How to block LAN traffic from going into WAN network, allowing gateway



  • I have a good understanding of this WAN/LAN setup – but I still do not understand Firewalls and VLANs.

    Here is what I have --  a cable modem going into a Tomato router. Router into a switch, then a long cable to the basement into a 24 port switch.

    From the Gigabit switch, I have it going to NIC#2 with vSphere.

    pfSense side --

    For WAN, I have a vSphere 'virtual' switch connecting to the physical NIC #2.
    For LAN, I have it going to another Virtual switch (separate from other) which hosts my VM.
    I need that VM completely isolated from my home LAN x.x.254.x  - 255.255.255.0 network.

    pfSense is using a WAN static IP address in the home LAN network.
    LAN is on the same subnet, but at a different network IP.

    It works -- everything is perfect.
    I can ping anyone, both networks, and in LAN.

    I do not want to be able to do that. I want the VM (in pfSense LAN) to have access to the WAN gateway ONLY, which is on the home LAN network. I want everything else -- such as VM to home LAN PCs -- blocked. From the 1.1 network to 254 network should be restricted, unless it is to the source of 254.x (gateway).

    I do not want him to be able to ping my laptop from the pfSense LAN to WAN.

    So, really, behind the pfSense LAN -- I want those devices to NOT be able to ping anything outside of its WAN (which is my home LAN) except gateway (which is in my home LAN).

    So I know it would be a 'not' rule. So block everything -- but 'NOT' 'gateway.IP.address.here'.

    Is this correct?

    Funny thing is - I can never ping a machine from my home LAN to the pfSense LAN VM -- but from the pfSense LAN VM I can ping to my laptop which is on my home LAN.
    I have no rules set, and Windows firewall is off.

    That is exactly what I want to be able to do but opposite. I don't want to be able to ping my home LAN laptop from the pfSense LAN VM.


  • Netgate

    I trust you also want to be able to get to all internet IPs, too.

    On your pfSense LAN interface do this:

    Pass any source LAN net dest your_gateway_address any
    Reject any source LAN net dest your_home_net any
    Pass any source LAN Net dest any any


  • Netgate

    @rowebil:

    Funny thing is - I can never ping a machine from my home LAN to the pfSense LAN VM – but from the pfSense LAN VM I can ping to my laptop which is on my home LAN.
    I have no rules set, and Windows firewall is off.

    That is because your home network looks like the WAN to pfSense.  There are no pass rules in from WAN by default.



  • So what do you mean for dest your_gateway_address any?

    I have pass through WAN - any protocol - source is LAN net – and now destination? Single host being my gateway address, OR 'any' destination. Also, is this a LAN rule or WAN? WAN right?

    Pass any source LAN Net dest any any
    Pass - protocol - source [LAN Net] - Destination [Any] - what is the second 'any'?

    I have
    pass - lan net source - destination gateway_IP_address
    reject lan net source - destination WAN net [or should it be something else?]
    pass - lan net source - destination any

    I tried it and it is still passing pfSense LAN VM to my home LAN laptop.
    I even tried to allow all WAN traffic and I can't ping pfSense LAN VM.
    Last time I installed, it worked - I could block my IP from it, and allow it. Now it doesn't seem like firewall rules are even working. I blocked everything, any any any any any on LAN and WAN and still pings and everything.

    Also, thanks for the reply. :)

    I guess the only way to figure this out is by doing what I've always done – just do it and learn what happens.


  • Netgate

    @rowebil:

    So what do you mean for dest your_gateway_address any?

    The IP address of the gateway to get out of your Home LAN.

    I have pass through WAN - any protocol - source is LAN net – and now destination? Single host being my gateway address, OR 'any' destination. Also, is this a LAN rule or WAN? WAN right?

    pfSense interface rules are for sessions started coming INTO the interface they are on.  So if you want rules regulating what your LAN clients can reach, you put them on LAN.  If you want rules regulating what WAN clients can reach, you put them on WAN.

    You want to prevent your pfSense LAN from reaching your home network.  But from pfSense's perspective, your home network is the WAN.  So what you really want to tell pfSense to do is allow access to the internet EXCEPT for one subnet.

    I have
    pass - lan net source - destination gateway_IP_address
    reject lan net source - destination WAN net [or should it be something else?]
    pass - lan net source - destination any

    I tried it and it is still passing pfSense LAN VM to my home LAN laptop.

    That's because you didn't do what I suggested you do.

    On Firewall->Rules->LAN

    Pass any source "LAN net" dest your_gateway_address any
    Reject any source "LAN net" dest your_home_net any
    Pass any source LAN Net dest any any

    You need to substitute the host address of the IP address on HOME net that pfSense should be able to talk to to get out to the internet.  You need to substitute your_home_net with the network you do NOT want your VMs to be able to access.

    I guess the only way to figure this out is by doing what I've always done – just do it and learn what happens.

    Not really.  As soon as you grasp a couple key concepts (like rules applying to connections coming INTO interfaces) it's actually pretty straightforward.



  • I did what you said lol.

    I understand my home LAN is pfSense WAN - I get that.

    I just asked what 'any' meant - and what you were using as a placeholder. After the destination, there is no 'any'. So I was wondering if the first any meant the protocol, or 'any source'.
    What you said compares to ordering at Starbucks. Quad Iced Venti 6 pump Vanilla Extra Hot Latte. Now I need to know the order – espresso, hot or cold, size, how many pumps of syrup, flavor of syrup, custom, type of drink.

    I'm sure I'd be able to understand the lingo, but there are too many 'anys' in pfSense in the order you mentioned.
    I understand what you said -- I want to allow gateway access, but disallow home LAN access. I tried it on my own, but it isn't working at all. So I thought I'd ask.

    On LAN tab, I have

    Pass source=LAN net - destination = gateway IP address
    reject source=lan net - destination =172.100.0.0 (home LAN network)
    pass - source=lan net - destination=any

    Now, should destination 'your_home_network' be the IP address (network IP, no host IP) OR use 'WAN Net'?


  • Netgate

    In your case you can probably use WAN net as the block destination as long as you're sure that's the only subnet you want to block.



  • Now what do I do to allow my home LAN IP (my laptop static IP) access to pfSense Configuration AND access to a VM through RDP? I don't mind home LAN to pfSense LAN, but I want pfSense LAN to Home LAN blocked.

    I also blocked the HTTP port to my gateway :)
    Now I just need to figure out how to allow my home LAN TO the VM, but not VM TO home LAN.

    It comes through the WAN interface, so is it there? I just allow RDP in WAN? So coming into WAN, allowed. Into LAN - destination out denied.
    OR would it still be LAN related, but just source and destination switched?

    ----

    Hmm -- all this time, it worked.

    I stopped the ping and created the rules. I did what I wanted to block first, instead of the exception of allowing to the gateway.

    I have from LAN Net to WAN net 'block'.

    I tried to ping to my home LAN PC, and it failed... which is good. I then allowed it, and started a new ping which was successful.

    I now blocked it on the firewall, and it continued to ping... for the whole 100. "Sent 100, received 98." I tried again, and now request is timed out.

    I was pinging up to 1,000,000 requests to see if my firewall rule stops the connection but it never did. That is why I told you the rules never worked.

    I found the answer to my own question. pfSense was only analyzing 'new' connections with SYN flags. So my continuous ping was 'ACK' which the firewall didn't analyze. So when I stopped the ping and initiated the ping [connection], it saw the 'SYN' flag and blocked the connection.

    I feel confident about this and finally got it working.
    I am able to ping gateway, ping Internet address, and NOT be able to ping my laptop.

    Perfect!

    Thanks so much for the learning experience. :)
    I would not have known the order of the rules, and to allow 'any' which gets to an IP such as Google.
    So this thread isn't a waste like I thought.
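    The two lessons of this thread, the top-to-bottom first-match order of the three LAN rules Netgate gave and the fact that a ping already in the state table keeps flowing after a block rule is added, as an added simulation that is not part of the thread or of pfSense itself; the addresses are constructed and the rule format is a simplification of the LAN tab.

    ```python
    import ipaddress

    # Constructed addresses for illustration only (not from the thread).
    GATEWAY = ipaddress.ip_address("172.100.0.1")      # home-LAN gateway, pfSense's way out
    HOME_NET = ipaddress.ip_network("172.100.0.0/24")  # home LAN = "WAN net" from pfSense's view
    LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # pfSense LAN net, where the VM lives

    def addr(s):
        return ipaddress.ip_address(s)

    # Firewall->Rules->LAN as (action, source net, destination test).
    # Evaluated top to bottom, first match wins; no match means the default block.
    LAN_RULES = [
        ("pass",   LAN_NET, lambda d: d == GATEWAY),   # gateway host only
        ("reject", LAN_NET, lambda d: d in HOME_NET),  # the rest of the home LAN
        ("pass",   LAN_NET, lambda d: True),           # everything else (the internet)
    ]
    # Same three rules with the reject moved last: the "pass any" above it wins first.
    WRONG_ORDER = [LAN_RULES[0], LAN_RULES[2], LAN_RULES[1]]

    def first_match(rules, src, dst):
        """Action for a NEW connection from src to dst entering the LAN interface."""
        for action, src_net, dst_ok in rules:
            if src in src_net and dst_ok(dst):
                return action
        return "block"

    class StatefulFirewall:
        """Rules only see new connections; packets matching an existing state skip them."""
        def __init__(self, rules):
            self.rules = rules
            self.states = set()

        def packet(self, src, dst):
            if (src, dst) in self.states:
                return "pass (existing state)"
            action = first_match(self.rules, src, dst)
            if action == "pass":
                self.states.add((src, dst))
            return action

        def reset_states(self):
            self.states.clear()   # the equivalent of clearing pfSense's state table

    if __name__ == "__main__":
        vm, laptop = addr("192.168.1.10"), addr("172.100.0.50")
        fw = StatefulFirewall([LAN_RULES[2]])  # ping started while LAN was wide open
        print(fw.packet(vm, laptop))           # pass, state created
        fw.rules = LAN_RULES                   # block rule added while the ping runs
        print(fw.packet(vm, laptop), "->", (fw.reset_states(), fw.packet(vm, laptop))[1])
    ```
    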