Netgate Discussion Forum
    Trouble with setting up pfSense to firewall two subnets internally

    Firewalling
    6 Posts 4 Posters 1.2k Views
    • danderemer

      Hello,

      I am running pfSense 2.1.2 on a Soekris net6501 and I have two subnets that I need to restrict traffic between. The obvious answer was to use ACLs in the Cisco Catalyst 3560 but the onsite IT guy wants to be able to administer this with a nice web GUI and wants to be able to limit the amount of entries to manage (a perfect use for aliases in the firewall rules).

      We have two subnets in question:

      192.168.2.x/24 on the WAN side and 192.168.15.x/24 on the LAN side. The condition is that the 192.168.15.x subnet should be able to access all of the 192.168.2.x subnet (the default LAN subnet -> any rule handles this) but only certain addresses/ranges in the 192.168.2.x subnet should be able to access devices on the 192.168.15.x subnet.

      Previously a monowall was used to accomplish this goal. We simply connected the 192.168.2.x subnet to the WAN interface, assigned an IP address to the WAN interface as a static IP and then connected the 192.168.15.x subnet to the LAN interface. We then configured rules in the WAN interface to pass traffic along. We did not set any NAT rules.

      The reason for using pfSense instead is that monowall is not as robust and efficient with firewall rules. Plus, monowall's development is very infrequent.

      We set up the pfSense box the same as the monowall box and now we cannot pass traffic. Is there something else I am missing?

      • johnpoz LAYER 8 Global Moderator

        "We did not set any NAT rules."

        Well, by default out of the box pfsense will nat between lan and wan interfaces. So if you want your wan network to talk to your lan network you would have to do nat. Or you're going to want to disable nat.

        So I take it pfsense is not the gateway of your "lan" networks. Normally these 192.168.2 and 192.168.15/24 would just be lan interfaces in pfsense, which by default would not be natted.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • danderemer

          Yeah, we disabled NAT. The Catalyst 3560 was not the most optimal way of controlling traffic due to having to write many ACLs. We use the pfSense's aliases to shorten the work and also the GUI made the work a lot more friendly for the onsite IT staff.

          Sorry for the delay getting back to you. It was an interesting problem going between the monowall and pfSense boxes. The monowall didn't care about NATing; it let us pass traffic just with firewall rules. On the monowall, there weren't any 1-to-many IP address translations, so NAT technically wasn't needed, just rules to allow IPs from one range to reach the other. Basically, the LAN interface had free rein on the WAN interface. The WAN interface had to be allowed on a per-IP/per-port basis.

          I'm assuming the main difference is that monowall uses iptables and pfSense uses PF and that PF is more strict about traffic flow. Or at least pfSense has a stricter implementation of PF than monowall's implementation of iptables. I honestly don't know. I was just tripped up by that difference there. Disabling NAT fixed it.

          Thank you for your help, johnpoz.

          • johnpoz LAYER 8 Global Moderator

            Where did you get the idea that m0n0wall uses iptables? m0n0wall is based upon FreeBSD; there are 3 firewalls that FreeBSD could use: pf, ipfilter or ipfw. I am not 100% sure but would assume m0n0 uses pf just like pfsense.

            pfsense is a fork of m0n0wall.

            If you're wanting to use a wan sort of interface internally to route/firewall traffic on your local network with pfsense or m0n0wall, then yeah, you wouldn't want to nat normally. I am fairly sure out of the box m0n0wall has nat enabled as well. But it's been a long time since I played with it. Maybe it asks you during install? I know pfsense out of the box asks for a wan interface and then you set up a lan interface, and it would nat between those for you. If you don't want to do that you would have to disable the nat after the setup.

            Glad you got it all sorted it seems like.

            • stephenw10 Netgate Administrator

              Pretty sure m0n0wall uses ipfilter. Moving to pf was one of the original reasons for the fork if I recall.

              Steve

              http://m0n0.ch/wall/facts.php

              • Derelict LAYER 8 Netgate

                Turn off NAT. Firewall > NAT, set manual outbound and disable all the rules.

                Make an alias for the IP addresses on 192.168.2.x that can access 192.168.15.0/24. I'll call it pass_hosts.

                As you stated, pass rules on LAN should be covered by the default LAN to any rule.

                On WAN do something like this:

                pass ip any source pass_hosts dest LAN net
                reject ip any source WAN net dest LAN net

                If you want them to get to the internet add:
                pass ip any source WAN net dest any

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

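The steps in the reply above (outbound NAT disabled, a pass_hosts alias, three WAN rules in that order), written out as a pf.conf fragment so the ordering and the no-NAT point are visible in one place. This is an added illustration, not the ruleset pfSense generates from the GUI, and it was not posted by anyone in the thread; the interface names em0/em1 and the member addresses of pass_hosts are assumptions. pfSense evaluates GUI rules top-down with first match winning, which is what the `quick` keyword on every rule reproduces here (plain pf without `quick` is last-match). Two caveats a practitioner hits with this exact layout: the WAN interface option "Block private networks", which pfSense enables on WAN by default, has to be unchecked because 192.168.2.0/24 is an RFC 1918 source, and with NAT disabled the 192.168.2.x side (the Catalyst, or the hosts themselves) needs a route for 192.168.15.0/24 pointing at pfSense's WAN address, since replies no longer go back to a translated WAN IP.

```pf
# Added example: pf.conf equivalent of the GUI rules described in the thread.
# Assumptions: em0 is the pfSense "WAN" plugged into 192.168.2.0/24, em1 is the
# "LAN" on 192.168.15.0/24, and pass_hosts holds the permitted 192.168.2.x addresses.
wan_if  = "em0"
lan_if  = "em1"
wan_net = "192.168.2.0/24"
lan_net = "192.168.15.0/24"

# The "pass_hosts" alias. Aliases become pf tables; a /27 keeps the entry count
# down the way the original poster wanted. Addresses are placeholders.
table <pass_hosts> const { 192.168.2.10, 192.168.2.20, 192.168.2.64/27 }

set skip on lo0

# Deliberately no "nat on $wan_if ..." line. That is the "Firewall > NAT, manual
# outbound, disable all the rules" step: pf then routes between the two subnets
# without rewriting source addresses, so the 192.168.2.x side must know a route
# to 192.168.15.0/24 via this box's em0 address.

# LAN: the default "LAN net to any" rule.
pass in quick on $lan_if inet from $lan_net to any keep state

# WAN, in the order the reply gives them. Every rule is "quick", so the first
# match wins exactly like the GUI list, and ordering is what makes this work:
#   1. allow only the alias members into LAN net
#   2. reject everything else from WAN net into LAN net ("reject" in the GUI
#      is "block return" in pf, so the sender gets an RST/unreachable)
#   3. let the rest of WAN net reach anything else, e.g. the internet
pass in quick on $wan_if inet from <pass_hosts> to $lan_net keep state
block return in quick on $wan_if inet from $wan_net to $lan_net
pass in quick on $wan_if inet from $wan_net to any keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and confirm that a host outside the alias is refused rather than silently dropped (a reset or ICMP unreachable comes back) while an alias member reaches 192.168.15.x. If rules 2 and 3 are swapped, rule 3 matches first for every 192.168.2.x source and the alias restriction silently stops applying, which is the failure mode to test for after any edit to this list.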
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.