Correct Rule To Allow LANs -> WAN, but block LAN -> LAN
-
I want to avoid explicit deny rules. If I add a new interface in the future, such a rule will allow traffic to it unless I remember to deny it as well. Since pfSense blocks by default, I just want a rule that allows only LAN1/2 to WAN. I set a gateway WAN specifically because I have multi-WAN.
-
There is no explicit deny rule. You allow LAN1 to everything but LAN2 subnet and the other way round. Setting GW for LAN is outright broken. Other than that, not really willing to work with perpetually moving targets, such as your edited first post stating that pfSense is not really a WAN router any more, or that your have a multiWAN out of the blue now, sorry. Without network diagram there's nothing to work with in the first place after you've totally redesigned your setup.
-
There is no explicit deny rule. You allow LAN1 to everything but LAN2 subnet and the other way round. Setting GW for LAN is outright broken. Other than that, not really willing to work with perpetually moving targets, such as your edited first post stating that pfSense is not really a WAN router any more, or that your have a multiWAN out of the blue now, sorry. Without network diagram there's nothing to work with in the first place after you've totally redesigned your setup.
Please… It was edited 3 hours before you even replied.
I don't wan't to keep adding !LAN1 and !LAN2 etc. to each Internet access rule as I may add more LANs later.
Setting a gateway is broken? How do you suppose people route LAN1 through WAN1 and LAN2 through WAN2?
WAN is not even my default gateway on pfSense so it has to be set explicitly to route LANs to the Internet. -
So make use of aliases instead. (And no, they will NOT grow automagically either with new interfaces added.)
Other than that, as said, without a networking diagram there's no point in debating your unknown setup.
-
Explicit denies like !LANx or !Alias are not acceptable and are a security hole waiting to happen. There's a reason firewalls block unmatched rules by default.
The minimal information provided in the first post is sufficient to answer the question, which you are unable to do. LAN1 & LAN2 -> WAN without LAN1 <-> LAN2 is the only requirement. Nothing else is relevant. No beginner's rules like !LAN1 and !LAN2.
-
OK, bye, Mr. Expert… enough time wasted here.
-
The rule you are looking for is: allow from lan1-subnet destination ! Lan2-subnet. And another one like it from lan2–> lan1
-
@lsf:
The rule you are looking for is: allow from lan1-subnet destination ! Lan2-subnet. And another one like it from lan2–> lan1
Yes, but if another interface is ever plugged in, then traffic from LANs will automatically be allowed to it until I explicitly block it! Isn't that dangerous?
-
@KurianOfBorg:
Explicit denies like !LANx or !Alias are not acceptable and are a security hole waiting to happen. There's a reason firewalls block unmatched rules by default.
The minimal information provided in the first post is sufficient to answer the question, which you are unable to do. LAN1 & LAN2 -> WAN without LAN1 <-> LAN2 is the only requirement. Nothing else is relevant. No beginner's rules like !LAN1 and !LAN2.
The trick is to not use explicit denies, but to use explicit allows.
Since there is a default block rule after all your own rules, traffic not explicitly allowed will always be blocked.
Create an alias containing all the local subnets. An RFC1918 alias containing all the private subnets is usually a pretty safe approach.
See the attached screenshot how such a rule would look like.
With this you explicitly allow everything not private.Btw: i wouldn't call the approach of using inverse aliases "not acceptable and a security hole waiting to happen"….
It all comes down to how you design your rules.
-
Create an alias containing all the local subnets. An RFC1918 alias containing all the private subnets is usually a pretty safe approach.
Thanks, this is great. !RFC1918 is definitely safer than !LAN1 or !LAN2 because there's no risk if an additional interface is added later since its subnet will already be covered.