Multiple LAN Firewalling



  • I realize this is an inherently stupid set of questions, but I can't beat my head against a wall any longer..

    I'm trying to segregate off lans, only allowing certain communication between them (they're in different vLANs). I understand that the firewall is a default deny, that's as it should be. But I have a few questions that I can't seem to get straight results for (likely due to my lack of understanding of how the WebUI)

    Each LAN should have the equivalent of iptables -A INPUT -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT
    This will allow me to block incoming on each lan, and default allow all outbound to the internet (each lan should have access)

    How do I go about this? Here are the rules I've been playing with so far.
    ![Screen Shot 2014-07-04 at 11.59.12 AM.png](/public/imported_attachments/1/Screen Shot 2014-07-04 at 11.59.12 AM.png)
    ![Screen Shot 2014-07-04 at 11.59.12 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2014-07-04 at 11.59.12 AM.png_thumb)
    ![Screen Shot 2014-07-04 at 11.59.24 AM.png](/public/imported_attachments/1/Screen Shot 2014-07-04 at 11.59.24 AM.png)
    ![Screen Shot 2014-07-04 at 11.59.24 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2014-07-04 at 11.59.24 AM.png_thumb)



  • I don't know if this helps any, but the really basic concept that I didn't get when I was first configuring pfSense is that rules are for each port. IOW, IN to LAN means into the LAN port itself, as in the data flowing into the LAN port - I'm not trying to belittle you, I'm just trying to put it in ways that would have helped me understand when I was thinking of everything backwards.

    I never got good enough with iptables to know what that statement accomplishes, but the rules I set up for firewalling LAN1 from LAN2 are block any IPV4 to LAN1 net and block any IPV6 to any LAN1 net. Any exceptions (like SMTP APCPUSD, SSH, etc), just insert the exception rule above the deny rule (rules are processed top to bottom).



  • No worries, I appreciate your clarification. I know/knew all of that, but I think needed to hear it one more time to have it make sense.

    The unsolved issue I still have however is that iptables rule. It basically allows all outbound connections to the internet, which for some reason, the interfaces do not allow by default (specifically, it's a connection tracking rule - it allows all outbound connections and lets packets back in if they're related to, or part of an already established stream). How do I make this happen in pfSense - is driving me crazy :C


  • Rebel Alliance

    By default LAN allows that, with the (default) "Allow LAN to ANY " Rule… IN "OPT" Type interfaces you must create that rule, since all outbound traffic is Blocked by default.



  • @ptt:

    By default LAN allows that, with the (default) "Allow LAN to ANY " Rule… IN "OPT" Type interfaces you must create that rule, since all outbound traffic is Blocked by default.

    Yea, that's making sense now. Overthinking fail. Now I'm puzzled as to why this rule is not working… From a box on my LAN, I can successfully ping a host on my SIP network, which from the screenshot, I believe I should not be able to do. What am I missing her...

    ![Screenshot from 2014-07-06 11:38:31.png](/public/imported_attachments/1/Screenshot from 2014-07-06 11:38:31.png)
    ![Screenshot from 2014-07-06 11:38:31.png_thumb](/public/imported_attachments/1/Screenshot from 2014-07-06 11:38:31.png_thumb)


  • Rebel Alliance

    If you want to Block traffic from the "LAN Net" to the "SIP Net"  you must create the "Block Rule" in the LAN interface Tab ;)

    The "Block all from LAN" Rule is useless in "SIP" it Must be in "LAN"

    "Normal" (not Floating) FW Rules are applied "on ingress" and are "evaluated/processed" from Top to Bottom, and "First Match wins"



  • @ptt:

    If you want to Block traffic from the "LAN Net" to the "SIP Net"  you must create the "Block Rule" in the LAN interface Tab ;)

    The "Block all from LAN" Rule is useless in "SIP" it Must be in "LAN"

    FW Rules are applied "on ingress"

    Wat. I understand the first part, but wouldn't that be egress? If I have to block LAN->SIP traffic on my LAN interface, that's traffic that's leaving the LAN interface. Which seems very, very backwards.

    Just to clarify, this means that I cannot block on incoming traffic, only outgoing, correct?


  • Rebel Alliance

    You "Block or Pass" traffic that "ingress" to the interface with a "certain" destination



  • @ptt:

    You "Block or Pass" traffic that "ingress" to the interface with a "certain" destination

    Yes, I understand that. What I'm asking though is that if I want to drop traffic coming from my LAN network and going into my SIP network, why then am I blocking that traffic on my LAN interface? That would be egress filtring, not ingress. Ingress filtering would be applied by SIP network/interface (in this example).  :o

    I don't mean to come across as argumentative, but this is not making any sense to me what so ever (I'm a linux guy, not BSD, for what it's worth) :S  When I spin up firewall rules, they're blocked on the incoming interface, not outgoing.


  • Rebel Alliance

    To block traffic from a LAN host to a SIP host, you create the Rule on LAN, and that rule "Block" traffic that "ingress" from the LAN host to the LAN interface, and have the SIP host/network as destination



  • If I have to block LAN->SIP traffic on my LAN interface, that's traffic that's leaving the LAN interface

    Actually, that's traffic entering the LAN interface. ;)


  • Rebel Alliance


  • Rebel Alliance Global Moderator

    Why does this concept confuse so many users??  Place yourself in the firewall..  Look at your interfaces connected to you – if someone on lan wants to go to sip.  What is the first interface they hit?  Where do you want to stop the traffic?  That is the interface you place the rule

    Before you process the packet and then say oh wait that shouldn't go out the sip interface..  Or before it enters the firewall?

    Think of it this way - the interface connected to the source of the traffic is where you place the rule.  If you don't want lan going somewhere you put it on the lan interface, if you don't want boxes on the sip going somewhere then you place the rules on the sip interface.  If you want or don't want stuff from the internet to talk to your pfsense wan or stuff behind pfsense where would you put the rule?



  • Yea, it makes sense now, though it's somewhat of a pain IMO. I wound up having a chat with some friends earlier about this .. not sure why this was such a hassle for me to make sense of initially.

    It would be nice to see a way to add rules across multiple interfaces. The perk to doing it the other way is minimizing the rules you have to write. For example, if you've got five or six vlans that all need to be segregated, it's a hassle to have to (for each one), firewall off the others.


  • Rebel Alliance Global Moderator

    "It would be nice to see a way to add rules across multiple interfaces."

    Its called the floating tab.



  • So, for what it's worth, the issue that I wound up having was entirely mental. Firewalling isn't an inherently difficult concept, but the way that pfSense presents it is what threw me for a loop.

    Firewall Rules (not WAN or Floating)
    If you're a Linux person like me, you've likely used to iptables.

    Generally, you use the input chain for rudimentary firewalling because your boxes reside near an edge or are directly connected (at least, that's my use case). That being the case, it only makes sense to use input more heavily than output. So from that perspective, trying to firewall in pfsense makes next to zero sense/is confusing (I'm not talking about the floating tab or NAT rules).

    Given that the majority of my firewalling has been via iptables, the better way for me think about firewalling on pfsense is to think about it like I'm using the output chain. Your source will likely always be that an address on that network, with a destination being what ever.

    NAT Rules
    They work the same way as your input chain does

    Floating Rules
    Haven't had enough time to really play with them yet

    Hopefully this offers some clarity to someone.