Block outgoing OPT1 traffic to LAN but allow to the Internet



  • This has always seemed very strange to me.
    All incoming traffic is denied by default. That's ok.
    So if I have an OPT1 interface that I want to allow passing traffic to an OPT2 interface and block passing traffic to LAN.
    Simple. Create a rule on OPT1 that allows traffic to subnets/hosts which are on OPT2. Works fine.
    But suddenly someone says, "hey, give those guys on OPT1 access also to the Internet". That's when I am fried because I don't know how pfSense sees traffic as being "the Internet traffic". It's not the WAN address/subnet because that's literally the WAN address or subnet that the ISP assigns my WAN port and not the Internet.
    Some articles here in the forum mention the possibility to create an alias, use that alias to include all the destinations that I want to block and finally create a rule that allows traffic except (! not) that particular alias. That seems ingenious but to me it has a big flaw: if suddenly I add another interface (whether physical or vlan) I will also be adding other subnets to the environment and suddenly I have to go check all the alias in the system and make up my mind on if I want to include (or not) those new subnets on the negation aliases.
    When I have a small system with few aliases that's not a problem, but when I have more than 20 vlan's it's a big pain in the butt to keep track of everything.
    So, is there any other way around this? Preferably an easier one :)
    Thanks in advance



  • Just create an alias to private address space and use a not rule to that. It should work.


  • LAYER 8 Global Moderator

    As hugovsky has stated the way to do this if your worried about allowing traffic to future networks is to just use a rfci1918 space alias.  You put that on any vlan you create.. Now all vlans/local are blocked from all other vlans unless you make a specific rule that allows the traffic..  Which really is how it should be anyway..

    Big flaw?  Because pfsense doesn't have a alias for the internet??  Which is basically every single network other than rfc1918 space..  So because there is not a button for you to press that says internet access only..  Which I assume also allows access to pfsense for dns?  Should this button allow you to ping pfsense interface on that vlan/segment?  Maybe it should auto allow access to pfsense webgui on that interface, maybe there should be a checkbox next to the button for that.. Its a flaw??  Yeah ok…  Having to write the firewall rules how you want, is a flaw ;)

    If you want another way, just force your internet gateway on the rule that allows your traffic vs a any any rule with no gateway..  Which matches any network pfsense can get too.. Then the default block comes into play..

    You having to evaluate your firewall rules on every single vlan/segment would be part of the process of adding a new vlan/segment to your network anyway..



  • Thank you both, hugovsky and johnpoz, for your input on this matter.
    @johnpoz:

    Big flaw?  Because pfsense doesn't have a alias for the internet??

    Come on, I didn't say pfSense was flawed. If you read my post again you'll see that by "having a flaw" I was actually referring to the ingenious way that some seem to point to on how to work around my problem. That's all ;)
    So, apparently you guys seem to be saying that I should create an alias with rfc1918 space (10.0.0.0 - 10.255.255.255 , 172.16.0.0 - 172.31.255.255 , 192.168.0.0 - 192.168.255.255) and allow all traffic except (! not) that alias? And I should put that rule on top of every other rule inside each interface tab on the firewall rules section, right?
    Just making sure ;)
    TIA
    Cheers


  • LAYER 8 Global Moderator

    well no not exactly.. Since if you did that you would block access to pfsense interface on that in that segment.

    You would create the rules you want to allow which would go from top down to your other networks, pfsense, then you would use that NOT rule with that alias to allow access to stuff that is not on your local network.  Comes down to the details of your specific network, and what access you need/want to allow, etc..

    From these requirements you write the rules.. There is no magic button your press is the point.

    But yes an alias that has the rfc1918 space in it can be use to block access to your local network but allowing access to the internet when you don't want  to just use an any any or block your specific networks directly and then have any any..  There are multiple ways to skin the cat..

    You could also create alias with your networks in it and block that, then have any any that would allow internet, you cold allow the traffic you want then as stated already point all traffic out your internet gateway..

    Way I read your post is you think there should be something that says "internet only access"  Well my point is that is never the case, there are always other things to take into account..  So no there is no magic button that you press or special rule that you create that allows access to the internet.  You need to go over your specific requirements and write the rules to reflect those requirements.

    If you want specific example.. State what you need and details of your network and we can post up some example rules..


Log in to reply