    Netgate Discussion Forum
    Firewall rules for branch sites

    Firewalling
    boomam:

      Evening all,
      Could do with some advice on the whos and the whys, and what's best practice.

      Topology & Firewall Description:

      3 Pfs, one of them "central". Other two Pfs have the same configs and OpenVPN back to the central Pf.

      What's needed:

      • Routing between subnets at all three sites.
      • Internet access for clients at the two branch sites.
      • Separate Guest LAN/Internet access at branch sites.

      Firewall config:
      Central
      LAN: Allow - Local Subnet to all
      OpenVPN: Allow - All to All

      Branch
      LAN: Deny - Local Subnet to Guest LAN
      LAN: Allow - Local Subnet to all
      OpenVPN: Allow - All to All
      Guest LAN: Deny - Guest LAN to LAN
      Guest LAN: Deny - Guest LAN to Remote Subnet
      Guest LAN: Allow - Guest LAN to all

      All denies are at the top of the rule order.
      OpenVPN is setup and functioning between all affected sites.
      WAN connections on each Pf are set to allow incoming/outgoing (where applicable) of OpenVPN ports only.

      Now, the above config works. Traffic routes between sites, there doesn't appear to be any bridging going on between networks, and the internet works fine.
      However, to me that seems like bad practice with all the "allow to alls".

      The internet at the branch sites won't function if I don't set "LAN/Subnet to all".
      Neither will OpenVPN route without that rule and the "all to all" on all the OpenVPN interfaces at all Pfs.

      Thoughts?
      Is there a better or more secure way to achieve this?

      Thanks in advance all!

      phil.davis:

        I make an alias for all the private subnets that I have around my various offices - call it OfficeNets. For example, the organisation uses 10.20.0.0/16 split up around the offices - 10.20.0.0/20 (16 "class-C" to be split among various LANs at a central office), 10.20.16.0/24 at branch 1, 10.20.17.0/24 at branch 2 and so on. Some sort of reasonable scheme of allocating private address space.
        OpenVPN gets a rule to pass source OfficeNets, destination OfficeNets - that way if some other setting accidentally tries to route GuestLAN or real internet traffic across an OpenVPN link it will get dropped.
        You can use the alias on GuestLAN also - to deny from GuestLAN to InternalNets in 1 rule.

        On ordinary LANs for users that need to be able to do general internet browsing, you end up needing a pass destination all rule after blocking particular stuff. The pass rule could only pass specific ports (http, https…) but in many cases that just annoys ordinary people who have perfectly legit reasons to connect out to other ports on internet servers - connect a VPN to some other office site, get mail from their own mail provider on POP3/IMAP/SMTP ports, ssh to something, and so on. I have been a visitor at schools where they have locked down lots of outgoing ports including to POP3/IMAP/SMTP port numbers and I can't do send/receive of my email - how frustrating.

        Rather than trying to tie down the clients on the local LAN with restrictive firewall rules, IMHO mostly what is needed is some filtering at higher level to block out based on content (inappropriate web sites) - DNS-based name server filtering by categories, squid/squidguard/dansguardian or whatever.

        I'm sure others will have their opinions on firewall rules and content filtering combinations...

        boomam:

          Afternoon,
          I managed to work it out about an hour after posting. :p

          OpenVPN connection has a single rule from "remote subnet to LAN subnet".
          LAN subnet has a "from LAN subnet to remote subnet" rule.
          LAN & Guest subnets have rules that deny access to/from each other.
          Guest subnet has a rule that denies to remote subnet too.
          Guest & LAN have a rule that is "subnet to any".

          Seems to work... no crossing of traffic I can see on packet captures, net access works, etc.

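To check that the alias-based layout from the reply above, combined with the branch rule set in the final post, actually produces the decisions the original post asks for, here is an added example (not code from the thread or from pfSense itself) that models per-interface, first-match rule evaluation in Python; the OfficeNets, BranchLAN and GuestLAN ranges and all addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing, following the /16 scheme from the reply above.
ALIASES = {
    "OfficeNets": ["10.20.0.0/20", "10.20.16.0/24", "10.20.17.0/24"],
    "BranchLAN": ["10.20.16.0/24"],
    "GuestLAN": ["192.168.50.0/24"],
    "any": ["0.0.0.0/0"],
}

def _match(alias, addr):
    return any(ip_address(addr) in ip_network(n) for n in ALIASES[alias])

# Branch-site rules per interface, top to bottom: first match wins, as on
# pfSense (default deny when nothing matches).
RULES = {
    "LAN": [
        ("block", "BranchLAN", "GuestLAN"),
        ("pass", "BranchLAN", "any"),
    ],
    "GuestLAN": [
        ("block", "GuestLAN", "OfficeNets"),  # local LAN and remote sites in one rule
        ("pass", "GuestLAN", "any"),
    ],
    "OpenVPN": [
        ("pass", "OfficeNets", "OfficeNets"),  # only office-to-office traffic over the tunnel
    ],
}

def decide(iface, src, dst):
    """Return 'pass' or 'block' for a packet entering on iface."""
    for action, s, d in RULES[iface]:
        if _match(s, src) and _match(d, dst):
            return action
    return "block"

def policy_checks():
    """The flows the original post needs, evaluated against the rule set."""
    internet = "203.0.113.10"  # constructed public address (TEST-NET-3)
    return {
        "lan_to_remote": decide("LAN", "10.20.16.10", "10.20.0.5"),
        "lan_to_guest": decide("LAN", "10.20.16.10", "192.168.50.7"),
        "lan_to_internet": decide("LAN", "10.20.16.10", internet),
        "guest_to_lan": decide("GuestLAN", "192.168.50.7", "10.20.16.10"),
        "guest_to_remote": decide("GuestLAN", "192.168.50.7", "10.20.17.20"),
        "guest_to_internet": decide("GuestLAN", "192.168.50.7", internet),
        "vpn_office_to_office": decide("OpenVPN", "10.20.0.5", "10.20.16.10"),
        "vpn_stray_guest": decide("OpenVPN", "192.168.50.7", "10.20.16.10"),
    }
```

The last check shows the point of the OfficeNets-to-OfficeNets tunnel rule: guest traffic that is accidentally routed into the VPN is dropped rather than passed by an "all to all".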
          © 2021 Rubicon Communications, LLC | Privacy Policy