Trouble with setting up pfSense to firewall two subnets internally
danderemer last edited by
I am running pfSense 2.1.2 on a Soekris net6501 and I have two subnets that I need to restrict traffic between. The obvious answer was to use ACLs in the Cisco Catalyst 3560 but the onsite IT guy wants to be able to administer this with a nice web GUI and wants to be able to limit the amount of entries to manage (a perfect use for aliases in the firewall rules).
We have two subnets in question:
192.168.2.x/24 on the WAN side and 192.168.15.x/24 on the LAN side. The condition is that the 192.168.15.x subnet should be able to access all of the 192.168.2.x subnet (the default LAN subnet -> any rule handles this) but only certain addresses/ranges in the 192.168.2.x subnet should be able to access devices on the 192.168.15.x subnet.
Previously a monowall was used to accomplish this goal. We simply connected the 192.168.2.x subnet to the WAN interface, assigned an IP address to the WAN interface as a static IP and then connected the 192.168.15.x subnet to the LAN interface. We then configured rules in the WAN interface to pass traffic along. We did not set any NAT rules.
The reason for using pfSense instead is that monowall is not as robust and efficient with firewall rules. Plus, monowall's development is very infrequent.
We set up the pfSense box the same as the monowall box and now we cannot pass traffic. Is there something else I am missing?
"We did not set any NAT rules."
Well by default out of the box pfsense will nat between lan and wan interfaces. So if you want your wan network to talk to your lan network you would have to do nat. Or you're going to want to disable nat.
So I take it pfsense is not the gateway of your "lan" networks. Or normally these 192.168.2 and 192.168.15/24 would just be lan interfaces in pfsense which by default would not be natted.
danderemer last edited by
Yeah, we disabled NAT. The Catalyst 3560 was not the most optimal way of controlling traffic due to having to write many ACLs. We use the pfSense's aliases to shorten the work and also the GUI made the work a lot more friendly for the onsite IT staff.
Sorry for the delay getting back to you. It was an interesting problem going between the monowall and pfSense boxes. The monowall didn't care about NATing, it let us pass traffic just with firewall rules. On the monowall, there wasn't any 1 to many IP address translation so NAT technically wasn't needed, just rules to allow IPs from one range to reach the other. Basically, the LAN interface had free rein on the WAN interface. The WAN interface had to be allowed on a per IP/per port basis.
I'm assuming the main difference is that monowall uses iptables and pfSense uses PF and that PF is more strict about traffic flow. Or at least pfSense has a stricter implementation of PF than monowall's implementation of iptables. I honestly don't know. I was just tripped up by that difference there. Disabling NAT fixed it.
Thank you for your help, johnpoz.
Where did you get the idea that m0n0wall uses iptables? m0n0wall is based upon freebsd, there are 3 firewalls that freebsd could use pf, ipfilter or ipfw – I am not 100% sure but would assume m0n0 uses pf just like pfsense..
pfsense is a fork of m0n0wall..
If you're wanting to use a wan sort of interface internally to route/firewall traffic on your local network with pfsense or m0n0wall - then yeah you wouldn't want to nat normally. I am fairly sure out of the box m0n0wall has nat enabled as well. But it's been a long time since I played with it. Maybe it asks you during install?? I know pfsense out of the box setup asks for a wan interface and then you set up the lan interface and it would nat between those for you. If you don't want to do that you would have to disable the nat after the setup.
Glad you got it all sorted it seems like.
Pretty sure m0n0wall uses ipfilter. Moving to pf was one of the original reasons for the fork if I recall.
Turn off NAT. Firewall > NAT, set manual outbound and disable all the rules.
Make an alias for the IP addresses on 192.168.2.x that can access 192.168.15.0/24. I'll call it pass_hosts
As you stated, pass rules on LAN should be covered by the default LAN to any rule.
On WAN do something like this:
pass ip any source pass_hosts dest LAN net
reject ip any source WAN net dest LAN net
If you want them to get to the internet add:
pass ip any source WAN net dest any
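The ruleset the reply above describes, written out as a hand-made pf.conf equivalent so the rule order and the absence of a nat rule are explicit. This is an added example, not pfSense's own generated ruleset (/tmp/rules.debug) and not code from the thread; the interface names em0/em1 and the two addresses placed in the pass_hosts alias are assumptions for illustration.

```conf
# Added example: hand-written pf.conf equivalent of the rules in the reply above.
# Assumed interface names: em0 faces 192.168.2.0/24 ("WAN"), em1 faces
# 192.168.15.0/24 ("LAN"). Not pfSense's generated rules.debug.
wan_if  = "em0"
lan_if  = "em1"
wan_net = "192.168.2.0/24"
lan_net = "192.168.15.0/24"

# The pass_hosts alias: the 192.168.2.x hosts allowed onto the LAN side.
# These two entries are constructed for the example.
table <pass_hosts> const { 192.168.2.10, 192.168.2.20 }

# Deliberately NO "nat on $wan_if ..." line. Traffic between the two
# subnets is routed, not translated. This is what "manual outbound NAT
# with every mapping disabled" produces in the GUI.

# pfSense evaluates interface rules first-match-wins ("quick"), so the
# order below matters: the alias pass must sit above the reject.

# LAN side: the default "LAN net to any" rule.
pass in quick on $lan_if inet from $lan_net to any keep state

# WAN side, rule 1: only pass_hosts may reach 192.168.15.0/24.
pass in quick on $wan_if inet from <pass_hosts> to $lan_net keep state

# WAN side, rule 2: every other 192.168.2.x host is refused. "block return"
# is the pf spelling of the GUI's "reject" (TCP RST / ICMP unreachable).
block return in quick on $wan_if inet from $wan_net to $lan_net

# WAN side, rule 3 (optional): remaining WAN-side hosts may go anywhere
# else, e.g. the Internet. Rule 2 has already caught LAN-bound traffic.
pass in quick on $wan_if inet from $wan_net to any keep state
```

Two checks worth running on the box after saving the GUI rules: `pfctl -sn` should print no nat rules at all, and `pfctl -sr` should show the pass_hosts pass rule listed above the block-return rule for the WAN interface. Separately, pfSense's WAN interface has "Block private networks and loopback addresses" enabled by default, which drops 192.168.2.0/24 before any of these rules are consulted; it has to be unchecked under Interfaces > WAN for an RFC 1918 "WAN" like this one. None of it has any effect unless hosts on both subnets actually route to each other through the pfSense box rather than through the Catalyst.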