Netgate Discussion Forum
Want to block a network to interface groups

Category: Firewalling
13 Posts, 3 Posters, 2.6k Views

robina80, Dec 4, 2015, 9:56 AM

    Hi all,

    I have created 4 NICs (each NIC is for a different VLAN), and for each NIC I have created firewall rules to pass any proto from any source to any dest.

    Now, one of the NICs I DON'T want to talk to any other NICs.

    How is this possible to do, please?

    Cheers,

    Rob

KOM, Dec 4, 2015, 3:13 PM

      > how is this possible to do please

      Either remove/edit the rule that allows the access or create a new rule that specifically blocks access.  All of your interfaces are listed under Destination Type.

robina80, Dec 5, 2015, 6:06 PM (edited Dec 5, 2015, 6:27 PM)

        Thanks for all your input. Another question is:

        I told you I had 4 NICs, and for those NICs it automatically creates new firewall rule tabs for each of those interfaces.

        Let's say on one of the tabs (interfaces) I create a rule for any proto from any source to any dest. Now, will this rule affect the other networks (interfaces), or will it only affect the interface I assigned it to?

        I.e. can I create all my rules for all networks under one interface tab? I noticed the source/dest drop-down box has got all my interfaces, i.e. networks, but at the top, where it says what interface you want to select this rule for, this is what I'm a bit suspicious about.

        Cheers,

        Rob

KOM, Dec 6, 2015, 2:01 AM

          > now will this rule affect the other networks (interfaces) or will it only affect the interface i assigned it to

          Rules are applied on traffic entering an interface, so any rule you create will only directly affect that network.  For example, if you place a rule on the VLAN10 tab (just making one up), it would affect all traffic coming from clients on the VLAN10 subnet as it enters the pfSense VLAN10 interface.  Firewall rules block traffic coming into an interface, not going out of the interface.  You have to think of it as traffic goes IN to the pfSense interface from the subnet, traffic flows OUT of the pfSense interface to the subnet.

robina80, Dec 8, 2015, 4:38 PM

            Thanks guys for all your help.

            I have 4 tabs and they are all my network interfaces, and I have made an interface group called "house" which consists of "staff/servers/old_staff". The clients interface is on its own, separate network.

            I attach my screenshot of my clients tab.

            The last, bottom rule, where I have set clients net to talk to any port and any destination: am I right in thinking it will only talk to the internet and NOT the other network interfaces, or do I need to create a rule for that?

            Basically I want it to talk to the internet but NOT to ANY of the other networks.

            [screenshot: rules.JPG]

KOM, Dec 8, 2015, 6:13 PM

              Your last rule is allowing everything on CLIENTS to talk everywhere, including your other LANs.

robina80, Dec 8, 2015, 6:49 PM

                OK, how do I go about it then, i.e. to block the client net accessing the house networks?

KOM, Dec 8, 2015, 7:00 PM

                  More than one way to do it.  Rules are processed top-down, first-match.  Try:

                  Block IP4 All from CLIENTS net to OLD_STAFF net
                  Block IP4 All from CLIENTS net to STAFF net
                  Block IP4 All from CLIENTS net to SERVERS net
                  Allow IP4 All from CLIENTS net to *

Derelict (LAYER 8, Netgate), Dec 8, 2015, 8:15 PM

                    Your rules are all hosed.

                    First you are blocking to this firewall but only TCP so UDP, etc will be passed by the last rule. You probably want any.

                    Second you are passing DNS but only TCP. You probably want TCP/UDP.

                    In general, when you make a guest network you:

                    • Pass traffic to specific local assets they need like Email and DNS

                    • Reject traffic to more general local assets you don't want them to access like LAN, DMZ, and This firewall

                    • Pass traffic to any any (the internet)

                    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

                    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

                    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

robina80, Dec 9, 2015, 5:03 PM
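To make the two points above concrete, here is a small first-match evaluator for pfSense-style interface rules. It is an added example, not code from this thread or from pfSense; the subnets are the aliases robina80 lists later in the thread, and the firewall address 172.17.4.1 is an assumed CLIENTS gateway. It shows why the original pass-all rule reaches the other LANs, why KOM's explicit blocks ahead of the catch-all pass fix that, and why a TCP-only block of "This firewall" still lets UDP through.

```python
"""First-match evaluation of pfSense-style interface rules (added example)."""
from ipaddress import ip_address, ip_network

# Aliases as listed in the thread (constructed sample data).
OLD_STAFF = ip_network("172.16.8.0/21")
STAFF = ip_network("172.16.24.0/24")
SERVERS = ip_network("10.10.20.0/23")
CLIENTS = ip_network("172.17.4.0/22")
FIREWALL = ip_network("172.17.4.1/32")  # assumed: pfSense address on CLIENTS
ANY = ip_network("0.0.0.0/0")


def evaluate(rules, proto, src, dst):
    """Return the action of the first rule that matches a packet as it
    enters the interface. Interface-tab rules in pfSense are 'quick', so
    the first match wins; no match falls through to the implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for action, rproto, rsrc, rdst in rules:
        if rproto not in ("any", proto):
            continue
        if src in rsrc and dst in rdst:
            return action
    return "block"  # implicit default deny


# The original CLIENTS tab: one pass-all rule, which also reaches the other LANs.
ORIGINAL = [("pass", "any", CLIENTS, ANY)]

# KOM's ordering: explicit blocks before the catch-all pass.
KOM = [
    ("block", "any", CLIENTS, OLD_STAFF),
    ("block", "any", CLIENTS, STAFF),
    ("block", "any", CLIENTS, SERVERS),
    ("pass", "any", CLIENTS, ANY),
]

# Derelict's first point: a TCP-only block of the firewall leaves UDP to it open.
TCP_ONLY = [("block", "tcp", CLIENTS, FIREWALL), ("pass", "any", CLIENTS, ANY)]
FIXED = [("block", "any", CLIENTS, FIREWALL), ("pass", "any", CLIENTS, ANY)]

if __name__ == "__main__":
    vm = "172.17.6.146"  # the VM on the clients interface from the thread
    print("original, ping staff:", evaluate(ORIGINAL, "icmp", vm, "172.16.24.10"))
    print("KOM, ping staff:     ", evaluate(KOM, "icmp", vm, "172.16.24.10"))
    print("KOM, tcp internet:   ", evaluate(KOM, "tcp", vm, "203.0.113.5"))
    print("tcp-only, udp to fw: ", evaluate(TCP_ONLY, "udp", vm, "172.17.4.1"))
    print("fixed, udp to fw:    ", evaluate(FIXED, "udp", vm, "172.17.4.1"))
```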

                      Mmm, doesn't work.

                      I can still ping my private network.

                      Here's a detail of my network, and I attach a screenshot of my rules.

                      Interface groups:

                      allintf - old staff, clients, staff, servers

                      Aliases:

                      allnet - 172.16.8.0/21, 172.16.24.0/24, 10.10.20.0/23, 172.17.4.0/22

                      privatenet - 172.16.8.0/21, 172.16.24.0/24, 10.10.20.0/23

                      My VM, as you can see, can ping my private network IP. My VM is on the client interface with IP 172.17.6.146.

                      [screenshot: rules1.JPG]

Derelict (LAYER 8, Netgate), Dec 9, 2015, 5:15 PM (edited Dec 9, 2015, 5:23 PM)

                        Why are you messing around with floating rules? Posting that screenshot tells us nothing. We have no idea what interfaces and directions you applied the rule to, and no idea if quick is enabled.

                        All of this matters.

                        Forget about saving time with an interface group and just put the rules on the interfaces where they belong.

                        After you get it working, look at implementing your management shortcuts.

robina80, Dec 10, 2015, 10:46 AM

                          Sorted it!!!

                          I also made clients net part of the PrivateNet.

                          [screenshot: rules1.JPG]

Derelict (LAYER 8, Netgate), Dec 10, 2015, 6:52 PM

                            Not how I'd do it but glad it's working for you. I think you're putting WAY too much emphasis on doing this on an interface group.
