Firewall a connection within a single LAN?
-
I work for a government agency that shares a building with some other government agencies. We have a pfSense 2.2 box used as our Internet firewall with some light NAT (including a 1:1 IP for the time being). We also have several connections to the other agencies that are not currently firewalled (they come in directly via IP addresses in our primary vlan which is a /24 subnet).
I would very much like to firewall at least one of these connections without having to involve any more hardware. The problem is that I can't quite map out in my head how I would do this with something like an IP alias.
Could I move a DSL modem from our core switch to the DMZ switch that our firewall connects to and do some IP aliasing or virtual IP magic to filter this connection?
Limitation: I cannot change the IP of the DSL modem
Some fictitious IP addresses that might help to describe this:
Firewall:
Our WAN IP is 100.100.100.101/24
The LAN interface is 172.30.200.2/24Router:
172.30.200.1The DSL modem that currently connects directly to the router that I would like to place behind a firewall:
172.30.200.3I hope this makes sense! Thanks for any advice!
-
So these other agencies share this 172.30.200.0/24 network?
So they come in via another router that has its lan on your 172.30.200.0/24
This is what is confusing have router on 172.30.200.1, and then you say dsl modem on 172.30.200.3? So you have 2 other routers that have connections on your lan?
Can you draw this out please. But in general if you can put some more interfaces on pfsense via either physical or vlans you put them as wan connections and then you can firewall them from your lan segment.
-
So these other agencies share this 172.30.200.0/24 network?
Negative, they've got their own networks but they need to connect to ours for a few applications. They have their own networks, but connect to ours with devices with IPs on our network. It's our own network but they more or less have full access to it (for better or worse).
So they come in via another router that has its lan on your 172.30.200.0/24
Correct
This is what is confusing have router on 172.30.200.1, and then you say dsl modem on 172.30.200.3? So you have 2 other routers that have connections on your lan?
Correct, we have 3 other entities that connect directly to our LAN.
Can you draw this out please. But in general if you can put some more interfaces on pfsense via either physical or vlans you put them as wan connections and then you can firewall them from your lan segment.
I can draw this out. It'll take me a day or two tho. My biggest mental block at this point is how to firewall a device on a LAN back to the same LAN. I may not be thinking of this correctly.
-
What doesn't make sense is how do your devices talk back - is there gateway not your pfsense? They must be natting into your network, so if a device on their side talks to your network it looks like it came from 172.30.200.3 for example..
-
What doesn't make sense is how do your devices talk back - is there gateway not your pfsense? They must be natting into your network, so if a device on their side talks to your network it looks like it came from 172.30.200.3 for example..
Definitely not natting. The routers both here and on the other side of 200.3 are HP Procurve switches set with static routes.
-
If they are not natting into your network, you have setup routes on your pfsense to go talk to their entry point into your network, and are hairpinning back out to them.
What is there network on their side?
So you have something like the attached. Your clients talk to pfsense as their gateway.. What is the network on the other side.. How does pfsense or client know to talk to the 172.30.200.3 router/bridge/L3 switch? To get to that other network??
-
If they are not natting into your network, you have setup routes on your pfsense to go talk to their entry point into your network, and are hairpinning back out to them.
What is there network on their side?
So you have something like the attached. Your clients talk to pfsense as their gateway.. What is the network on the other side.. How does pfsense or client know to talk to the 172.30.200.3 router/bridge/L3 switch? To get to that other network??
At the moment there are static routes set on the core switch of our network. The same is true of the network of the agency on the other side of the DSL line. pfSense doesn't do any LAN routing (though it does have to have a few static routes set on it that point to the core switch).
-
Well you could do a couple things if you want to firewall off these other segments. You could put pfsense between your core switch and your lan, or move the connection from the core switch to pfsense.
I would move the connection - but clearly that would be more of a change. But at most would require either vlan or another physical nic. If you put pfsense between core switch and your segment you could put it in transparent mode, or setup transient network between core switch and your lan to use for routing. Or keep pfsense wan on that segment and change your lan segment. But that would most like require changes in routing on the other networks, etc.
-
Well you could do a couple things if you want to firewall off these other segments. You could put pfsense between your core switch and your lan, or move the connection from the core switch to pfsense.
I would move the connection - but clearly that would be more of a change. But at most would require either vlan or another physical nic. If you put pfsense between core switch and your segment you could put it in transparent mode, or setup transient network between core switch and your lan to use for routing. Or keep pfsense wan on that segment and change your lan segment. But that would most like require changes in routing on the other networks, etc.
I wouldn't want to put the core switch behind the firewall since it also handles a few internal vlans and such. I also lean towards moving the connection. Maybe this just isn't possible without more hardware (either another NIC or just using a different pfSense box), especially since I have no control over the modem or the routing of the other agency.
I do have an old PC with two NICs that was used as an iptables firewall in the past. Maybe I'll just set that up as a transparent firewall for this purpose