Traffic through OPT1 OPT2 OPT3



  • Hi,

    Fresh-born user here.

    I've installed PF on an HP thin client and added some VLANs on an add-on card.

    On these I attached some OPT numbers: OPT1 for guest objects, another (OPT2) for neighbors and one for servers (OPT3).

    Whenever I first block . to . on OPT2 that works, and adding an allow to the gateway (on OPT2) for DNS also works.
    But now I want, for example, to block ping on OPT2 to my OPT3 and allow it to the Internet. How do I make such a rule?

    I can only make it work if I allow destination *… I've seen this in text-based FWs as destination ETH0=allow.
    I think the same applies for HTTP traffic; I don't want my neighbors to surf my internal servers.

    Thanks,
    Martijn



  • Actually, I just found a way:

    Just start with a rule to block the ping to the denied segment and then a rule to allow it to all.

    Is this the way? It means that if I add a new segment I have to add block rules on all the previous segments.

    Thanks again,

    Martijn


  • LAYER 8 Netgate

    Yes.  Or maintain an alias of local networks and block to that.  2.2 is going to maintain this alias automatically.

    Something like this on OPT1 will protect LAN and pfSense admin (webGUI, ssh) from users on OPT1:

    Pass ICMP from OPT1 net to OPT1 address
    Pass TCP/UDP DNS from OPT1 net to OPT1 address
    Block/Reject any from OPT1 net to OPT1 address
    Block/Reject any from OPT1 net to LAN net
    Block/Reject any from OPT1 net to WAN address
    Pass any from OPT1 net to any



  • Terrific!

    Totally clear. Especially with the aliases.

    I made a few DMZs (DMZ11, DMZ12, DMZ13, etc.) and for every segment an alias (NOT11, NOT12, NOT13) to rule out the other segment(s)!

    Much thanks Derelict!


  • LAYER 8 Netgate

    You can do it with one alias.  Say you have this:

    LAN net 192.168.1.1/24
    OPT1 net 192.168.2.1/24
    OPT2 net 192.168.3.1/24

    Then an alias Local Nets:

    192.168.1.0/24
    192.168.2.0/24
    192.168.3.0/24

    The rule set example I gave was:

    Pass ICMP from OPT1 net to OPT1 address
    Pass TCP/UDP DNS from OPT1 net to OPT1 address
    Block/Reject any from OPT1 net to OPT1 address
    Block/Reject any from OPT1 net to LAN net
    Block/Reject any from OPT1 net to WAN address
    Pass any from OPT1 net to any

    If that was instead:

    Pass ICMP from OPT1 net to OPT1 address
    Pass TCP/UDP DNS from OPT1 net to OPT1 address
    Block/Reject any from OPT1 net to Local Nets
    Block/Reject any from OPT1 net to WAN address
    Pass any from OPT1 net to any

    It would work just the same.  You could apply this rule to all LAN interfaces (with the source adjusted to that interface, of course):

    Block/Reject any from OPT1 net to Local Nets

    As long as you have pass rules for everything local (like ping, DNS, etc.) then it doesn't matter if the block rule contains the network of the interface it's on, because there is no proper reason to be processing traffic coming in an interface for that interface's subnet.  And when you add a subnet you only have to change one alias no matter how many subnets/interfaces you have.
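The following is an added example, not code from the thread or from pfSense: a small first-match simulator for the OPT1 rule set above (both the per-interface version and the "Local Nets" alias version reduce to the same evaluation), so you can check what a guest host on OPT1 can reach before committing the rules in the GUI. The three interface addresses are the ones from the thread; the WAN address, the sample flows and the new 192.168.4.0/24 segment are constructed for the demo, and the matcher is deliberately simple (no state table, no direction, no anti-lockout rule).

```python
import ipaddress

# Constructed topology: LAN/OPT1/OPT2 addresses are from the thread,
# the WAN address is a placeholder from the documentation range.
IFACES = {
    "LAN":  ipaddress.ip_interface("192.168.1.1/24"),
    "OPT1": ipaddress.ip_interface("192.168.2.1/24"),
    "OPT2": ipaddress.ip_interface("192.168.3.1/24"),
    "WAN":  ipaddress.ip_interface("203.0.113.10/24"),  # placeholder
}

ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip):
    """Single-host network, i.e. 'OPT1 address' / 'WAN address' in the GUI."""
    return ipaddress.ip_network(f"{ip}/32")


def local_nets_alias(*cidrs):
    """The 'Local Nets' alias: one entry per internal subnet.
    Adding a segment means adding one CIDR here and nothing else."""
    return [ipaddress.ip_network(c) for c in cidrs]


def opt1_rules(local_nets):
    """Derelict's alias-based rule set, top to bottom as entered on the OPT1 tab.
    Each rule: (action, protocol, source net, destination nets, destination port)."""
    net, addr = IFACES["OPT1"].network, IFACES["OPT1"].ip
    return [
        ("pass",  "icmp",    net, [host(addr)],             None),
        ("pass",  "tcp/udp", net, [host(addr)],             53),
        ("block", "any",     net, local_nets,               None),
        ("block", "any",     net, [host(IFACES["WAN"].ip)], None),
        ("pass",  "any",     net, [ANY],                    None),
    ]


def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins, as on a pfSense interface tab.
    No match at all falls through to the implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdsts, rport in rules:
        if rproto != "any" and proto not in rproto.split("/"):
            continue
        if src_ip not in rsrc:
            continue
        if not any(dst_ip in n for n in rdsts):
            continue
        if rport is not None and dport != rport:
            continue
        return action
    return "block"


if __name__ == "__main__":
    rules = opt1_rules(local_nets_alias("192.168.1.0/24",
                                        "192.168.2.0/24",
                                        "192.168.3.0/24"))
    guest = "192.168.2.50"  # constructed guest host on OPT1
    for desc, args in [
        ("ping OPT2 host",        ("icmp", guest, "192.168.3.20")),
        ("ping Internet host",    ("icmp", guest, "198.51.100.7")),
        ("DNS to OPT1 gateway",   ("udp",  guest, "192.168.2.1", 53)),
        ("HTTPS to OPT1 gateway", ("tcp",  guest, "192.168.2.1", 443)),
        ("HTTP to LAN server",    ("tcp",  guest, "192.168.1.10", 80)),
    ]:
        print(f"{desc:24s} -> {evaluate(rules, *args)}")
```

The HTTPS-to-gateway case is the point made above: the block rule's destination alias contains OPT1's own subnet, and that is harmless because the only traffic to the interface address you want (ping, DNS) is passed by the rules placed before it.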

