Blocking traffic from interface X to interface Y
-
Hi all,
I'm new to pfSense and am migrating from a simple iptables based system. In my setup I have 5 VLANs + 1 WAN, and restricted communication between VLANs, save 1. I did this with iptables commands such as the following to give internet access to all VLANs:

    iptables -A FORWARD -i VLAN1 -o WAN -j ACCEPT
    iptables -A FORWARD -i VLAN2 -o WAN -j ACCEPT
    iptables -A FORWARD -i VLAN3 -o WAN -j ACCEPT
    iptables -A FORWARD -i VLAN4 -o WAN -j ACCEPT
    iptables -A FORWARD -i VLAN5 -o WAN -j ACCEPT

with one for access to all VLANs from the special VLAN (a little redundant with the first iptables command I know, shown here for clarity):

    iptables -A FORWARD -i VLAN1 -j ACCEPT

Then default forwards to dropped.
I don't see how I can do this equivalent in pfSense. The best I can see to do is to deny traffic from VLAN2 to VLAN1 and 3-5's subnets, and allow all other traffic. I don't like default allow firewall rules, even though this should give me the same answer.
Is there a better way to do this?
-
I thought (V)LANs were separated/firewalled by default, so you would need to add explicit Pass Rules to each VLAN interface for all inter-(V)LAN communication. Maybe?
Disclaimer: I have no experience with VLANs or iptables gibberish.
-
So you want your vlans to talk to the internet but not each other.
Simple way would be to create an alias, let's call it locals. In this alias you put all your VLAN segments. Then on your interfaces for each VLAN put your allow rule with ! (not) locals as your dest. Now going to anything on the internet works since it is NOT one of your local networks.
If traffic is destined for one of your local networks then that rule would not fire and the default block rule would be used.
So for example here are the rules on my dmz segment. I let dmz ping the pfsense interface, I let it use pfsense for dns. I then block it from talking to any ip on pfsense for anything else. I then allow it to go wherever as long as it's ! one of the local segments or my vpn segments.
This is pretty close to what you're asking.. Just put the same kind of rules on your different VLAN interfaces. DMZ is in the alias just for ease of being able to use that alias elsewhere, on my guest wireless network, etc.. We all know that that rule doesn't stop clients on the dmz from talking to other clients on the dmz. But pfsense should never see traffic for dmz from dmz, etc.
-
Thanks for the quick replies.
Johnpoz, you are right, I'm trying to restrict inter-VLAN traffic while permitting WAN traffic, save for 1 VLAN which should be allowed to talk to all.
I was heading in essence the same direction that you were with the deny to local subnets, permit everything else, but I dislike the permit all approach. Generally speaking I like to see firewall rules that are deny all, permit specifics. In iptables I would deny all as the final "rule" and allow if it is going out the WAN interface. So far I can only see how to Deny going to local subnets, and allow all else…
-
There is no "default allow" anywhere.
In iptables I would deny all as the final "rule"
Not needed. It's already there.
-
True, the default behavior of pfSense is deny after all rules are fired. But to accomplish the allow VLAN to WAN, deny VLAN to VLAN I would have to be permissive to all, deny to VLAN subnets (as I cannot say allow if output interface is WAN that I can see)
My rules would look like:

    Interface   Destination   Permit/Deny
    VLAN2       VLAN1 net     Deny
    VLAN2       VLAN3 net     Deny
    VLAN2       VLAN4 net     Deny
    VLAN2       VLAN5 net     Deny
    VLAN2       *             Allow

This would allow traffic to arbitrary subnets through the WAN, but deny it to local subnets on other VLANs. It should work, but again, I'm now in essence default allow, which I fundamentally don't like on firewalls (not that it's a particular issue I think).
-
Again there is no default allow - where do you think there is any sort of allow.. Why don't you remove all the rules off your interface and see where you get ;)
But since the internet is such a HUGE amount of space.. how do you say allow to that but not your VLAN.. You say it with a NOT rule.. ie you can go anywhere you want other than these networks. You can get restrictive if you want and only allow 80 and 443, 53, etc. Or as open as you want but there is no "default" allow..
-
Man, you guys are great! I really appreciate the feedback, I'm very new to pfSense and am still trying to translate how I'd do things with iptables.
To keep things clear, this is how I interpreted johnpoz's suggestion (twisted just a bit):

    Interface   Destination   Permit/Deny
    VLAN2       VLAN1 net     Deny
    VLAN2       VLAN3 net     Deny
    VLAN2       VLAN4 net     Deny
    VLAN2       VLAN5 net     Deny
    VLAN2       *             Allow

It's the last rule in the list that says "If it's incoming on interface VLAN2, allow" (which is in essence, allow all). I can add more denies above it saying if it's not ports X,Y,Z deny, but by setting the rules up like above, I'm listing things I DON'T want to go through, rather than things I DO want to go through. I can make it work either way, and it's just for traffic originating in the local VLANs, which are much more trustworthy than the WAN side.
With the aliasing it would look like this:

    Interface   Destination   Permit/Deny
    VLAN2       Not VLANs     Allow

Which again, to allow ports X,Y,Z, means I'd have to add everything else to a list of denies (ie deny if port not X,Y,Z), so it's a list of things I DON'T want to go through rather than a list of things I DO want to go through.
Subtle difference, probably not worth arguing.
-
No, your rule would be more like NOT vlans ports 80,443,53 allow - everything else would be denied because there is no allow.
If you allow any any that is on you, this is not a limitation of pfsense. That is just how you might write the rule.
This can be done all in 1 rule.

    source any
    dest ! alias (contains all vlans you don't want to go to)
    if you want to only allow 80 and 443 and 53 then you put that in the rule as well

All other traffic would be denied by the default deny because you don't have an allow to allow it.
The only time you need to put in a specific deny is when there would be an exception to your rule. Say for example there was a specific IP in your sources that you don't want to be able to go to the internet. Since your source of any would include him you could put a rule above that says

    source: somespecificIP or alias to include what you want to block
    dest any
    block

Rules are evaluated top down - first rule to trigger wins. So if you have an allow that has a large number of things that would be inclusive, like any as source, and you don't want something to use that rule then you would deny it specifically before that rule.. Which would be the first rule to trigger, so the traffic would never see the next rule that would have allowed it.
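What johnpoz's alias design and the last reply's "one rule plus a specific exception" look like in pf syntax, the filter engine underneath pfSense. This is an added example, hand-written and not the ruleset pfSense generates from its GUI; the interface names (vlan1..vlan5), subnets and the blocked host are assumptions.

```pf
# The GUI alias "locals" becomes a pf table holding every VLAN segment.
# Subnets are assumed for this example.
table <locals> { 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24, \
                 10.10.4.0/24, 10.10.5.0/24 }

# pfSense's implicit default deny, written out: nothing passes unless a rule says so.
block log all

# Caveat: stock pf is LAST-match; "quick" turns a rule into first-match.
# pfSense adds quick to every GUI rule, which is why "top down, first hit wins"
# holds there. Without quick, the broad pass below would override the block above it.

# The exception goes ABOVE the broad allow: one VLAN2 host (assumed address)
# that must not reach the internet at all.
block in quick on vlan2 from 10.10.2.50 to any

# VLAN2 may talk to the pfSense interface address for ping and DNS only
# (johnpoz's dmz pattern), and to nothing else on the firewall itself.
pass  in quick on vlan2 inet proto icmp from vlan2:network to vlan2 icmp-type echoreq
pass  in quick on vlan2 proto { tcp udp } from vlan2:network to vlan2 port 53
block in quick on vlan2 from vlan2:network to self

# The single rule from the thread: anything NOT in locals is "the internet".
# A packet to another VLAN matches no pass rule and falls to "block log all".
pass in quick on vlan2 from vlan2:network to ! <locals> keep state

# Same shape on VLAN3, restricted to DNS and web as the reply suggests.
pass in quick on vlan3 proto { tcp udp } from vlan3:network to ! <locals> port { 53 80 443 } keep state

# VLAN1 is the special segment that may reach every other VLAN as well.
pass in quick on vlan1 from vlan1:network to any keep state
```

On a real pfSense box these rules are entered in the GUI, where "! locals" is the "Destination / not" checkbox on the pass rule; inspect /tmp/rules.debug there to compare with what the GUI emits.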