Make PfSense firewall as a normal router firewall?
-
Hey PfSense Community.
I have PfSense up and running with many VLANs, but I have a firewall question. Right now my rules look like this.
ID  Proto         Source     Port  Destination  Port          Gateway  Queue  Schedule  Description
    IPv4 TCP/UDP  VLAN5 net  *     *            53 (DNS)      *        none
    IPv4 TCP/UDP  VLAN5 net  *     *            21 (FTP)      *        none
    IPv4 TCP/UDP  VLAN5 net  *     *            80 (HTTP)     *        none
    IPv4 TCP/UDP  VLAN5 net  *     *            443 (HTTPS)   *        none
    IPv4 TCP/UDP  VLAN5 net  *     *            143 (IMAP)    *        none
    IPv4 TCP/UDP  VLAN5 net  *     *            993 (IMAP/S)  *        none
    IPv4 TCP/UDP  VLAN5 net  *     *            22 (SSH)      *        none
    IPv4 TCP/UDP  VLAN5 net  *     *            110 (POP3)    *        none
    IPv4 TCP/UDP  VLAN5 net  *     *            995 (POP3/S)  *        none
    IPv4 TCP/UDP  VLAN5 net  *     *            25 (SMTP)     *        none
    IPv4 TCP/UDP  VLAN5 net  *     *            465 (SMTP/S)  *        none

But I'm looking for a solution like a normal router, where port 80 is blocked outside -> inside and opens up when inside -> outside, and can return data when this connection is made. So it actually works as a normal router.
-
A normal router doesn't block anything; it routes it.
PfSense works like a normal firewall in default configuration. The WAN tab on the firewall controls traffic out>in, and blocks everything unless you allow it. The LAN tab controls in>out traffic, and by default allows machines on the LAN subnet to initiate traffic to external sites, and allows the return of established traffic.
If you have set up your rules in a non-standard way, then sure, it isn't going to act like a 'normal' firewall.
-
Block port 80 where the destination is your public IP?
-
A normal router doesn't block anything; it routes it.
PfSense works like a normal firewall in default configuration. The WAN tab on the firewall controls traffic out>in, and blocks everything unless you allow it. The LAN tab controls in>out traffic, and by default allows machines on the LAN subnet to initiate traffic to external sites, and allows the return of established traffic.
If you have set up your rules in a non-standard way, then sure, it isn't going to act like a 'normal' firewall.

If I have no rules set on the LAN traffic, nothing works. I haven't made any non-standard rules.
-
Dude, are you trying to block your clients from going out to the internet or other VLANs with 80?? You have clearly allowed it:
IPv4 TCP/UDP  VLAN5 net  *  *  80 (HTTP)  *  none
What are your WAN rules? As already stated, out of the box pfsense blocks ALL inbound unsolicited to its WAN. If it is being allowed, then you must have allowed it, plain and simple.
Please post up your WAN and LAN rules and how exactly you are wired. You show VLANs; are you running pfsense with only 1 physical NIC? etc.
-
You don't actually have standard rules. The default rules are nothing on the WAN tab (incoming traffic), and a rule on the LAN tab to let the LAN subnet out on any port (outbound traffic from LAN). If you are setting up a bunch of LAN-like VLAN interfaces, you would add rules duplicating the default LAN rule on your VLAN interfaces.
-
Okay, I think I understand now.
My main problem is: if I open
IPv4 TCP/UDP  VLAN5 net  *  *  80 (HTTP)  *  none
on every VLAN, VLAN10 is then able to reach VLAN5 on this port. But I want to close each VLAN down so they can't access each other but still have access to the internet?
-
Then do something like this.
See my ! locals; this says NOT these networks. And my alias lists my local networks (yours would be your VLANs). So this rule says: hey, you can go anywhere you want, as long as it's not the other network segments.
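The "! locals" approach above, written out as a pf.conf fragment so the ordering is visible (added example, not from this thread or from pfSense's own generated config; pfSense writes the equivalent from the GUI rules). Interface names igb0 / igb0.5 / igb0.10 and the two /24 subnets are assumed. It also includes the check a practitioner wants: the firewall's own VLAN address sits inside the "locals" alias, so DNS to it must be allowed before the "! locals" rule or name resolution breaks.

```pf
# Assumed interfaces: WAN = igb0, VLAN5 = igb0.5, VLAN10 = igb0.10
# Assumed subnets:   VLAN5 = 192.168.5.0/24, VLAN10 = 192.168.10.0/24
# The "locals" alias from the post: every internal segment this box fronts.
table <locals> const { 192.168.5.0/24, 192.168.10.0/24 }

# WAN: the out-of-the-box behaviour described in the thread. Nothing
# unsolicited gets in; replies to inside-initiated flows are matched by the
# state table before any rule is consulted, which is the "return data" case.
block in log quick on igb0 all

# VLAN5, evaluated top-down, first "quick" match wins.
# 1. Clients resolve names against the firewall's VLAN5 address. That address
#    is inside <locals>, so it needs its own allow ahead of the "! locals" rule.
pass in quick on igb0.5 proto { tcp, udp } from igb0.5:network to (igb0.5) port 53 keep state
# 2. Anywhere that is NOT another local segment, i.e. the internet.
pass in quick on igb0.5 inet from igb0.5:network to ! <locals> keep state
# 3. Whatever is left from VLAN5 is the other VLANs: drop and log it.
block in log quick on igb0.5 all

# VLAN10: same shape, duplicated per VLAN as the earlier reply suggests.
pass in quick on igb0.10 proto { tcp, udp } from igb0.10:network to (igb0.10) port 53 keep state
pass in quick on igb0.10 inet from igb0.10:network to ! <locals> keep state
block in log quick on igb0.10 all
```

With this in place VLAN10 -> 192.168.5.x:80 hits rule 3 and is logged, while VLAN10 -> any public address:80 hits rule 2 and its reply comes back via state; `pfctl -nf <file>` parses the fragment without loading it.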
-
Ok Mr john pox…
This would work on a standard LAN, e.g. 192.168.100.1/24 single LAN.
Keeping LAN users basically from seeing other local users at the current time they are online?
-
Dude, you cannot keep LAN users from talking to each other; pfsense is not even in the mix when LAN users are talking to each other. But you can keep different LAN segments from talking to each other, i.e. your wireless from talking to your wired, or your DMZ from talking to either your wired or WLAN, etc.
Who do you not want talking to each other?
-
Ok… We want users to have inbound outbound to web only as a "Hot Spot" application.
-
Yeah, what does that have to do with users talking to each other? You want client isolation, i.e. all users on 192.168.x.0/24 kept from talking to each other, that are wired??
So for example pfsense is 192.168.1.1, and client A is 192.168.1.2 with gateway of 192.168.1.1 (pfsense) and DNS of pfsense 192.168.1.1 as well… And you have client B that is 192.168.1.3 with all the same settings. And you don't want 192.168.1.2 talking to 192.168.1.3??
And they are wired to some switch, or are they connected via wireless? Is pfsense the wireless AP, or is some other AP providing wireless that is connected to your 192.168.1.0/24 network?
edit: Dude, I just noticed you're not the OP. Create your own thread; your question has nothing to do with the OP's multi-segmented network.
-
Gee!!!! Sorry to Offend You!!!!
But the original thread is what started this thought and topic!! My Censorious Apologies to have Offended You!!
-
You didn't offend me. It's just that your request is not related to the OP topic in the slightest, from what I can make out.
-
"But I'm looking for a solution like a normal router, where port 80 is blocked outside -> inside and opens up when inside -> outside, and can return data when this connection is made. So it actually works as a normal router."
This is what I was basing my inquiries on!
-
From the original post…
We have been using pfsense for about ±3 years.
We have a small number of installs.
I have not been an active member of the forum.
Our past admin person for pfs has moved on.
I am tired of being 100% dependent on others that are of little integrity!
That is one reason I have taken to the forum to try to learn and catch up.
Been a while since I started on the IBM 029... first. So please understand I did ask in relation to what I had read.
That is the reason for this forum: to read, possibly glean, and respond, or even dream and imagine a possibility.
-
"Keeping LAN users basically from seeing other local users at the current time they are online?"
And how is one supposed to ascertain that from your above statement?
Out of the box pfsense blocks ALL inbound traffic (i.e. the OP's comment) and only allows inbound traffic that is in answer to what a client on the inside of pfsense requested.
If you want to block outbound traffic to specific ports, then block them.
The default rules allow all traffic outbound from the default LAN. If you want to only allow specific ports, then create allows for the ports you want, then create a block rule. But again, how does that have anything to do with your first statement?
The OP asked this:
"on every VLAN, VLAN10 is then able to reach VLAN5 on this port. But I want to close each VLAN down so they can't access each other but still have access to the internet?"
And I showed him how to accomplish that. Are you asking a question or trying to provide a solution to the OP? Because it's not clear. And it's not possible to block users on the same segment that is connected to pfsense from talking to each other, since pfsense is a gateway off that segment; it is not between every device on the network. Devices only talk to pfsense when they need to get off the segment, not when talking to other devices on the same segment. And the OP never even asked that question; he clearly has multiple segments, from his VLAN 5 and VLAN 10 comment.