Netgate Discussion Forum

How to prevent access to management interface from WLAN and DMZ?

Firewalling
20 Posts 4 Posters 5.8k Views
KOM, last edited Oct 31, 2014, 5:27 PM

    Block rule on WLAN and DMZ is probably the easiest.  Just block them talking to LAN Address.

Ip Man, last edited Oct 31, 2014, 5:49 PM

      @KOM:

      Block rule on WLAN and DMZ is probably the easiest.  Just block them talking to LAN Address.

      It doesn't seem to work. On the DMZ interface I created a block rule (Source DMZ, Destination LAN Address). I'm still able to ping 192.168.3.1 from DMZ.

Derelict (LAYER 8 Netgate), last edited Oct 31, 2014, 6:19 PM

        That's because you didn't block access to DMZ Address - you blocked access to LAN address

        Here's what I might do:

        LAN 192.168.1.1/24
        WLAN 192.168.2.1/24
        DMZ 192.168.3.1/24

        Create a port alias called admin_ports.  Include tcp/80, tcp/443, tcp/22, and whatever you use.
        Create a network alias containing all your interface addresses, say:

        admin_addresses
        192.168.1.1/32
        192.168.2.1/32
        192.168.3.1/32

        Interface DMZ
        block source DMZ net dest admin_addresses ports admin_ports

        Don't forget your WAN address(es)
        block source DMZ net dest WAN address ports admin_ports

        Then pass whatever traffic you want.  For a DMZ you probably also want to block traffic to LAN and WLAN, so it would look something like this:

        Interface DMZ

        block source DMZ net dest admin_addresses ports admin_ports
        block source DMZ net dest WAN address ports admin_ports
        block source DMZ net dest LAN net port any
        block source DMZ net dest WLAN net port any
        pass any any any

        Note that LAN address is included in LAN net so some of these rules are somewhat redundant.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

Ip Man, last edited Oct 31, 2014, 7:00 PM

          @Derelict:

          That's because you didn't block access to DMZ Address - you blocked access to LAN address

          Here's what I might do:

          LAN 192.168.1.1/24
          WLAN 192.168.2.1/24
          DMZ 192.168.3.1/24

          Create a port alias called admin_ports.  Include tcp/80, tcp/443, tcp/22, and whatever you use.
          Create a network alias containing all your interface addresses, say:

          admin_addresses
          192.168.1.1/32
          192.168.2.1/32
          192.168.3.1/32

          Interface DMZ
          block source DMZ net dest admin_addresses ports admin_ports

          Don't forget your WAN address(es)
          block source DMZ net dest WAN address ports admin_ports

          Then pass whatever traffic you want.  For a DMZ you probably also want to block traffic to LAN and WLAN, so it would look something like this:

          Interface DMZ

          block source DMZ net dest admin_addresses ports admin_ports
          block source DMZ net dest WAN address ports admin_ports
          block source DMZ net dest LAN net port any
          block source DMZ net dest WLAN net port any
          pass any any any

          Note that LAN address is included in LAN net so some of these rules are somewhat redundant.

          Looks like a good solution to the problem. I have created the aliases, but when I try
          "Interface DMZ
          block source DMZ net dest admin_addresses ports admin_ports"
          I find no option to specify the ports. I use "Single host or alias" but I can find no place to fill in the alias for the ports.

Derelict (LAYER 8 Netgate), last edited Oct 31, 2014, 7:12 PM

            Change the port to other and put an alias in the box.

Ip Man, last edited Oct 31, 2014, 7:19 PM

              @Derelict:

              Change the port to other and put an alias in the box.

              I'm sorry. I can't find that box. In the "destination" field I have;

              any
              Single host or alias
              PPTP clients
              PPPoE clients
              L2TP clients
              WAN net
              WAN address
              LAN net
              LAN address
              DMZ net
              DMZ address

              Strange….

Derelict (LAYER 8 Netgate), last edited Oct 31, 2014, 7:21 PM

                No. In the port.  Select other and you can type an alias in the box to the right.

Ip Man, last edited Oct 31, 2014, 7:29 PM

                  @Derelict:

                  No. In the port.  Select other and you can type an alias in the box to the right.

                  Under the "Destination" field there is a "Log" field. I search like crazy for a "Port" field but I'm unable to find it. Something is wrong. I'm doing this on the DMZ interface. Hmm…

Derelict (LAYER 8 Netgate), last edited Oct 31, 2014, 7:36 PM

                    Sorry.  You have to set the protocol to TCP.

Ip Man, last edited Oct 31, 2014, 7:37 PM

                      @Derelict:

                      No. In the port.  Select other and you can type an alias in the box to the right.

                      Wait! "Destination port range" appeared when I selected TCP under Protocol. Is TCP correct?

Ip Man, last edited Oct 31, 2014, 7:39 PM

                        @Derelict:

                        Sorry.  You have to set the protocol to TCP.

                        Ok, I found out by myself  :)

Ip Man, last edited Oct 31, 2014, 7:52 PM

                          It looks like it is working. I did the same on the WLAN interface. I can ping 192.168.2.1 from WLAN but I can't access the management interface. Is this enough to prevent access? Can other ports than I specified in "admin ports" (80, 443, 22) be used to access the management interface?

Derelict (LAYER 8 Netgate), last edited Oct 31, 2014, 9:14 PM

                            No.  It listens on tcp/443 unless you change it.

                            It also redirects from http://:80 to https://:443 unless you disable it.

                            SSH listens on 22 if you enable it and don't change the port.

                            If you're concerned about more than the management interface, then forget about blocking to the admin_ports and, instead, pass what you want (like ICMP and DNS) and block everything else.

                            Like:

                            pass TCP/UDP source DMZ net dest admin_addresses port 53 #Allow DNS
                            pass ICMP source DMZ net dest admin_addresses  # Allow pings to DMZ address
                            pass ICMP source DMZ net dest WAN Address # Allow pings to WAN address
                            block any source DMZ net dest admin_addresses any #Block everything else to DMZ address
                            block any source DMZ net dest WAN address any # Block everything else to WAN address
                            pass any any any any #Pass everything else.

Ip Man, last edited Oct 31, 2014, 9:33 PM

                              @Derelict:

                              No.  It listens on tcp/443 unless you change it.

                              It also redirects from http://:80 to https://:443 unless you disable it.

                              SSH listens on 22 if you enable it and don't change the port.

                              If you're concerned about more than the management interface, then forget about blocking to the admin_ports and, instead, pass what you want (like ICMP and DNS) and block everything else.

                              Like:

                              pass TCP/UDP source DMZ net dest admin_addresses port 53 #Allow DNS
                              pass ICMP source DMZ net dest admin_addresses  # Allow pings to DMZ address
                              pass ICMP source DMZ net dest WAN Address # Allow pings to WAN address
                              block any source DMZ net dest admin_addresses any #Block everything else to DMZ address
                              block any source DMZ net dest WAN address any # Block everything else to WAN address
                              pass any any any any #Pass everything else.

                              Thanks for helping me! I use the block rules you mentioned before to isolate WLAN and DMZ; the only weakness I'm aware of was the exposed management interfaces. What about IPv6? Do I have to make separate block rules for that as well?

Derelict (LAYER 8 Netgate), last edited Oct 31, 2014, 9:48 PM

                                Yes.  Here are the caveats for creating single rules for both IPv4+IPv6:

                                  • You can not assign a gateway to a rule that applies to IPv4 and IPv6
                                  • You can not assign a protocol other than ICMP, TCP, UDP or TCP/UDP to a rule that applies to IPv4 and IPv6

                                That protocol caveat means no "any".

                                Looks like you might be able to change some of them to cover both stacks.

Ip Man, last edited Nov 1, 2014, 5:35 AM

                                  @Derelict:

                                  Don't forget your WAN address(es)
                                  block source DMZ net dest WAN address ports admin_ports

                                  For some reason I did not consider access to management interface from DMZ -> WAN at all. Is that even possible?

Derelict (LAYER 8 Netgate), last edited Nov 1, 2014, 6:45 AM

                                    Yes.  It's easily overlooked.

jimp (Rebel Alliance Developer, Netgate), last edited Nov 5, 2014, 5:25 PM

                                      @Ip:

                                      @Derelict:

                                      Don't forget your WAN address(es)
                                      block source DMZ net dest WAN address ports admin_ports

                                      For some reason I did not consider access to management interface from DMZ -> WAN at all. Is that even possible?

                                      @Derelict:

                                      Yes.  It's easily overlooked.

                                      On 2.2 this is easier as you can have a rule that has "(self)" as a target which is an internal pf Macro that means "any IP address on the firewall"

                                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                      Need help fast? Netgate Global Support!

                                      Do not Chat/PM for help!

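The three rule sets discussed above (Ip Man's first "block DMZ to LAN address" rule, Derelict's deny-list that blocks admin_ports to every firewall address, and Derelict's allow-list that passes DNS and ICMP and blocks the rest) replayed against sample packets in an added Python example. This is not code from the thread or from pfSense. It assumes pfSense-style evaluation (rules checked on the interface the traffic enters, top to bottom, first match wins, unmatched traffic dropped), uses the thread's 192.168.x.0/24 subnets and aliases, and makes up the WAN address 203.0.113.10 and a DMZ host 192.168.3.50 for the probes.

```python
"""Added example: a minimal first-match simulator for pfSense-style
interface rules, replaying the DMZ rule sets from the thread.

Assumptions: top-to-bottom first-match evaluation with an implicit default
deny; subnets as in the thread; WAN address 203.0.113.10 and DMZ host
192.168.3.50 are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Address aliases: Derelict's admin_addresses plus the interface-specific
# names the pfSense rule editor offers (LAN address, DMZ address, ...).
ALIASES = {
    "any":             ["0.0.0.0/0"],
    "LAN net":         ["192.168.1.0/24"],
    "WLAN net":        ["192.168.2.0/24"],
    "DMZ net":         ["192.168.3.0/24"],
    "LAN address":     ["192.168.1.1/32"],
    "DMZ address":     ["192.168.3.1/32"],
    "WAN address":     ["203.0.113.10/32"],   # constructed for the example
    "admin_addresses": ["192.168.1.1/32", "192.168.2.1/32", "192.168.3.1/32"],
}
PORT_ALIASES = {"admin_ports": {80, 443, 22}}


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    proto: str                        # "any", "tcp", "udp", "tcp/udp", "icmp"
    src: str                          # address alias name
    dst: str                          # address alias name
    dport: Union[str, int] = "any"    # "any", a port number, or a port alias name


def _addr_in(ip: str, alias: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ALIASES[alias])


def _proto_ok(rule_proto: str, proto: str) -> bool:
    if rule_proto == "any":
        return True
    if rule_proto == "tcp/udp":
        return proto in ("tcp", "udp")
    return rule_proto == proto


def _port_ok(rule_port: Union[str, int], dport: Optional[int]) -> bool:
    # Only TCP/UDP rules carry a port (the GUI hides the field otherwise),
    # so an ICMP packet never gets past the protocol check of such a rule.
    if rule_port == "any":
        return True
    if isinstance(rule_port, int):
        return dport == rule_port
    return dport in PORT_ALIASES[rule_port]


def evaluate(rules, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Action of the first matching rule; no match means the implicit default deny."""
    for r in rules:
        if (_proto_ok(r.proto, proto) and _addr_in(src, r.src)
                and _addr_in(dst, r.dst) and _port_ok(r.dport, dport)):
            return r.action
    return "block"


def open_ports(rules, src: str, dst: str, ports) -> set:
    """Which of `ports` a TCP client at `src` can still reach on `dst`."""
    return {p for p in ports if evaluate(rules, "tcp", src, dst, p) == "pass"}


# Ip Man's first rule: 192.168.3.1 is the DMZ address, not the LAN address,
# so this never matches traffic to the DMZ interface.
FIRST_ATTEMPT = [
    Rule("block", "any", "DMZ net", "LAN address"),
    Rule("pass", "any", "DMZ net", "any"),
]

# Derelict's deny-list version (DMZ interface).
DMZ_BLOCKLIST = [
    Rule("block", "tcp", "DMZ net", "admin_addresses", "admin_ports"),
    Rule("block", "tcp", "DMZ net", "WAN address", "admin_ports"),
    Rule("block", "any", "DMZ net", "LAN net"),
    Rule("block", "any", "DMZ net", "WLAN net"),
    Rule("pass", "any", "DMZ net", "any"),
]

# Derelict's allow-list version: pass DNS and ICMP to the firewall, block
# everything else aimed at the firewall's own addresses, then pass the rest.
DMZ_ALLOWLIST = [
    Rule("pass", "tcp/udp", "DMZ net", "admin_addresses", 53),
    Rule("pass", "icmp", "DMZ net", "admin_addresses"),
    Rule("pass", "icmp", "DMZ net", "WAN address"),
    Rule("block", "any", "DMZ net", "admin_addresses"),
    Rule("block", "any", "DMZ net", "WAN address"),
    Rule("pass", "any", "DMZ net", "any"),
]

if __name__ == "__main__":
    probe = [80, 443, 22, 8443]   # 8443: a GUI moved off 443 that admin_ports misses
    for name, rs in [("first attempt", FIRST_ATTEMPT),
                     ("deny list", DMZ_BLOCKLIST), ("allow list", DMZ_ALLOWLIST)]:
        dmz = sorted(open_ports(rs, "192.168.3.50", "192.168.3.1", probe))
        wan = sorted(open_ports(rs, "192.168.3.50", "203.0.113.10", probe))
        print(f"{name:14} open to DMZ address: {dmz}  open to WAN address: {wan}")
```

Running it shows the first attempt leaving every probe port open on 192.168.3.1, the deny-list closing 80/443/22 on both the DMZ and WAN addresses but leaving 8443 (anything not in admin_ports) open, and the allow-list closing all four while still passing DNS and ping. Note that the allow-list as posted does not include the earlier `block ... LAN net` / `WLAN net` rules, so DMZ hosts can still reach LAN hosts under it; keep those two rules if isolation is the goal. On 2.2 the `(self)` target jimp mentions stands in for admin_addresses plus WAN address in one rule.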
Ip Man, last edited Nov 5, 2014, 9:19 PM

                                        @jimp:

                                        @Ip:

                                        @Derelict:

                                        Don't forget your WAN address(es)
                                        block source DMZ net dest WAN address ports admin_ports

                                        For some reason I did not consider access to management interface from DMZ -> WAN at all. Is that even possible?

                                        @Derelict:

                                        Yes.  It's easily overlooked.

                                        On 2.2 this is easier as you can have a rule that has "(self)" as a target which is an internal pf Macro that means "any IP address on the firewall"

                                        Good to know. I'm looking forward to 2.2 and the new book :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.