Isolate single IP



  • I have a system that just needs internet connectivity and I want to block it from the rest of the network. What is the best way to accomplish this? I currently have it on a static IP so couldn't I just set a couple rules to block communication? I'm just not sure more specifically what to set or how to order them. Thanks!



  • @ieatfish:

    I have a system that just needs internet connectivity and I want to block it from the rest of the network. What is the best way to accomplish this? I currently have it on a static IP so couldn't I just set a couple rules to block communication? I'm just not sure more specifically what to set or how to order them. Thanks!

    Communication in a single subnet won't go through your pfSense box so rules you add there will have no effect.

    In order to segregate a single host you'd need to have it on a separate interface (physical or vlan).



  • @Jason:

    @ieatfish:

    I have a system that just needs internet connectivity and I want to block it from the rest of the network. What is the best way to accomplish this? I currently have it on a static IP so couldn't I just set a couple rules to block communication? I'm just not sure more specifically what to set or how to order them. Thanks!

    Communication in a single subnet won't go through your pfSense box so rules you add there will have no effect.

    In order to segregate a single host you'd need to have it on a separate interface (physical or vlan).

    So I should just set it up on a separate VLAN by itself? I have a few VLANs but they are all wired through a managed switch. How would I put this one linux PC on wireless on its own VLAN?



  • Does your AP support VLAN tagging per SSID?  If so, setup a new SSID and assign it a tag.  If not, try having the linux box do the tagging, though this wouldn't be secure.



  • @Jason:

    Does your AP support VLAN tagging per SSID?  If so, setup a new SSID and assign it a tag.  If not, try having the linux box do the tagging, though this wouldn't be secure.

    No, it doesn't support VLAN tagging. However, I think I should be able to connect this to the switch via ethernet. So I'll just do that, put it on its separate VLAN, and make the rules blocking it from the others. Anything else I need to do?



  • @ieatfish:

    @Jason:

    Does your AP support VLAN tagging per SSID?  If so, setup a new SSID and assign it a tag.  If not, try having the linux box do the tagging, though this wouldn't be secure.

    No, it doesn't support VLAN tagging. However, I think I should be able to connect this to the switch via ethernet. So I'll just do that, put it on its separate VLAN, and make the rules blocking it from the others. Anything else I need to do?

    No, if you can get it on a separate VLAN then you'd be able to block it in pfSense.



  • Awesome, thanks for the help!



  • I've setup a third (physical OPT1 interface) adding a 3rd network card to my pfsense box.

    So:

    1st interface: WAN (Internet via PPPoE);
    2nd interface: LAN 192.168.1.0/24;
    3rd interface: WIFI_GUEST 192.168.10.10/24.

    Now I'd like to let the 3rd interface (WIFI_GUEST) access to the Internet and block all other traffic (to LAN and WebGUI).

    I had success isolating the LAN from the guest interface by setting up a rule in the WIFI_GUEST interface to allow all the traffic !not to LAN subnet / LAN interface.

    But I'd like to block the webGUI (webconfigurator) that is still accessible from the guest interface (192.168.10.0/24).


  • LAYER 8 Netgate

    pass source tcp/udp * * dest WIFI_GUEST Address DNS (53)
    reject source * * dest WIFI_GUEST Address *



  • "reject source * * dest WIFI_GUEST Address *"

    Is this rule for the guest interface? If yes, this is going to block guests (?)

    Here are my WIFI_GUEST firewall rules; I think I've overdone something  ;D



  • LAYER 8 Netgate

    @panz:

    "reject source * * dest WIFI_GUEST Address *"

    Is this rule for the guest interface? If yes, this is going to block guests (?)

    Here are my WIFI_GUEST firewall rules; I think I've overdone something  ;D

    First point:  Rules on an interface determine what traffic coming INTO the interface on which they are defined is passed/blocked/rejected/logged etc.

    Second Point: WIFI_GUEST Net includes WIFI_GUEST address.

    • Get rid of all the rules with a source of WIFI_GUEST Address.

    • Get rid of all the rules with a destination of LAN Address where a similar rule exists for LAN Net (LAN Address is included in LAN Net)

    • Change the references to 192.168.10.10 to WIFI_GUEST Address (if I'm reading the comments right)

    • You probably only want to log packets that match a block rule, not pass rules.

    • You probably need a rule passing DNS traffic (dest TCP/UDP 53) to wherever the DNS Server is (Probably WIFI_GUEST Address)  This pass rule should be placed before the rule that blocks or rejects traffic from WIFI_GUEST Net to that destination.

    Do all that and post another screen shot.



  • and read this post, going on at the same time: http://forum.pfsense.org/index.php/topic,70890.msg387362.html#msg387362
    Replace VLAN10 with your interface name WIFI_GUEST and, as I read it, you are both trying to achieve the same thing.



  • Yes, sorry, I didn't want to cross-post: I was trying to achieve the AP isolation using a VLAN, but I found that adding a 3rd NIC to pfSense is less error prone than setting up all the VLAN stuff in pfSense AND on the L2 managed router.

    I'm going to setup all the rules according to the suggestions and I'm wondering if the rule that blocks port 443 is still necessary after setting the first DNS allow rule.



  • These are my now "polished" rules, but I'm viewing attempts to access my LAN in the firewall logs.

    I'm the only one testing this network now, and I'm pretty sure I'm not attempting to enter my internal LAN. Something I've omitted?

    ![polished rules.jpg](/public/imported_attachments/1/polished rules.jpg)
    ![firewall log.jpg](/public/imported_attachments/1/firewall log.jpg)


  • LAYER 8 Netgate

    Is it working?  Looks fine to me.  The only thing I would say is Rules 3 and 4 are redundant.  Rule 4 will never be processed because rule 3 will match first and block.

    If something wasn't trying to open a connection to a host on LAN Net, those log entries would not be there.



  • and rule 2 (block to port 443) could be wider - change destination port 443 to destination port * (any). Because actually if you enable other management services on pfSense (like SSH on port 22…) then you also want those blocked from WIFI_GUEST. It is easy to put a general block in place, then you won't need to remember to add more blocking if things change.
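The two pieces of advice above (the DNS pass must sit before the reject to WIFI_GUEST Address, a rule that is already covered by an earlier one never fires, and a port-443-only reject leaves other firewall services reachable) can be checked mechanically. The following is an added example, not code from the thread or from pfSense: a small first-match evaluator that mimics how pfSense walks the rules on the interface where traffic enters, using the thread's addressing (192.168.1.0/24 LAN, 192.168.10.0/24 guest, 192.168.10.10 as WIFI_GUEST Address). LAN_ADDRESS 192.168.1.1, the public test address 198.51.100.7 and the rule comments are assumptions made for the example.

```python
"""Added example: first-match walk over WIFI_GUEST interface rules (not pfSense code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Dst = Union[ipaddress.IPv4Network, ipaddress.IPv4Address, None]

# Constructed to match the thread's addressing; LAN_ADDRESS is an assumption.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")
WIFI_GUEST_NET = ipaddress.ip_network("192.168.10.0/24")
WIFI_GUEST_ADDRESS = ipaddress.ip_address("192.168.10.10")  # DNS forwarder lives here


@dataclass(frozen=True)
class Rule:
    action: str              # "pass", "block" or "reject"
    proto: Optional[str]     # "tcp", "udp", or None for any protocol
    dst: Dst                 # network, single address, or None for any destination
    dport: Optional[int]     # None for any port
    note: str = ""

    def matches(self, proto: str, dst_ip: ipaddress.IPv4Address, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.dst is None:
            return True
        if isinstance(self.dst, ipaddress.IPv4Network):
            return dst_ip in self.dst
        return dst_ip == self.dst

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is also matched by self."""
        if self.proto not in (None, other.proto):
            return False
        if self.dport not in (None, other.dport):
            return False
        if self.dst is None:
            return True
        if other.dst is None:
            return False
        if isinstance(self.dst, ipaddress.IPv4Network):
            if isinstance(other.dst, ipaddress.IPv4Network):
                return other.dst.subnet_of(self.dst)
            return other.dst in self.dst
        return other.dst == self.dst


def evaluate(rules: List[Rule], proto: str, dst_ip: str, dport: int) -> Tuple[str, Optional[int]]:
    """Rules on an interface apply to traffic entering it; first match wins, default deny."""
    ip = ipaddress.ip_address(dst_ip)
    for i, rule in enumerate(rules):
        if rule.matches(proto, ip, dport):
            return rule.action, i
    return "block", None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, r in enumerate(rules) if any(rules[i].covers(r) for i in range(j))]


DNS_PASS = [Rule("pass", "udp", WIFI_GUEST_ADDRESS, 53, "DNS to the firewall"),
            Rule("pass", "tcp", WIFI_GUEST_ADDRESS, 53, "DNS to the firewall")]
OFF_LAN = Rule("block", None, LAN_NET, None, "guests never reach LAN Net")
INTERNET = Rule("pass", None, None, None, "everything else, i.e. the Internet")

# As posted: only the webGUI port is rejected, so SSH on 22 stays reachable.
NARROW = DNS_PASS + [Rule("reject", None, WIFI_GUEST_ADDRESS, 443, "webGUI only"), OFF_LAN, INTERNET]
# As recommended: after DNS, reject everything aimed at the firewall's own address.
WIDE = DNS_PASS + [Rule("reject", None, WIFI_GUEST_ADDRESS, None, "all firewall services"), OFF_LAN, INTERNET]
# Misordered: the reject placed before the DNS pass silently kills name resolution.
MISORDERED = [WIDE[2]] + DNS_PASS + [OFF_LAN, INTERNET]
# The redundancy from the thread: LAN Address is inside LAN Net, so rule 2 never fires.
REDUNDANT = [OFF_LAN, Rule("block", None, LAN_ADDRESS, None, "shadowed by LAN Net"), INTERNET]


if __name__ == "__main__":
    for name, rules in (("NARROW", NARROW), ("WIDE", WIDE), ("MISORDERED", MISORDERED)):
        for proto, ip, port in (("udp", "192.168.10.10", 53), ("tcp", "192.168.10.10", 22),
                                ("tcp", "192.168.1.50", 445), ("tcp", "198.51.100.7", 443)):
            print(name, proto, ip, port, "->", evaluate(rules, proto, ip, port))
    print("shadowed in REDUNDANT:", shadowed(REDUNDANT))
```

Running it shows the three points at once: NARROW passes tcp/22 to the firewall address while WIDE rejects it, MISORDERED rejects the guests' own DNS queries, and the LAN Address rule in REDUNDANT is reported as shadowed.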



  • Yes, it's working fine. I'm going to do some in depth tests now and report if there are problems. Many many thanks to all!  ;)

