Allow all between interfaces
-
You need ping if you need ping. You don't if you don't.
I, personally, pass ping to the users' default gateway and DNS servers as a matter of courtesy in case someone clueful is trying to debug something.
I don't know why you don't pass what you want them to access then reject any to This firewall. Then reject any to RFC1918. Then pass any.
The only time that won't work is if you have subnets on public addresses; then you'll need another alias for those.
I would love to see a Local subnets automatic alias like This firewall.
-
With Derelict here, this is right on target
Pass the local assets guest hosts need (DNS, etc)
Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
Pass everything else (The internet)
There is never going to be a perfect setup that you can just clone because every setup is different. If you don't understand the concepts even at a basic level and are just wanting to copy a config, you're in trouble. Maybe you should just stick with an off-the-shelf device that doesn't really even allow you control.
Out of the box pfsense does not provide an authoritative name server, like bind can be authoritative. dnsmasq (forwarder) and unbound (resolver) are not really meant to be authoritative for any domain. If what you want is an authoritative name server, then install the bind package in pfsense. Bind can then either forward or resolve. You don't seem to understand the difference between a forwarder and a resolver?? If that is the case you're most likely going to be happy with just the forwarder. Your clients ask pfsense for www.google.com, it forwards that to the name servers you put in the general tab. Simple…
edit: forwarder not resolver, edited..
-
With Derelict here, this is right on target
Pass the local assets guest hosts need (DNS, etc)
Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
Pass everything else (The internet)
There is never going to be a perfect setup that you can just clone because every setup is different. If you don't understand the concepts even at a basic level and are just wanting to copy a config, you're in trouble. Maybe you should just stick with an off-the-shelf device that doesn't really even allow you control.
Out of the box pfsense does not provide an authoritative name server, like bind can be authoritative. dnsmasq (forwarder) and unbound (resolver) are not really meant to be authoritative for any domain. If what you want is an authoritative name server, then install the bind package in pfsense. Bind can then either forward or resolve. You don't seem to understand the difference between a forwarder and a resolver?? If that is the case you're most likely going to be happy with just the resolver. Your clients ask pfsense for www.google.com, it forwards that to the name servers you put in the general tab. Simple…
It's a given there's never a perfect setup, but I prefer starting from an example which most people use and working off from there. Doing it from scratch I may miss a rule that should be in place. I understand the rules but just don't know which to apply; I want to make sure the order is correct.
An example I'm used to in ZS would be: everything is blocked between VLANs, but then I allow a rule for a single host or range to access another VLAN's full subnet or just another single host. There isn't any need for "allow" **** in ZS, so that's a new concept to me. Also in ZS, I don't need to allow DNS (53) in order to resolve internet addresses, since the way ZS works is with iptables, using the forwarding chain as the main filter between interfaces/VLANs. Totally different concept, hence why I just wanted an example of rules most people use, then I work off from there obviously.
-
So my example given would be a start, just leave out the iPad rule I have in place to allow my iPad to go wherever it wants.
-
So my example given would be a start, just leave out the iPad rule I have in place to allow my iPad to go wherever it wants.
Sounds good, so basically
client specific rules to allow
allow DNS
block webui
!RFC1918 disallows access to any other local network but passes all other traffic to WAN
In terms of blocking, are the last 2 sufficient on a guest-only VLAN?
-
depends! Are there some vlans you want the guest to talk to?
-
depends! Are there some vlans you want the guest to talk to?
Not for a true guest; I want it basically strictly internet/WAN only. There are some VLANs where I would permit some limited access to certain hosts on another VLAN, but that's easily done with the specific allow rules placed at the top of the list, correct?
-
Don't get wrapped around the axle about blocking the webGUI. Block everything to destination This firewall after passing what they need to have access to, like DNS.
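The rule order the thread settles on (pass DNS to the firewall, reject the rest to This firewall, reject RFC1918, pass any) depends on pfSense's top-down, first-match evaluation. The following is an added example, not code from the thread or from pfSense: a small first-match evaluator with constructed addresses that shows what each packet hits, what happens when the catch-all pass is placed on top, and the extra alias needed when a local subnet uses public addresses.

```python
import ipaddress

# Constructed sample addressing, not from the thread: the firewall's own interface
# addresses stand in for the "This firewall" alias; 203.0.113.0/24 plays a local
# VLAN that uses public addresses (the case raised in the thread).
THIS_FIREWALL = ["192.168.50.1/32", "192.168.10.1/32", "203.0.113.1/32"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
LOCAL_PUBLIC = ["203.0.113.0/24"]
ANY = ["0.0.0.0/0"]

def rule(action, dst, proto="any", dport=None):
    """A rule is (action, destination networks, protocol, destination port)."""
    return (action, [ipaddress.ip_network(c) for c in dst], proto, dport)

def matches(r, dst, proto, dport):
    _, dst_nets, r_proto, r_port = r
    if r_proto != "any" and r_proto != proto:
        return False
    if r_port is not None and r_port != dport:
        return False
    return any(dst in n for n in dst_nets)

def evaluate(rules, dst, proto, dport=None):
    """Top-down, first match wins, as on a pfSense interface tab; no match is an
    implicit deny. Returns (action, index of the matching rule or None)."""
    dst = ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if matches(r, dst, proto, dport):
            return r[0], i
    return "deny", None

# Guest VLAN rules in the order the thread recommends.
GUEST_RULES = [
    rule("pass", THIS_FIREWALL, "udp", 53),   # DNS to the firewall's resolver/forwarder
    rule("pass", THIS_FIREWALL, "tcp", 53),   # DNS over TCP as well
    rule("reject", THIS_FIREWALL),            # anything else aimed at the firewall (webGUI, SSH, ...)
    rule("reject", RFC1918),                  # other VLANs and private space
    rule("pass", ANY),                        # everything else: the internet
]

# Same rules with the catch-all pass on top: the rejects below it are never reached.
MISORDERED = [GUEST_RULES[4]] + GUEST_RULES[:4]

# The extra alias the thread mentions for local subnets on public addresses,
# inserted before the catch-all.
GUEST_RULES_PUBLIC = GUEST_RULES[:4] + [rule("reject", LOCAL_PUBLIC)] + GUEST_RULES[4:]
```

Call `evaluate(GUEST_RULES, "192.168.10.20", "tcp", 22)` to see a cross-VLAN packet land on the RFC1918 reject, and the same call against `MISORDERED` to see it pass on rule 0.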