What is the most efficient rule or rules to allow access to the Internet via the WAN,
    but prevent traffic between subnets on LAN, OPT1 & OPT2?

    Currently I have 3 rules on each interface (except WAN).

    1st rule blocks traffic to one of the other subnets
    2nd rule blocks traffic to the remaining subnet
    3rd rule passes traffic to any

    Is this the best way?



  • I am trying to do this as well

    I want to block traffic from LAN2 to LAN



  • With just 2 LAN subnets (example names LAN1 and LAN2) you can do it in 1 rule on each LAN:
    On LAN1 - pass all with destination not LAN2net
    On LAN2 - pass all with destination not LAN1net

    With more LANs it is trickier. e.g. LAN1, LAN2, LAN3, LAN4.
    Make aliases:
    A = LAN2+LAN3+LAN4
    B = LAN1+LAN3+LAN4
    C = LAN1+LAN2+LAN4
    D = LAN1+LAN2+LAN3

    On each LAN put a pass rule like:
    LAN1 - pass all with destination not A
    LAN2 - pass all with destination not B
    LAN3 - pass all with destination not C
    LAN4 - pass all with destination not D

    Or, make 1 alias for the whole private address space that you are going to use. e.g. if all your private subnets are in 10.0.0.0/8 then make an alias "Private10" for that. (this is where a built-in alias that covered the RFC1918 private address space would be a handy little time-saver) On each LAN add a rule:
    pass all with destination not Private10
    Warning: you still want to access the webGUI from somewhere. The anti-lockout rule should allow you in to LAN1. Add a pass rule for access to LAN1address, LAN2address, LAN3address, LAN4address ports as desired.



  • Phil is right on.  I personally don't like the pfSense firewall rules interface, as I think it can get confusing when you separate the rules by interface.  At the office, I'm used to managing Check Point security gateways, which use a unified rulebase.  You simply enter source, destination, ports, relevant VPN communities, pass/drop, track/log and install your policy.  The appliance figures out the interfaces in the background.

    Simply create a rule on each interface that has its respective LAN as the source, negate all other LANs for the destination, and permit whichever ports you need (likely only TCP 80, TCP 443, TCP/UDP 53, maybe TCP 20/21 for most basic web browsing and downloading).  One of the most important rules you need is the "drop all and log" rule, which should be the last rule on every interface.  This will be very important for diagnostics if you find that you're actually blocking a port that you need for something.



  • Thanks for the help!

    Maybe a good feature request would be…

    A built-in alias that includes all interface subnets excluding the WAN and the interface subnet the rule applies to.



  • It would be really cool if a single floating rule could be used to block traffic between non-wan interfaces.



  • @phil.davis:

    Or, make 1 alias for the whole private address space that you are going to use. e.g. if all your private subnets are in 10.0.0.0/8 then make an alias "Private10" for that. (this is where a built-in alias that covered the RFC1918 private address space would be a handy little time-saver) On each LAN add a rule:
    pass all with destination not Private10

    Would this prevent traffic sent to pfsense itself (x.x.x.1)? If so, would that be an issue?



  • As long as the LAN has the anti-lockout rule enabled, you still get access to the WebGUI.
    If you use my "Private10" method, then you might want pass rules above it to allow SSH to the pfSense LAN IP, and rules on other interfaces allowing traffic to pfSense LANn IP, if you want to be able to access the WebGUI from the other LANs.
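    An added illustration of the two approaches above (the per-LAN "not A/B/C" aliases and the single "Private10" alias), not code from the thread or from pfSense: a small first-match rule evaluator over constructed sample subnets, with pfSense assumed to hold the first host of each LAN and the webGUI assumed on port 443. It shows why a "pass to this LAN's address" rule is needed above the negated alias, and that Private10 also blocks private destinations that no LAN alias lists.

```python
import ipaddress

# Constructed example subnets (not from the thread); pfSense holds .1 on each.
LANS = {
    "LAN1": ipaddress.ip_network("10.1.0.0/24"),
    "LAN2": ipaddress.ip_network("10.2.0.0/24"),
    "LAN3": ipaddress.ip_network("10.3.0.0/24"),
}
PRIVATE10 = [ipaddress.ip_network("10.0.0.0/8")]   # the "Private10" alias
WEBGUI_PORT = 443                                   # assumed webGUI port

def interface_address(lan):
    """pfSense's own address on a LAN (first usable host; an assumption)."""
    return ipaddress.ip_network(str(next(LANS[lan].hosts())))

def other_lans_alias(lan):
    """Phil's per-LAN alias (A, B, C, ...): every LAN except this one."""
    return [net for name, net in LANS.items() if name != lan]

def lan_rules(lan, method):
    """Rules as they would sit on one interface tab, top-down, first match wins.
    Each rule is (action, dest_networks, negate_dest, dest_port or None)."""
    not_dest = PRIVATE10 if method == "private10" else other_lans_alias(lan)
    return [
        ("pass", [interface_address(lan)], False, WEBGUI_PORT),  # webGUI on this LAN
        ("pass", not_dest, True, None),     # pass all with destination NOT alias
    ]                                       # pfSense's implicit default deny follows

def evaluate(src_lan, dst_ip, dst_port, method="private10"):
    """Return the action taken for a new connection entering on src_lan."""
    dst = ipaddress.ip_address(dst_ip)
    for action, nets, negate, port in lan_rules(src_lan, method):
        matches_dest = any(dst in n for n in nets)
        if matches_dest == negate:          # a negated alias matches when dest is NOT in it
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "block"                          # nothing matched: default deny

if __name__ == "__main__":
    for dst, port in [("8.8.8.8", 443), ("10.2.0.5", 445), ("10.1.0.1", 443), ("10.2.0.1", 443)]:
        print(f"LAN1 -> {dst}:{port}: {evaluate('LAN1', dst, port)}")
```

    Traffic between hosts on the same LAN never reaches the firewall, so the evaluator only models what arrives on an interface.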



  • @coreybrett:

    @phil.davis:

    Or, make 1 alias for the whole private address space that you are going to use. e.g. if all your private subnets are in 10.0.0.0/8 then make an alias "Private10" for that. (this is where a built-in alias that covered the RFC1918 private address space would be a handy little time-saver) On each LAN add a rule:
    pass all with destination not Private10

    Would this prevent traffic sent to pfsense itself (x.x.x.1)? If so, would that be an issue?

    I have an alias with management ports (22 and webGUI port, in my case 81) and have a rule on my WLAN to reject access to those ports, with WLAN address as destination.



  • @coreybrett:

    What is the most efficient rule or rules to allow access to the Internet via the WAN,
    but prevent traffic between subnets on LAN, OPT1 & OPT2?

    we have defined an alias private => networks 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.255.0.0/16
    and an alias allowed_servers => "internal IP of webservers and printers who should be available on all networks"

    => every LAN gets an
    -  "allow * => !private        over GW GROUP" and
    -  "allow * => allowed_servers  over  *    " rule … that's it ...

    and special rules if we allow further access from LANx to LANy (like LAN => telephone server) in needed LAN segments.

    Bests

    Reiner

