Question about isolated LAN type networks



  • So I've been using pfSense for a while, and also other firewall products.

    I'm just wondering if there is a better way to satisfy the following scenario:

    I have 3 LAN segments that I want. Each should be isolated from each other but have full access to WAN in general.

    As you can only set one destination (which could be an alias, I suppose) or NOT destination. What I've found is that in order to deny access outbound from one LAN segment to another I have to create these NOT rules.

    Source: LAN1 --> Destination: Allow Any (NOT LAN2)
    Source: LAN1 --> Destination: Allow Any (NOT LAN3)

    and likewise for all the LAN2 and LAN3 segments. I suppose I could create one special alias of "NOT LAN1" networks, but that seems needlessly complex.

    This obviously will get way out of hand once LAN4 and LAN5 are added, and even worse if I was looking at blocking outbound by default and having several rules to only allow specific protocols (as each would need the NOT rules specified).

    There must be an easier way of doing this? One way would be having a special destination known as "Any External" and "Any Internal" so rules can specifically be created for external (or internal) access only (any except ranges defined on firewall for internal). Another way could be having destination Interface or using the idea of Zones that many firewalls use.

    Anyway, am I just doing this wrong? Is there an easier way when dealing with multiple isolated LAN networks?


  • Netgate

    I have created an alias called rfc_1918 containing the following:

    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16

    In my firewall rules I can then permit anything not rfc_1918 on an isolated guest network, etc.

    This works as long as all local networks are rfc1918 but will break down when IPv6 lets us throw NAT onto the ash heap where it belongs.

    I believe I read that 2.2 adds some automatic aliases that cover all local networks but I haven't looked at it.

    It gets a little cumbersome and requires special attention when adding new networks, but reject dest LAN net, reject dest OPT1 net, reject dest OPT2 net works.

    If you're really doing it like this:

    Source: LAN1 --> Destination: Allow Any (NOT LAN2)
    Source: LAN1 --> Destination: Allow Any (NOT LAN3)

    you need to reexamine your rules. Traffic in LAN1 dest LAN3 would be permitted by the first rule.
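
    The point made above about first-match rule ordering can be checked with a small simulator. This is an added example, not code from the thread or from pfSense; the three /24 networks and the WAN address are constructed samples, and the rfc_1918 alias is the one described in the reply.

```python
import ipaddress

# Constructed sample addressing (not from the thread): three RFC 1918 LAN segments.
LAN1 = ipaddress.ip_network("10.1.0.0/24")
LAN2 = ipaddress.ip_network("10.2.0.0/24")
LAN3 = ipaddress.ip_network("10.3.0.0/24")
ANY = [ipaddress.ip_network("0.0.0.0/0")]
# The rfc_1918 alias from the reply, as a list of networks.
RFC_1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation of one interface's ruleset.

    Each rule is (action, source_net, destination_alias, invert_destination).
    Falling off the end returns 'block', modelling the implicit default deny
    at the bottom of every pfSense interface ruleset.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, src_net, dst_alias, invert in rules:
        if src not in src_net:
            continue
        hit = any(dst in net for net in dst_alias)
        if invert:          # "NOT destination" flips the match
            hit = not hit
        if hit:
            return action
    return "block"


# Original poster's layout: two "allow any NOT ..." rules on the LAN1 interface.
NOT_RULES = [
    ("pass", LAN1, [LAN2], True),
    ("pass", LAN1, [LAN3], True),
]
# Reply's layout: reject each internal network first, then allow anything.
BLOCK_FIRST = [
    ("reject", LAN1, [LAN2], False),
    ("reject", LAN1, [LAN3], False),
    ("pass", LAN1, ANY, False),
]
# Reply's alias layout: a single rule that allows anything not in rfc_1918.
ALIAS_RULE = [("pass", LAN1, RFC_1918, True)]

if __name__ == "__main__":
    for name, rules in (("NOT rules", NOT_RULES), ("block first", BLOCK_FIRST),
                        ("rfc_1918 alias", ALIAS_RULE)):
        print(f"{name:15} LAN1->LAN3: {evaluate(rules, '10.1.0.10', '10.3.0.10'):6}"
              f" LAN1->WAN: {evaluate(rules, '10.1.0.10', '203.0.113.10')}")
```

    Running it shows the first layout passing LAN1 to LAN3 on its first rule, while the other two layouts only pass traffic leaving the internal ranges.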



  • Thanks.

    I can't remember why I didn't do this last time, but yes, having block rules for the networks you want and then you can use simple any to any rules etc.

    Sometimes all you need is a prompt to look at it differently. Thanks.