Guest Network

Mysteerie

I removed the first two rules.

Though I did have a couple more questions:

My pass rules on OPT1 works with the following setting:
(PASS)    IPv4 *    OPT1 net    *    *            *    *           none

Though, when I change it following, it will no longer work:
(PASS)    IPv4 TCP    OPT1 net    *    *            80 (HTTP)   *           none    
OR
(PASS)    IPv4 TCP    OPT1 net    *    *            *    *           none

My visitors only need access to websites. Which is why I am trying to restrict to port 80. I also reset states after modifying the rules.

2. Would a vlan bring any extra security in my setup?

kejianshi

You guests don't plan to do any banking, chatting, emailing etc?  No HTTPS sites?

Are they in need of media?  No hulu?  No youtube?  No online music?

Mysteerie

They will need that stuff and I will open those ports.

I am just doing port 80 first as a test.

But yea, the rule doesn't work if I specify a Protocol (e.g. TCP). Am I missing something?

kejianshi

Try this.

Put your pass all rule back in to the firewall rules for opt1.  The rule that works.

Then create a new rule and put it before the pass all rule.

Make that new rule to block all that is not HTTP (port 80).

Basically you will be creating the same rule you have that isn't working, making it come right before your pass all rule only make it block instead of pass and click the "invert sense" button" in that destination and make sure its HTTP.

Understand?

wallabybob

@Mysteerie:

But yea, the rule doesn't work if I specify a Protocol (e.g. TCP). Am I missing something?

Did you reset states after adding the rule? See Diagnostics -> States, click on Reset States tab, read and then click on the Reset button.

Forgetting to do this has tripped me up a number of times.

cmb

Only allowing TCP won't allow DNS. You'll be able to browse to HTTP by IP only with the above TCP-only rules.

kejianshi

So, he would at minimum have to allow port 53, allow ports 80 and 443 and allow all the ports above the service ports 1024-65535 and block specific ports associated with specific protocols he didn't want then?  Like P2P or whatever?
Any more service ports that should be allowed?

kejianshi

So, based on the reply that you are blocking DNS, I got to looking at ports in common usage that are somewhat required.  There are so many in the service port range and so many for sure above 1024 that it seems like a draconian set of firewall rules won't work for you unless you do a lot off firewall rule typing.

CMB was probably too busy laughing at my previous suggestion to point that out, but I think if you try to lock down your visitor subnet from your LAN, thats easy.  If you plan to lock them down somewhat from the internet while still leaving a functioning internet, thats going to be hard with a lot of firewall rules.  Perhaps you should leave their internet open to the web and install a content filter instead, assuming its content you are interested in blocking.  Or set up a traffic shaping rule if its bandwidth you are interested in preserving?

Mysteerie

Can't believe I forgot about DNS port (53), lol. I opened that up and it worked as I wanted.

Though, yea, I will most likely won't restrict it like above; I just wanted to see if it was possible.

Going from a home router to pfsense is a world of difference; so thank you guys for answering all my questions, I am just learning still.

Last question for this thread:

Would vlan bring anything extra to my setup? (I am guessing no and it's only needed if it I wanted to split a physical managed switch).

kejianshi

Yep - I learned something also.