Netgate Discussion Forum
    Traffic through OPT1 OPT2 OPT3

Firewalling
godfather007

      Hi,

Fresh-born user here.

I've installed PF on an HP thin-client and added some VLANs on an add-on card.

On these I attached some OPT numbers: OPT1 for guest objects, another (OPT2) for neighbors and one for servers (OPT3).

Whenever I first block . to . on OPT2, that works; adding an allow to the gateway (on OPT2) for DNS also works.
But now I want, for example, to block ping on OPT2 to my OPT3 and allow it to the Internet. How do I make such a rule?

I can only make it work if I allow destination *… I've seen this in text-based FWs as destination ETH0=allow.
I think the same applies to HTTP traffic; I don't want my neighbors to surf my internal servers.

      Thanks,
      Martijn

godfather007

Actually, I just found a way:

Just start with a rule to block the ping to the denied segment and then a rule to allow it to all.

Is this the way? It means that if I add a new segment I have to add block rules on all the previous segments.

        Thanks again,

        Martijn

Derelict (LAYER 8, Netgate)

Yes. Or maintain an alias of local networks and block to that. 2.2 is going to maintain this alias automatically.

          Something like this on OPT1 will protect LAN and pfSense admin (webGUI, ssh) from users on OPT1:

          Pass ICMP from OPT1 net to OPT1 address
          Pass TCP/UDP DNS from OPT1 net to OPT1 address
          Block/Reject any from OPT1 net to OPT1 address
          Block/Reject any from OPT1 net to LAN net
          Block/Reject any from OPT1 net to WAN address
          Pass any from OPT1 net to any

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

godfather007

            Terrific!

Totally clear. Especially with the aliases.

I made a few DMZs, DMZ11, DMZ12, DMZ13 etc., and for every segment an alias, NOT11, NOT12, NOT13, to rule out the other segment(s)!

            Much thanks Derelict!

Derelict (LAYER 8, Netgate)

You can do it with one alias. Say you have this:

              LAN net 192.168.1.1/24
              OPT1 net 192.168.2.1/24
              OPT2 net 192.168.3.1/24

              Then an alias Local Nets:

              192.168.1.0/24
              192.168.2.0/24
              192.168.3.0/24

              The rule set example I gave was:

              Pass ICMP from OPT1 net to OPT1 address
              Pass TCP/UDP DNS from OPT1 net to OPT1 address
              Block/Reject any from OPT1 net to OPT1 address
              Block/Reject any from OPT1 net to LAN net
              Block/Reject any from OPT1 net to WAN address
              Pass any from OPT1 net to any

              If that was instead:

              Pass ICMP from OPT1 net to OPT1 address
              Pass TCP/UDP DNS from OPT1 net to OPT1 address
              Block/Reject any from OPT1 net to Local Nets
              Block/Reject any from OPT1 net to WAN address
              Pass any from OPT1 net to any

It would work just the same. You could apply this rule to all LAN interfaces (with the source adjusted to that interface, of course):

              Block/Reject any from OPT1 net to Local Nets

As long as you have pass rules for everything local (like ping, DNS, etc.) then it doesn't matter if the block rule contains the network of the interface it's on, because there is no proper reason to be processing traffic coming in an interface for that interface's subnet. And when you add a subnet you only have to change one alias no matter how many subnets/interfaces you have.

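To make the first-match ordering concrete, here is a small Python model of the single-alias OPT1 rule set described above. This is an added example, not pfSense code or Derelict's own; the interface addresses, the WAN address 203.0.113.10 and the helper names are constructed assumptions.

```python
import ipaddress

# Constructed addressing that follows the reply's example: LAN .1, OPT1 .2, OPT2 .3.
IFACE_NET = {"LAN": "192.168.1.0/24", "OPT1": "192.168.2.0/24", "OPT2": "192.168.3.0/24"}
IFACE_ADDR = {"LAN": "192.168.1.1", "OPT1": "192.168.2.1", "OPT2": "192.168.3.1",
              "WAN": "203.0.113.10"}          # WAN address is a constructed placeholder
# The one alias to maintain: adding a new segment means adding one line here.
ALIASES = {"Local Nets": list(IFACE_NET.values())}

def dst_matches(dst, ip):
    """Resolve a pfSense-style destination token ('<IF> address', '<IF> net',
    an alias name, or 'any') to a match against the destination ip."""
    if dst == "any":
        return True
    if dst in ALIASES:
        return any(ip in ipaddress.ip_network(n) for n in ALIASES[dst])
    iface, kind = dst.split()
    if kind == "address":                       # the interface's own IP (webGUI, DNS)
        return ip == ipaddress.ip_address(IFACE_ADDR[iface])
    return ip in ipaddress.ip_network(IFACE_NET[iface])   # "<IF> net"

def evaluate(rules, proto, dst_ip, dport=None):
    """First matching rule wins, as on a pfSense interface tab; no match = block
    (the default deny). Source 'OPT1 net' is implied for every rule on that tab."""
    ip = ipaddress.ip_address(dst_ip)
    for action, rproto, dst, rport in rules:
        if rproto not in ("any", proto):
            continue
        if rport is not None and rport != dport:
            continue
        if dst_matches(dst, ip):
            return action
    return "block"

# Derelict's single-alias rule set for the OPT1 tab, top to bottom.
OPT1_RULES = [
    ("pass", "icmp", "OPT1 address", None),     # ping the gateway only
    ("pass", "udp", "OPT1 address", 53),        # DNS to the gateway
    ("pass", "tcp", "OPT1 address", 53),
    ("block", "any", "Local Nets", None),       # everything else local, incl. OPT1 address
    ("block", "any", "WAN address", None),
    ("pass", "any", "any", None),               # Internet
]

# The original poster's starting point: a single pass-any rule lets guests reach LAN.
PASS_ANY_ONLY = [("pass", "any", "any", None)]
```

Ping and DNS to the OPT1 gateway pass, ping to a LAN host and HTTP to an OPT2 server are blocked, and HTTP to the Internet passes; the same ping to a LAN host passes under the pass-any-only set, which is exactly the problem the thread starts from.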