Restrict Firewall Rules



  • How do you restrict firewall rules to different networks? i.e. if you have lan net to Any, or should it be lan net to wan net? I'm confused on the different types, i.e. wan/lan/phone/wifi net vs wan/lan/phone/wifi address or This Firewall (self).

    Thanks



  • It might be best if you explain what you're trying to do exactly. Also a description or diagram of your network setup wouldn't go amiss.



  • What I'm trying to set up is a way to protect different zones from accessing each other, basically intrazone traffic. I have created three different zones: LAN, WIFI, VOIP. What is zone net or zone address, and when do I use the net or the address of a zone? What is This Firewall (self) and where should it be used?

    LAN ZONE
    i.e zone LANnet  to WAN Address Allow

    WIFI ZONE
    i.e zone WIFInet to LAN Net Deny
    i.e zone WIFInet to VOIP Net Deny
    i.e zone WIFInet to WAN Address Allow

    VOIP ZONE
    i.e zone VOIPnet to LAN Net Deny
    i.e zone VOIPnet to WIFI Net Deny
    i.e zone VOIPnet to WAN Address Allow


  • LAYER 8 Global Moderator

    LANnet  to WAN Address Allow

    So think about that rule for a second.. So you want to allow traffic to JUST pfsense wan IP.. What good is that??

    So you don't want lan to talk to wifi or voip but you want it to talk to internet..

    Then put in a block that says lan net to wifi net
    then put in a block that says lan net to voip block
    then your allow any any..

    Rules are looked top down first rule to fire wins..

    So if traffic from lan is to an IP on wifinet it would be blocked and done.
    If traffic is to voip same thing..
    If traffic is to say google.com that doesn't match either wifi or voip net then it would be allowed.



  • By way of explicit example, here is a block from my LAN to the neighbouring CAFE (wifi) network.



  • LAYER 8 Global Moderator

    Here are some more examples..

    So on my wlanguest.. I allow devices to ping the pfsense interface in wlanguest, I then block it from talking to any address on any port for the pfsense (this firewall).  I then allow it to talk ipv4 to anything as long as it is not in any of my other networks..  The dhcp server hands out public dns for my wlan guests..  So other than being able to verify it can talk to pfsense via icmp echo req, wlan guests are blocked from talking to pfsense or anything else on my network.. Nor can it talk ipv6..

    Now on my normal wifi network wlan..
    I let my ipad do whatever it wants ;) 
    clients can ping pfsense wlan ip address both ipv4 and v6.  They can talk to my ntp server in my lan (should prob allow ipv6 on that since it does listen on ipv6 as well)
    They can use pfsense wlan address for dns.
    I allow my AP to talk radius to the wlan pfsense IP (should prob limit that source to the actual AP IPs - but been playing multiple AP so are not static, after will lock)
    I then block both ipv4 and ipv6 to any other firewall interface.
    I then allow them to do anything else they want as long as it's not to my lan network.. So they could talk to dmz for example, they could talk to wlan guest, etc..

    You will notice in the alias localsIPv4 that it also includes the wlan guest segment.. that would never come into play but it's in the alias so I can use it on any interface to include all my local networks.

    If you have any questions just ask..  Remember rules are top down and evaluated on the interface the traffic would be seen inbound to pfsense from.. Unless you're doing floating where you can set in or outbound.. But those are for more advanced sort of rules.
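    As an added illustration (not code from the thread, and not pfSense's own implementation), here is a small Python model of the first-match-wins evaluation described in the two moderator posts above: the LAN set with two blocks followed by allow any, the original "LAN net to WAN address" allow so you can see how little it actually permits, and a guest-wifi set with "This Firewall" and a negated (!) localsIPv4 alias. The subnets, interface addresses and the alias members are constructed assumptions; the original poster's real addressing is not on the page.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the three-zone layout in the thread (assumption:
# the original poster's real subnets are not given on the page).
ZONE_NETS = {
    "LAN net": "192.168.1.0/24",
    "WIFI net": "192.168.2.0/24",
    "VOIP net": "192.168.3.0/24",
}
# "<zone> address" is the firewall's own IP on that interface (assumed values).
IFACE_ADDRS = {
    "LAN address": "192.168.1.1",
    "WIFI address": "192.168.2.1",
    "VOIP address": "192.168.3.1",
    "WAN address": "203.0.113.5",
}
# Alias of every internal network, like the localsIPv4 alias mentioned above.
ALIASES = {"localsIPv4": list(ZONE_NETS.values())}


@dataclass
class Rule:
    action: str               # "pass" or "block"
    proto: str                # "any", "icmp", "tcp", "udp"
    src: str                  # zone net / alias / literal CIDR / "any"
    dst: str                  # same, plus "This Firewall"
    negate_dst: bool = False  # the "!" (invert match) on the destination


def expand(target: str) -> list:
    """Resolve a rule target to the list of networks it covers."""
    if target == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if target == "This Firewall":  # every interface address of the firewall
        return [ipaddress.ip_network(a) for a in IFACE_ADDRS.values()]
    if target in ZONE_NETS:
        return [ipaddress.ip_network(ZONE_NETS[target])]
    if target in IFACE_ADDRS:
        return [ipaddress.ip_network(IFACE_ADDRS[target])]
    if target in ALIASES:
        return [ipaddress.ip_network(n) for n in ALIASES[target]]
    return [ipaddress.ip_network(target)]


def in_target(target: str, negate: bool, ip: str) -> bool:
    """True if ip falls inside target; a negated target flips the answer."""
    addr = ipaddress.ip_address(ip)
    hit = any(addr in net for net in expand(target))
    return hit != negate


def evaluate(rules, proto: str, src: str, dst: str):
    """Walk the interface's rules top down; the first match wins.
    Returns (action, rule index), or ("block", None) for the implicit
    default deny when nothing matches."""
    for idx, r in enumerate(rules):
        if r.proto != "any" and r.proto != proto:
            continue
        if not in_target(r.src, False, src):
            continue
        if not in_target(r.dst, r.negate_dst, dst):
            continue
        return r.action, idx
    return "block", None


# LAN interface, as the moderator describes: two blocks, then allow any.
LAN_RULES = [
    Rule("block", "any", "LAN net", "WIFI net"),
    Rule("block", "any", "LAN net", "VOIP net"),
    Rule("pass", "any", "LAN net", "any"),
]

# The original "LAN net to WAN address" allow on its own: it only reaches
# the firewall's WAN IP, so ordinary internet destinations fall through.
LAN_TO_WAN_ADDRESS_ONLY = [Rule("pass", "any", "LAN net", "WAN address")]

# A guest-style WIFI interface modelled on the wlanguest description: ping
# the interface, block everything else to the firewall, allow anything
# whose destination is NOT in the local-networks alias.
WIFI_GUEST_RULES = [
    Rule("pass", "icmp", "WIFI net", "WIFI address"),
    Rule("block", "any", "WIFI net", "This Firewall"),
    Rule("pass", "any", "WIFI net", "localsIPv4", negate_dst=True),
]

if __name__ == "__main__":
    samples = [
        (LAN_RULES, "tcp", "192.168.1.10", "192.168.2.20"),   # LAN -> WIFI
        (LAN_RULES, "tcp", "192.168.1.10", "198.51.100.7"),   # LAN -> internet
        (LAN_TO_WAN_ADDRESS_ONLY, "tcp", "192.168.1.10", "198.51.100.7"),
        (WIFI_GUEST_RULES, "icmp", "192.168.2.30", "192.168.2.1"),
        (WIFI_GUEST_RULES, "tcp", "192.168.2.30", "192.168.1.50"),  # guest -> LAN host
    ]
    for rules, proto, src, dst in samples:
        print(proto, src, "->", dst, "=>", evaluate(rules, proto, src, dst))
```

    The guest-to-LAN-host case is the one worth staring at: no rule passes it, no rule blocks it by name, and it is the implicit default deny that drops it, which is why unlogged trailing block rules add nothing you can see.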






  • When creating rules I have some rules that allow traffic to the internet for the phone network, and there is a Wifi network where I use a proxy server for traffic to block kids from bad sites. I'm confused on what to set the setting to block traffic between voip and wifi and lan traffic, only allowing traffic from wifi to internet and phone to internet.






  • @chain:

    I'm confused on what to set the setting to block traffic between voip and wifi and lan traffic only allowing traffic from wifi to internet and phone to internet

    Think logically, reading the rules from top down and apply each rule in turn until you find a rule which matches your scenario. It doesn't have to be difficult. And if you want your PHONE network to have internet access you might want to include rules to allow HTTP and HTTPS traffic. If that's what you're trying to achieve, that is.


  • LAYER 8 Global Moderator

    What part do you not understand about ! your networks allowing anything else?

    Or from voip you block to lan and wifi and then allow any

    As muswellhillbilly stated - think logically as you go down the rules..  Top to bottom..

    Curious why you have block rules on the end, there is a DEFAULT block; you're putting those rules in, and since you're not logging them you will not see the traffic that is blocked…

    Also curious why you think you need to be so restrictive on your wifi, if you're using a proxy - it doesn't use DNS. Proxy is what does the dns query.  What is in your outside address alias??  A bunch of stuff, 1 IP?  Your public IP??  It doesn't work like that!!

    I really would just do basic before you try blocking everything..  use simple block to lan, block to voip on your wifi and then once that is working how you want you can get more restrictive with it..

