Block access from device behind pfsense to device in front of pfsense



  • Hi,

    i have the following setup:

    Internet --> Fritzbox --> PfSense --> PC2
                          --> PC1
    
    

    PfSense is used to create a guest net with captive portal. I have the standard firewall rules on LAN and OPT1 (W-Lan) and created one additional rule on WAN (allow everything from WAN to any net behind PfSense) to be able to access PfSense from PC1 (and any other PC which is connected directly to the fritzbox). The fritzbox is providing the DNS server and DHCP service. The WAN interface on PfSense is running in DHCP mode (receives IP, DNS, gateway). The networks behind PfSense (LAN and OPT_1) are also providing DHCP services.

    My problem is that PC2 is able to open the web interface of the Fritzbox.

    My thoughts on a solution:
    Block all traffic from PfSense on the WAN interface which goes to the 192.168.178.1/8 network. But with this scenario I would also prevent PfSense from getting IP, DNS and gateway from the fritzbox, as it is not allowed to connect to any device within 192.x.x.x.

    Can you help me? How does a firewall rule have to be defined to prevent clients behind PfSense from accessing the fritzbox? The clients shall be able to access pfSense.

    Thx and KR
    Itchy2



  • @itchy:

    Internet --> Fritzbox --> PfSense --> PC2
                          --> PC1
    
    

    Block all traffic from PfSense on the WAN interface which goes to the 192.168.178.1/8 network. But with this scenario I would also prevent PfSense from getting IP, DNS and gateway from the fritzbox, as it is not allowed to connect to any device within 192.x.x.x.

    Can you help me? How does a firewall rule have to be defined to prevent clients behind PfSense from accessing the fritzbox? The clients shall be able to access pfSense.

    There is obviously some misunderstanding, either on my side or in the way you perceive pfSense usage:
    e.g. if you set up a FW rule applying on the pfSense "internal" interface preventing devices on this interface from accessing your "external" segment, I don't see any reason why it would prevent pfSense from getting a lease from the Fritzbox DHCP server ???


  • LAYER 8 Global Moderator

    "created one additional rule on WAN (allow everything from WAN to any Net behind PfSense) to be able to access PfSense from PC1 (and any other PC which is connected directly to the fritzbox)"

    Huh???  Please just post up your WAN and LAN rules.. So you're not doing NAT?  What rule did you create on the WAN.. Out of the box pfSense does NAT, so you would have to forward ports into your LAN.. You can not just create a firewall rule unless you're not NATing? If you're not NATing then you created routes on the Fritzbox to your downstream networks LAN and OPT1?

    But as mentioned already, any rule you put on the LAN to prevent LAN clients from accessing anything specific would have nothing to do with pfSense talking out its WAN for DHCP, DNS, etc..



  • Hi,

    I'm at the location with the pfSense at the end of the week. I will bring screenshots and share them with you.

    @Johnpoz:
    I have not disabled NAT, so it is still enabled.

    @Chris:
    PC2 stands as a "name" for a net of computers. PC1 also reflects more computers. I want "PC2" to be able to access the internet, but not PC1 or Fritzbox etc.

    I think I just have to adjust the default "allow anything on LAN" rule to only allow the 192.168.5.1/24 subnet (which is the net of the LAN device).



  • @itchy:

    @Chris:
    PC2 stands as a "name" for a net of computers. PC1 also reflects more computers. I want "PC2" to be able to access the internet, but not PC1 or Fritzbox etc.

    This is as easy as configuring a FW rule on pfSense (LAN side) to only accept requests from LAN to the internet. This will prevent access to the Fritzbox and PC1 from PC2.
    How to achieve it? Quite easily: create a new rule on the LAN interface (nothing to be changed on the WAN interface) stating to drop or reject requests from LAN to 192.168.178.0/8  (BTW, strange netmask here  :o)

    Your mistake with LAN versus WAN in terms of firewall rules shows that you may need to review how a FW works and where rules apply  ;)  (assuming I understand correctly what you intend to achieve)
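The following is an added illustration, not code from this thread, from pfSense or from pf. It is a small Python model of the two points the replies make: pfSense evaluates an interface's rule list top to bottom, first match wins, against traffic entering that interface, so a reject rule on LAN cannot touch pfSense's own DHCP/DNS traffic leaving the WAN; and the netmask matters, because a spec like 192.168.178.1/8 is read by a firewall as 192.0.0.0/8, which also covers pfSense's own LAN address. The hosts (PC2 at 192.168.5.50, the Fritzbox at 192.168.178.1, PC1 at 192.168.178.20) and the 192.168.178.0/24 upstream network are constructed assumptions; 192.168.5.0/24 and 192.168.5.1 are the LAN values named in the thread.

```python
"""Toy model of pfSense per-interface, first-match rule evaluation.

Added example for this thread; it is not code from the thread, from pfSense
or from pf.  Addresses are constructed: 192.168.178.0/24 is assumed for the
Fritzbox network, 192.168.5.0/24 is the pfSense LAN named in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

LAN_NET = ip_network("192.168.5.0/24")          # pfSense LAN (from the thread)
PFSENSE_LAN_ADDR = ip_address("192.168.5.1")    # pfSense's own LAN address
ANY = ip_network("0.0.0.0/0")

# Constructed hosts used in the scenarios below.
PC2 = ip_address("192.168.5.50")        # client behind pfSense
FRITZBOX = ip_address("192.168.178.1")  # upstream router / web interface
PC1 = ip_address("192.168.178.20")      # client in front of pfSense
INTERNET_HOST = ip_address("9.9.9.9")
PFSENSE_WAN_ADDR = ip_address("192.168.178.42")  # lease pfSense got from the Fritzbox


@dataclass(frozen=True)
class Rule:
    action: str            # "pass", "block" (silent drop) or "reject" (drop + ICMP/RST)
    src: IPv4Network
    dst: IPv4Network


def evaluate(rules, src, dst):
    """Walk the rules top to bottom; the first match wins, as in the pfSense
    GUI (rules are 'quick').  No match falls through to the implicit default
    deny at the end of every interface's rule list."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"


def lan_rules(blocked_net):
    """LAN tab as proposed in the thread: a reject rule for the upstream
    network placed ABOVE the stock 'LAN net -> any' pass rule."""
    return [
        Rule("reject", LAN_NET, blocked_net),
        Rule("pass", LAN_NET, ANY),
    ]


def decision(ingress_iface, rulesets, src, dst):
    """pfSense applies an interface's rules to traffic ENTERING that
    interface.  Traffic the firewall itself originates (WAN DHCP, DNS to the
    Fritzbox) enters on no interface, so LAN rules never see it; modelled
    here as ingress_iface=None -> pass."""
    if ingress_iface is None:
        return "pass"
    return evaluate(rulesets[ingress_iface], src, dst)


def scenario(blocked_net_spec):
    """Evaluate the thread's cases for a given 'upstream network' spec.

    strict=False accepts a host-style spec such as 192.168.178.1/8 the way a
    firewall reads it: the prefix length wins, so it means 192.0.0.0/8."""
    blocked = ip_network(blocked_net_spec, strict=False)
    rulesets = {"LAN": lan_rules(blocked)}
    return {
        "effective_block_net": str(blocked),
        "pc2_to_fritzbox": decision("LAN", rulesets, PC2, FRITZBOX),
        "pc2_to_pc1": decision("LAN", rulesets, PC2, PC1),
        "pc2_to_internet": decision("LAN", rulesets, PC2, INTERNET_HOST),
        "pc2_to_pfsense": decision("LAN", rulesets, PC2, PFSENSE_LAN_ADDR),
        # pfSense's own WAN-side DHCP/DNS traffic towards the Fritzbox.
        "pfsense_to_fritzbox": decision(None, rulesets, PFSENSE_WAN_ADDR, FRITZBOX),
    }


if __name__ == "__main__":
    for spec in ("192.168.178.0/24", "192.168.178.1/8"):
        print(spec, scenario(spec))
```

With 192.168.178.0/24 the model rejects PC2 to the Fritzbox and to PC1, passes PC2 to the internet and to pfSense's LAN address, and leaves pfSense's own traffic to the Fritzbox untouched. With the thread's 192.168.178.1/8 the effective block network becomes 192.0.0.0/8, and PC2 to 192.168.5.1 is rejected as well, which breaks the requirement that clients can still reach pfSense. Two practical notes: the reject rule only works if it sits above the default "LAN net -> any" pass rule, since the first match wins; and each pfSense interface has its own rule list, so a rule added on LAN does nothing for OPT1.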

