Netgate Discussion Forum

    Rules for allowing OPT interface to connect to LAN/WAN?

    Category: Firewalling
    7 Posts, 5 Posters, 9.5k Views
    altiris

      What firewall rules do I have to add to allow OPT1/2/3 (other interfaces) to go through LAN and out through WAN? Basically I just want it to be able to talk outside. How would I go about configuring the interface for this purpose? Thanks!

      -Extra Information-
      So I am running pfSense 2.2 RC and I have two NICs, 4 ports each. I have a WAN interface with a static external IP and a LAN interface with a static internal IP, let's say
      192.168.1.1 (with DHCP enabled). Now I want to hook up a router (DHCP is disabled on this device) to another interface and ONE computer/server to another interface (I understand I am not supposed to be hooking up single computers to interfaces, or so I have been told, but is it alright to just hook up one to one interface for this time? The reason is that the server has a different subnet than the router and also than the LAN interface, and I do not want to reconfigure the IP address on the server or on the interface subnet side because I would have to change the IPs on the computers connected on LAN).

      johnpoz (LAYER 8 Global Moderator)

        "I have a two NICS, 4 ports each"

        Nice – allows for lots of stuff with that sort of setup ;)

        As to how many devices you put on a segment, that is up to you, be it 1 or 1000..  There is nothing wrong with connecting only 1 device to an interface if that is all you have on that segment..

        So let's, for the sake of discussion, say you have put these networks on your opt interfaces.

        opt1 192.168.10.0/24 with pfsense having 192.168.10.1
        opt2 192.168.20.0/24 with pfsense having 192.168.20.1
        opt3 192.168.30.0/24 with pfsense having 192.168.20.1

        So you want opt1, 2 and 3 to be able to talk to anything?? Be it lan, or opt2 to opt3 or opt3 to opt1?

        If so, then an any/any rule would allow all traffic.  If you want to get specific, for example opt2 can only go to the internet while opt1 can go to lan and internet, then you need to create some specific rules; the use of aliases can be of help.

        Keep in mind that rules are read from the top down, and you prob want to allow that segment to talk to the pfsense IP on that segment for, say, dns?

        It's much easier to see without aliases - but you can cut down on the number of rules with aliases.  But let's go over my example rules.  So opt1 can go to lan and internet, but we don't want it going to opt2 or opt3.  I would prob create these rules on the opt1 tab:

        source opt1 dest opt2 net any any block
        source opt1 dest opt3 net any any block
        source opt1 dest any any allow

        Now opt2 we only want going to the internet, so:

        source opt2 dest lan net any any block
        source opt2 dest opt1 net any any block
        source opt2 dest opt3 net any any block
        source opt2 dest any any allow

        As you read the rules from top to bottom, the first rule to trigger will win, so once a rule is triggered the rest of the rules are not looked at.  If none of the rules trigger then there is the default deny.

        If you can give some specifics of the traffic you want to allow between segments, I can post up some screenshots of the rules in play in pfsense, etc..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        Whitey436

          John,

          Sorry if this is a hijack but with your examples being on point to a similar situation..

          In my instance, I have a single WAN interface and several subnets each on their own interface.

          I was wanting to give one of the interfaces/subnets access to only the WAN so it could access the Internet, but it seems that if I do a source OPT3  dest *  *  * Allow then those users can access the Internet but they should also be allowed to get on my subnet.

          I was trying to create a single rule that would accomplish my task, so I tried a
          source OPT3  dest WAN1 Net *  * Allow; this does not allow them to get there.

          Why is it that when I call out the entire WAN network interface and do Allow for all ports it doesn't like it?  I see how you accomplished it in three rules, but shouldn't I be able to do it in one based on my requirements?

          Thanks,
          Whitey

          johnpoz (LAYER 8 Global Moderator)

            Well, the wan net is not the internet, for one..  It is the Wan net, just like your lan net is only that network, 192.168.1.0/24 as a common example.

            Wan net is just that - the wan net!  So for example I am on comcast, so I get a 24.13.xx.xx address where my wan net is 24.13.x.x/21.  Look on your status interface page and you will see the mask your wan is on - this is the network you would be allowing traffic to if you put in dest wan net.

            If you want to only allow segment access to the internet in 1 rule, then create an alias with your other segments in there and use the ! not as dest..  This allows access to anything that is NOT in the alias.


            Whitey436

              Perhaps some clarification of the names I assigned may help.

              I assigned the name WAN1 to the interface connection that goes to my ISP.  Is not the reference of WAN1 net vs WAN1 address, the entire subnet assigned to that interface vs the specific IP assigned to that interface?

              If I want traffic to flow from any other interface on the firewall to the path that leads to the Internet from my location, doesn't it have to go either to WAN1 Net or WAN1 Address?

              KOM

                Is not the reference of WAN1 net vs WAN1 address, the entire subnet assigned to that interface vs the specific IP assigned to that interface?

                Yes.

                If I want traffic to flow from any other interface on the firewall to the path that leads to the Internet from my location, doesn't it have to go either to WAN1 Net or WAN1 Address?

                Yes, but it does so automatically.  Any traffic that is not local will be routed out your WAN to your gateway.

                awair

                  Not my solution (can't find the original thread), but it looked very elegant…

                  source <my_restricted_clients> dest ! <my_private_zone> any allow

                  Add appropriate Aliases for clients/groups & subnets as required, then 'Invert' the Firewall destination - permits access to 'all except…'

                  2.4.3 (amd64)
                  and given up on the SG-1000
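The thread turns on three points: rules are evaluated top-down with first match winning and an implicit default deny (johnpoz's two rule tabs), "WAN net" is only the ISP-assigned block rather than "the internet" (johnpoz's reply to Whitey), and a single rule with an inverted destination alias covers "everything except my private segments" (awair's post). The following is an added example, not pfSense code or anything posted in the thread: a small Python simulator that walks each of those rule sets over constructed addresses. The networks are the ones johnpoz used for opt1/2/3 plus a made-up 24.13.0.0/21 standing in for a WAN block; the alias name `my_private_zone` is borrowed from awair's post and its membership is assumed; ports and protocols are ignored, only source and destination addresses are matched.

```python
"""Added example (not pfSense code): a first-match rule walker over the
rule sets discussed in this thread, using constructed networks."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan following johnpoz's example nets. "WAN net" is a
# made-up /21 standing in for the ISP-assigned block he describes; the real
# value comes from Status > Interfaces on your own box.
NETS = {
    "LAN net":  [ipaddress.ip_network("192.168.1.0/24")],
    "OPT1 net": [ipaddress.ip_network("192.168.10.0/24")],
    "OPT2 net": [ipaddress.ip_network("192.168.20.0/24")],
    "OPT3 net": [ipaddress.ip_network("192.168.30.0/24")],
    "WAN net":  [ipaddress.ip_network("24.13.0.0/21")],
}
# An alias is just a named group of networks (membership assumed here).
ALIASES = {
    "my_private_zone": NETS["LAN net"] + NETS["OPT1 net"] + NETS["OPT2 net"],
}


def resolve(name):
    """Expand 'any', an interface net name, or an alias into network objects."""
    if name == "any":
        return None
    return NETS.get(name) or ALIASES[name]


@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str
    dst: str
    invert_dst: bool = False   # the "not" (!) checkbox on the destination

    def matches(self, src_ip, dst_ip):
        src_nets, dst_nets = resolve(self.src), resolve(self.dst)
        src_ok = src_nets is None or any(src_ip in n for n in src_nets)
        dst_in = dst_nets is None or any(dst_ip in n for n in dst_nets)
        return src_ok and ((not dst_in) if self.invert_dst else dst_in)


def evaluate(rules, src, dst):
    """Walk a tab top-down. The first matching rule wins and later rules are
    never consulted; if nothing matches, the implicit default deny applies.
    Returns (action, index of the rule that fired, or None for default deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip):
            return rule.action, i
    return "block", None


# johnpoz's OPT1 tab: LAN and internet allowed, other OPT segments blocked.
OPT1_RULES = [
    Rule("block", "OPT1 net", "OPT2 net"),
    Rule("block", "OPT1 net", "OPT3 net"),
    Rule("pass",  "OPT1 net", "any"),
]
# johnpoz's OPT2 tab: internet only.
OPT2_RULES = [
    Rule("block", "OPT2 net", "LAN net"),
    Rule("block", "OPT2 net", "OPT1 net"),
    Rule("block", "OPT2 net", "OPT3 net"),
    Rule("pass",  "OPT2 net", "any"),
]
# Whitey's single rule: destination "WAN net", which is only the ISP block.
WHITEY_RULE = [Rule("pass", "OPT3 net", "WAN net")]
# awair's single rule: destination is everything NOT in the private alias.
AWAIR_RULE = [Rule("pass", "OPT3 net", "my_private_zone", invert_dst=True)]
# The OPT1 rules with the allow-any moved to the top: the blocks never fire.
OPT1_MISORDERED = [OPT1_RULES[2], OPT1_RULES[0], OPT1_RULES[1]]

if __name__ == "__main__":
    for label, rules, src, dst in [
        ("OPT1 -> internet", OPT1_RULES, "192.168.10.5", "8.8.8.8"),
        ("OPT1 -> OPT2", OPT1_RULES, "192.168.10.5", "192.168.20.5"),
        ("OPT2 -> own pfSense IP", OPT2_RULES, "192.168.20.5", "192.168.20.1"),
        ("Whitey: OPT3 -> internet", WHITEY_RULE, "192.168.30.5", "8.8.8.8"),
        ("awair: OPT3 -> internet", AWAIR_RULE, "192.168.30.5", "8.8.8.8"),
        ("awair: OPT3 -> LAN", AWAIR_RULE, "192.168.30.5", "192.168.1.5"),
        ("misordered OPT1 -> OPT2", OPT1_MISORDERED, "192.168.10.5", "192.168.20.5"),
    ]:
        print(f"{label:28} {evaluate(rules, src, dst)}")
```

Two things worth noticing when running it: Whitey's single "dest WAN net" rule falls through to default deny for 8.8.8.8, because that address is not inside the /21 the WAN interface sits on, which is exactly johnpoz's point; and with the allow-any rule moved to the top of the OPT1 tab, OPT1 reaches OPT2 even though a block rule for it exists further down, because the first match ends evaluation. The OPT2 tab also still lets a host reach the pfSense address on its own segment (192.168.20.1), since only the other segments are blocked ahead of the allow, which is the DNS case johnpoz mentions.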

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.