Want to block a network to interface groups



  • hi all,

    I have created 4 NICs (each NIC is for a different VLAN) and for each NIC I have created firewall rules to pass any proto from any source to any dest.

    Now one of the NICs I DON'T want to talk to any other NICs.

    How is this possible to do please?

    cheers

    rob



  • How is this possible to do please?

    Either remove/edit the rule that allows the access or create a new rule that specifically blocks access.  All of your interfaces are listed under Destination Type.



  • Thanks for all your input. Another question is:

    I told you I had 4 NICs, and for those NICs it automatically creates new firewall rule tabs for each of those interfaces.

    Let's say on one of the tabs (interfaces) I create a rule for any proto from any source to any dest. Now will this rule affect the other networks (interfaces) or will it only affect the interface I assigned it to?

    i.e. can I create all my rules for all networks under one interface tab, as I noticed the source/dest drop-down box has got all my interfaces (i.e. networks), but at the top where it says what interface you want to select this rule for, this is what I'm a bit suspicious about.

    Cheers

    Rob



  • Now will this rule affect the other networks (interfaces) or will it only affect the interface I assigned it to?

    Rules are applied on traffic entering an interface, so any rule you create will only directly affect that network.  For example, if you place a rule on the VLAN10 tab (just making one up), it would affect all traffic coming from clients on the VLAN10 subnet as it enters the pfSense VLAN10 interface.  Firewall rules block traffic coming into an interface, not going out of the interface.  You have to think of it as traffic goes IN to the pfSense interface from the subnet, traffic flows OUT of the pfSense interface to the subnet.



  • thanks guys for all your help,

    I have 4 tabs and they are all my network interfaces, and I have made an interface group called "house" which consists of "staff/servers/old_staff"; the clients interface is on its own and separate network.

    I attach my screenshot of my clients tab.

    The last bottom rule, where I have set clients net to talk to any port and any destination: am I right in thinking it will only talk to the internet and NOT the other network interfaces, or do I need to create a rule for that?

    Basically I want it to talk to the internet but NOT to ANY of the other networks.




  • Your last rule is allowing everything on CLIENTS to talk everywhere, including your other LANs.



  • Ok, how do I go about it then, i.e. to block the client net accessing the house networks?



  • More than one way to do it.  Rules are processed top-down, first-match.  Try:

    Block IP4 All from CLIENTS net to OLD_STAFF net
    Block IP4 All from CLIENTS net to STAFF net
    Block IP4 All from CLIENTS net to SERVERS net
    Allow IP4 All from CLIENTS net to *
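    As an added illustration (not from the thread or from pfSense itself), here is a small Python model of that top-down, first-match evaluation on a single interface tab. It uses the subnets Rob lists further down in his allnet/privatenet aliases; which of those subnets belongs to OLD_STAFF, STAFF and SERVERS is an assumption, and the default-deny at the end mirrors pfSense's implicit block on interface rules.

    ```python
    import ipaddress
    from dataclasses import dataclass

    # Subnets taken from the thread's aliases. The mapping of the three
    # private subnets to OLD_STAFF/STAFF/SERVERS is assumed, not stated.
    NETS = {
        "OLD_STAFF": ipaddress.ip_network("172.16.8.0/21"),
        "STAFF": ipaddress.ip_network("172.16.24.0/24"),
        "SERVERS": ipaddress.ip_network("10.10.20.0/23"),
        "CLIENTS": ipaddress.ip_network("172.17.4.0/22"),
    }


    @dataclass
    class Rule:
        action: str  # "block" or "pass"
        src: str     # interface-net name or "*" for any
        dst: str     # interface-net name or "*" for any


    def matches(net_name: str, ip: ipaddress.IPv4Address) -> bool:
        return net_name == "*" or ip in NETS[net_name]


    def evaluate(rules: list, src_ip: str, dst_ip: str) -> str:
        """Evaluate rules applied to traffic entering one interface:
        top-down, first match wins, implicit block if nothing matches."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for rule in rules:
            if matches(rule.src, src) and matches(rule.dst, dst):
                return rule.action
        return "block"  # pfSense default deny on interface tabs


    # Rob's original CLIENTS tab: a single pass-any rule.
    PASS_ANY = [Rule("pass", "CLIENTS", "*")]

    # The suggested fix: explicit blocks first, pass-any last.
    FIXED = [
        Rule("block", "CLIENTS", "OLD_STAFF"),
        Rule("block", "CLIENTS", "STAFF"),
        Rule("block", "CLIENTS", "SERVERS"),
        Rule("pass", "CLIENTS", "*"),
    ]

    if __name__ == "__main__":
        vm = "172.17.6.146"  # Rob's VM on the CLIENTS interface
        print("pass-any, VM -> SERVERS:", evaluate(PASS_ANY, vm, "10.10.20.5"))
        print("fixed,    VM -> SERVERS:", evaluate(FIXED, vm, "10.10.20.5"))
        print("fixed,    VM -> internet:", evaluate(FIXED, vm, "203.0.113.9"))
    ```

    Putting the pass-any rule above the blocks (`list(reversed(FIXED))`) makes every packet match it first, which is why rule order on the tab decides the outcome.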


  • LAYER 8 Netgate

    Your rules are all hosed.

    First you are blocking to this firewall but only TCP so UDP, etc will be passed by the last rule. You probably want any.

    Second you are passing DNS but only TCP. You probably want TCP/UDP.

    In general, when you make a guest network you:

    • Pass traffic to specific local assets they need like Email and DNS

    • Reject traffic to more general local assets you don't want them to access like LAN, DMZ, and This firewall

    • Pass traffic to any any (the internet)

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order



  • mmm, doesn't work

    I can still ping my private network.

    Here's a detail of my network and I attach a screenshot of my rules.

    interface groups -

    allintf - old staff, clients, staff, servers

    aliases -

    allnet - 172.16.8.0/21, 172.16.24.0/24, 10.10.20.0/23, 172.17.4.0/22

    privatenet - 172.16.8.0/21, 172.16.24.0/24, 10.10.20.0/23

    My VM, as you can see, can ping my private network IP; my VM is on the client interface with IP 172.17.6.146.



  • LAYER 8 Netgate

    Why are you messing around with floating rules? Posting that screenshot tells us nothing. We have no idea what interfaces and directions you applied the rule to, and no idea if quick is enabled.

    All of this matters.

    Forget about saving time with an interface group and just put the rules on the interfaces where they belong.

    After you get it working, look at implementing your management shortcuts.



  • sorted it!!!

    I also made clients net part of the PrivateNet.



  • LAYER 8 Netgate

    Not how I'd do it but glad it's working for you. I think you're putting WAY too much emphasis on doing this on an interface group.

