Sanity Check on Rules for NEWB
-
Good day Crew, 1st time setting up a real firewall.
Please check these rules and let me know if you see any red flags
I NEED some help on the WIFI Guest rules too please (see bottom)

WAN
Block * RFC 1918 networks * * * * * Block private networks
Block * Reserved/not assigned by IANA * * * * * * Block bogon networks
*Note: protect my LAN from the outside world

LAN
Allow * * * LAN Address 443 80 * * Anti-Lockout Rule
Allow IPv4 * LAN net * * * * none Default allow LAN to any rule
Allow IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule
*Note: allow all LAN devices full access OUT to WAN and full access to other LAN devices.
*Note: Wireless AP setup on switch downstream of LAN

WIFI (guest Network)
block IPv4 * * * LAN net * * none block guest wan from local lan
Allow IPv4 * WIFI net * * * * none Default allow LAN to any rule
*Note: I want to allow the guest wifi access to internet/wan, but NO access to LAN. Something appears to not work in this setup as it does not allow an internet connection. Google is no help as it sends me to broken pfsense doc links.
-
Post screenshots, it's easier for people to help you.
Check your DNS… do a traceroute... check your firewall logs
-
3 firewall tabs attached.
-
1. Describe your network in more detail.
2. Do a nslookup
3. Do a traceroute
Post results
-
Modem
PFSense
-(Firewall, Router, DHCP) (later IPS via SNORT)
-WAN
-LAN (192.168.1.1)
-WLAN (192.168.2.1)
Switch
-DD-WRT Wireless AP (https://forum.pfsense.org/index.php?topic=81014.msg442131#msg442131)
- LAN -> DD-WRT AP for a mixture of trusted Android, MAC, Linux, and Windows machines -> all use a central unRaid NAS via SMB shares for file storage and access.
- WLAN for guest Internet access (personal guests, untrusted household devices such as a Sony bluray/netflix terminal -> none of which should have access to the NAS or the other machines on my LAN)
-
nslookup and traceroute…
from where and to where would you like these?
-
Typically when a guest network can't surf it's because there are no NAT rules or they can't resolve DNS.
I would run the DNS Resolver on 2.2.2 and explicitly set it in the guest DHCP server and explicitly pass it as the first rule:
Alias wifi_dns_ip 192.168.2.1
Allow IPv4 TCP/UDP WIFI net * wifi_dns_ip 53 * none Pass DNS from guest wlan
block IPv4 * * * LAN net * * none block guest wlan to local lan
block IPv4 * * * This firewall (self) * * none block guest wlan to firewall IPs
Allow IPv4 * WIFI net * * * * none Default allow LAN to any rule

Pass specifically what you need (DHCP is automatically passed when the DHCP server is enabled on an interface)
Block more generally what you don't want them to get to
Pass everything else.
-
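The rule order in the reply above matters because pfSense evaluates interface-tab rules first-match-wins. The following is an added example (not code from this thread or from pfSense) that models that evaluation over the suggested guest-WLAN rule set: the LAN/WLAN subnets come from the network description in the thread, while the WAN address and the guest/NAS hosts are constructed placeholders.

```python
"""Model first-match evaluation of the suggested guest-WLAN rules (added example)."""
import ipaddress as ip
from dataclasses import dataclass
from typing import List, Optional

ANY = ip.ip_network("0.0.0.0/0")
WIFI_NET = ip.ip_network("192.168.2.0/24")      # WLAN interface, from the thread
LAN_NET = ip.ip_network("192.168.1.0/24")       # LAN interface, from the thread
WIFI_DNS_IP = ip.ip_network("192.168.2.1/32")   # alias wifi_dns_ip
# "This firewall (self)" = every address the box owns; the WAN IP is a constructed placeholder
FIREWALL_SELF = [ip.ip_network(a) for a in ("192.168.1.1/32", "192.168.2.1/32", "203.0.113.10/32")]

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp", "udp" or "tcp/udp"
    src: ip.IPv4Network
    dst: List[ip.IPv4Network]   # an alias may expand to several networks
    dport: Optional[int]        # None means any destination port
    descr: str

    def matches(self, proto, saddr, daddr, dport):
        proto_ok = self.proto == "any" or proto in self.proto.split("/")
        dst_ok = any(daddr in n for n in self.dst)
        port_ok = self.dport is None or self.dport == dport
        return proto_ok and saddr in self.src and dst_ok and port_ok

# The guest-WLAN tab as suggested in the reply, top to bottom
GUEST_RULES = [
    Rule("pass",  "tcp/udp", WIFI_NET, [WIFI_DNS_IP], 53,   "Pass DNS from guest wlan"),
    Rule("block", "any",     ANY,      [LAN_NET],     None, "block guest wlan to local lan"),
    Rule("block", "any",     ANY,      FIREWALL_SELF, None, "block guest wlan to firewall IPs"),
    Rule("pass",  "any",     WIFI_NET, [ANY],         None, "Default allow WIFI to any rule"),
]

def evaluate(rules, proto, saddr, daddr, dport):
    """First matching rule decides, as on a pfSense interface tab; no match means default deny."""
    saddr, daddr = ip.ip_address(saddr), ip.ip_address(daddr)
    for r in rules:
        if r.matches(proto, saddr, daddr, dport):
            return r.action, r.descr
    return "block", "default deny"

if __name__ == "__main__":
    for flow in [("udp", "192.168.2.50", "192.168.2.1", 53),      # guest DNS lookup
                 ("tcp", "192.168.2.50", "192.168.2.1", 443),     # guest -> firewall web GUI
                 ("tcp", "192.168.2.50", "192.168.1.20", 445),    # guest -> NAS SMB share
                 ("tcp", "192.168.2.50", "198.51.100.7", 443)]:   # guest -> internet
        print(flow, "->", evaluate(GUEST_RULES, *flow))
    # Put the DNS pass below the block-to-self rule and guest name resolution breaks
    reordered = [GUEST_RULES[1], GUEST_RULES[2], GUEST_RULES[0], GUEST_RULES[3]]
    print("reordered DNS ->", evaluate(reordered, "udp", "192.168.2.50", "192.168.2.1", 53))
```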
perfect!
Thanks :)