Firewall rules on a pfsense behind a pfsense



  • Hi folks,

    Have a question about a setup I'm trying to implement. I'll try to give all the pertinent info but there's a lot of it. We have a pfsense (we'll call it the main firewall) and it's got two WAN connections for failover and one LAN connection (192.168.0.5) for the whole organization. Then I've got a 2nd pfsense firewall (we'll call it the prison firewall) that has one WAN connection (192.168.3.150) that is on the LAN of the main firewall and one LAN connection (192.168.31.1) which has a group of users that I don't want to be able to access the entire LAN of the main firewall but yet be able to access the internet through the dual WANs of the main firewall. Just to add to the mix, I've got the Squid and SquidGuard packages running on the prison firewall to block porn and such. I don't think the main firewall factors into this issue but who knows. We have a separate DHCP server on the LAN of the main firewall that uses a 192.168.0.0/20 range so there's no DHCP server running on the main firewall. Same with DNS, there are two DNS servers on the LAN of the main firewall. As for the prison firewall, it's handing out DHCP in the 192.168.31.0/24 range to the LAN and it's using Google's DNS of 8.8.8.8 and 8.8.4.4.

    I've tried adding rules on the prison firewall that allow all traffic from the Prison firewall LAN subnet (192.168.31.0/24) to the main firewall's LAN IP (192.168.0.5) so the "prisoners" can access the internet, and adding another rule below the first to block all traffic from the Prison firewall subnet to the main firewall LAN subnet. I tried these rules on both the LAN interface (before the default rule) and the WAN interface of the prison firewall but it didn't seem to block anything (I have a steady ping running from a workstation on the prison firewall LAN to a server on the main firewall LAN and it ran uninterrupted through all my testing).

    I then changed the two rules to allow all traffic from the Prison firewall WAN address (192.168.3.150) to the main firewall LAN address (192.168.0.5) and to block all traffic from the Prison firewall WAN address to the Prison firewall WAN subnet (192.168.0.0/20). Again, no change in my pings.

    I've got logging on for all the rules and I've checked the logs and the traffic I'm looking for isn't being logged, or it's getting lost in the logs as there is a substantial amount of traffic.

    Interestingly enough, I added a firewall rule on the prison firewall to block any ICMP packets from any source to any destination on the LAN interface and the pings still keep going.

    Suggestions?

    Thanks,

    Mark



  • Ahhh, looks like it's a windows-like issue. A reboot of the prison firewall has smartened it up and it's working now. Sorry for the trouble folks!

    Mark


  • Hint: There's Diagnostic - States - Reset states :)



  • @doktornotor:

    Hint: There's Diagnostic - States - Reset states :)

    Thanks for the tip doktornotor, that might just come in handy in the future haha.
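Added example, not from the thread or from pfSense itself: a small Python model of first-match rules plus a state table, showing why the steady ping kept running after the block rules were added and why clearing states (the reboot, or Diagnostics - States - Reset states) made the rules take effect. The addresses are the thread's; the helper classes and the 192.168.0.20 ping target are illustrative assumptions.

```python
# Model of how a stateful firewall such as pfSense handles traffic: the
# rule list is consulted only for the packet that creates a state; later
# packets of the same flow match the state table and never see the rules.
# Simplified (no reply direction, no timeouts); classes are illustrative.
import ipaddress

class Rule:
    def __init__(self, action, src, dst, proto="any"):
        self.action = action            # "pass" or "block"
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto = proto
    def matches(self, pkt):
        src, dst, proto = pkt
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in ("any", proto))

class StatefulFirewall:
    def __init__(self, rules, default="block"):
        self.rules = rules
        self.default = default
        self.states = set()             # flows already passed by a rule
    def filter(self, pkt):
        if pkt in self.states:
            return "pass"               # existing state: rules not consulted
        for rule in self.rules:         # first match wins, as in pfSense
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(pkt)
                return rule.action
        return self.default
    def reset_states(self):
        self.states.clear()             # Diagnostics - States - Reset states

def demo():
    """Replays the thread: ping established, block rule added, states reset."""
    fw = StatefulFirewall([Rule("pass", "192.168.31.0/24", "0.0.0.0/0")])
    ping = ("192.168.31.10", "192.168.0.20", "icmp")   # constructed flow
    before = fw.filter(ping)                           # state created
    # The intended rules are now inserted above the original catch-all.
    fw.rules[:0] = [Rule("pass", "192.168.31.0/24", "192.168.0.5/32"),
                    Rule("block", "192.168.31.0/24", "192.168.0.0/20")]
    still_passing = fw.filter(ping)                    # state still wins
    fw.reset_states()
    after_reset = fw.filter(ping)                      # block rule applies
    gateway = fw.filter(("192.168.31.10", "192.168.0.5", "tcp"))
    return before, still_passing, after_reset, gateway
```

Rule logging shows the same thing: a packet matched by an existing state generates no rule log entry, which is why the ping never appeared in the logs.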

