    Netgate Discussion Forum
    Sanity Check on Rules for NEWB

    Firewalling

    chris.kemper:

      Good day Crew, 1st time setting up a real firewall.

      Please check these rules and let me know if you see any red flags
      I NEED some help on the WIFI Guest rules too please (see bottom)

      WAN
      Block * RFC 1918 networks * * * * *   Block private networks
      Block * Reserved/not assigned by IANA * * * * * * Block bogon networks
      *Note: protect my LAN from the outside world

      LAN
      Allow * * * LAN Address 443 80 * *   Anti-Lockout Rule
      Allow IPv4 * LAN net * * * * none   Default allow LAN to any rule
      Allow IPv6 * LAN net * * * * none   Default allow LAN IPv6 to any rule
      *Note:  allow all LAN devices full access OUT to WAN and full access to other LAN devices.
      *Note: Wireless AP setup on switch downstream of LAN

      WIFI (guest Network)
      block  IPv4 * * * LAN net * * none   block guest wan from local lan 
      Allow  IPv4 * WIFI net * * * * none   Default allow LAN to any rule
      *Note: I want to allow the guest wifi access to internet/wan, but NO access to LAN.

      • Something appears to not work in this setup as it does not allow internet connection
      • Google is no help as it sends me to broken pfsense doc links.

      EMWEE:

        Post screenshots, it's easier for people to help you.

        Check your DNS... do a traceroute... check your firewall logs

        chris.kemper:

          3 firewall tabs attached.


          EMWEE:

            1. Describe your network in more detail.

            2. Do a nslookup

            3. Do a traceroute

            Post results

            chris.kemper:

              Modem
              PFSense
              -(Firewall, Router, DHCP) (later IPS via SNORT)
              -WAN
              -LAN (192.168.1.1)
              -WLAN (192.168.2.1)
              Switch
              -DD-WRT Wireless AP (https://forum.pfsense.org/index.php?topic=81014.msg442131#msg442131)

              • LAN->DD-WRT AP for a mixture of trusted Android, MAC, Linux, and Windows machines -> all use a central unRaid NAS via SMB shares for file storage and access.
              • WLAN for guest Internet access (personal guests, untrusted household devices such as a Sony bluray/netflix terminal -> none of which should have access to the NAS or the other machines on my LAN)

              chris.kemper:

                nslookup and traceroute…
                from where and to where would you like these?

                Derelict (Netgate):

                  Typically when a guest network can't surf it's because there are no NAT rules or they can't resolve DNS.

                  I would run the DNS Resolver on 2.2.2 and explicitly set it in the guest DHCP server and explicitly pass it as the first rule:

                  Alias wifi_dns_ip 192.168.2.1

                  Allow IPv4  TCP/UDP  WIFI net  *  wifi_dns_ip  53  *  none  Pass DNS from guest wlan
                  block  IPv4 *    *    *    LAN net    *    *    none        block guest wlan to local lan
                  block  IPv4 *    *    *    This firewall (self)    *    *    none        block guest wlan to firewall IPs
                  Allow  IPv4 *    WIFI net    *    *    *    *    none        Default allow LAN to any rule

                  Pass specifically what you need (DHCP is automatically passed when the DHCP server is enabled on an interface)
                  Block more generally what you don't want them to get to
                  Pass everything else.

                  chris.kemper:
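As an added example (not code from the thread or from pfSense), the following Python model evaluates packets against Derelict's suggested guest ruleset and against the original poster's two rules using first-match semantics, so the reason for each rule can be seen on concrete traffic; the guest client address and the firewall's WAN address are assumed.

```python
import ipaddress

# Constructed topology from the thread: LAN 192.168.1.0/24 on 192.168.1.1,
# guest WLAN 192.168.2.0/24 on 192.168.2.1; the WAN address is assumed.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WIFI_NET = ipaddress.ip_network("192.168.2.0/24")
WIFI_DNS_IP = ipaddress.ip_address("192.168.2.1")        # alias wifi_dns_ip
# "This firewall (self)": every address the firewall itself holds
FIREWALL_SELF = {ipaddress.ip_address(a) for a in
                 ("192.168.1.1", "192.168.2.1", "203.0.113.10")}
ANY = "*"

def _addr_matches(spec, addr):
    """Address field of a rule: '*', a network, a single host, or a host set."""
    if spec is ANY:
        return True
    if isinstance(spec, (set, ipaddress.IPv4Network)):
        return addr in spec
    return addr == spec

# (action, protocols, source, destination, dest port, description);
# pfSense evaluates top to bottom and the first matching rule wins.
ORIGINAL_WIFI_RULES = [
    ("block", ANY, ANY, LAN_NET, ANY, "block guest wan from local lan"),
    ("pass", ANY, WIFI_NET, ANY, ANY, "Default allow LAN to any rule"),
]
SUGGESTED_WIFI_RULES = [
    ("pass", {"tcp", "udp"}, WIFI_NET, WIFI_DNS_IP, 53, "Pass DNS from guest wlan"),
    ("block", ANY, ANY, LAN_NET, ANY, "block guest wlan to local lan"),
    ("block", ANY, ANY, FIREWALL_SELF, ANY, "block guest wlan to firewall IPs"),
    ("pass", ANY, WIFI_NET, ANY, ANY, "Default allow LAN to any rule"),
]

def evaluate(rules, proto, src, dst, dport):
    """Return (action, description) of the first rule matching the packet,
    or the implicit default deny when no rule matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, protos, rsrc, rdst, rport, desc in rules:
        if protos is not ANY and proto not in protos:
            continue
        if not (_addr_matches(rsrc, src) and _addr_matches(rdst, dst)):
            continue
        if rport is not ANY and rport != dport:
            continue
        return action, desc
    return "block", "implicit default deny"

if __name__ == "__main__":   # guest client 192.168.2.50 is a constructed address
    for dst, port in (("192.168.2.1", 53), ("192.168.1.20", 445), ("192.168.2.1", 443)):
        print(dst, port, evaluate(SUGGESTED_WIFI_RULES, "tcp", "192.168.2.50", dst, port))
```

Note that under the original two rules a guest reaches the firewall's own guest-side address on 443 (the webGUI), which is what the "This firewall (self)" block rule closes.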

                    perfect!

                    Thanks :)
