Review my firewall rules for guest wifi/captive portal



  • So I have this currently setup for my guest wifi/captive portal which is set with open auth and just using vouchers.

    Do I need anymore rules?



  • You're not being clear about what you want to achieve.
    No one can tell you what you should do if you didn't tell them exactly what you want to happen. aha
    If you don't need any specifications w/ the captive portal, you don't need to make new rules on the firewall. :)



  • @FlashEngineer:

    So I have this currently setup for my guest wifi/captive portal which is set with open auth and just using vouchers.

    Do I need anymore rules?

    "I'm driving my car from my house to my local shop and have four litres of petrol in the tank."

    "Will I need any more gasoline?"

    Taking the above comment as an example, I've left out a wealth of information: How many mpg does my car do? How far is it from my house to my shop? Do I rev the engine a lot during the journey? Will loading my car with groceries/people have an effect on my petrol use?

    I think you get the point.


  • Netgate

    That all looks pretty good.

    I'll go on record, again, saying I don't like the pass !RFC1918 rule.

    I'd prefer a Reject dest RFC1918 followed by a pass any any.

    Something about blocking traffic with a pass rule just doesn't sit right with me. If you want to block it, block it.



  • OP,

    It looks like you have IPv6 configured, in which case you are blocking guest traffic to RFC1918, but not to your internal IPv6 block, if it exists.

    I agree with Derelict, not a fan of the !RFC1918 rule.  Go with a 'IPV4 BLOCK ANY to RFC1918', 'IPv6 BLOCK ANY to MYIPv6SPACE', followed by a 'IPv4+IPv6 PERMIT ANY to ANY' rule.

    …ct




  • @Derelict:

    That all looks pretty good.

    I'll go on record, again, saying I don't like the pass !RFC1918 rule.

    I'd prefer a Reject dest RFC1918 followed by a pass any any.

    Something about blocking traffic with a pass rule just doesn't sit right with me. If you want to block it, block it.

    Hmm that makes sense.

    So if I just put another rule: BLOCK all traffic net to RFC1918. Then the last line, I need to modify it to just pass any for internet access?


  • Netgate

    You probably still want to block any to This firewall (self) after you pass the services on the firewall they need to access like DNS and ICMP.

    I guess the above is really directed @cthomas. How does it go over with the users only allowing TCP/80?

    Sorry. Looking at the wrong set of rules. Probably time to post what you have after you make the RFC1918 change.



  • Attached.

    I guess the last line I can remove the !RFC1918 and just put *.



  • Netgate

    @FlashEngineer:

    Attached.

    I guess the last line I can remove the !RFC1918 and just put *.

    That's what I would do. I've seen people call it "extra insurance" but I think it just makes the rule set harder to understand.

    I take it Chromecasts are in RFC1918?

    And for things like this I like reject rules over block rules. Nice for applications to get immediate, proper responses instead of just hanging until they time out.



  • Yup Chromecast is just on another vlan.

    So which types of rules would you use block vs reject?  How about the firewall access one?

    @Derelict:

    @FlashEngineer:

    Attached.

    I guess the last line I can remove the !RFC1918 and just put *.

    That's what I would do. I've seen people call it "extra insurance" but I think it just makes the rule set harder to understand.

    I take it Chromecasts are in RFC1918?

    And for things like this I like reject rules over block rules. Nice for applications to get immediate, proper responses instead of just hanging until they time out.


  • Netgate

    Generally if I'm filtering connections coming from inside, I reject. From outside, I block.



  • @FlashEngineer
    Are you able to get apps to cast to your Chromecast across VLANs? That doesn't work for me even with the Firewall rule between them totally open. The Chromecast can be pinged, but apps like Google Cast and YouTube don't find them.

    Are your VLANs on different subnets or just different pools within the same subnet?



  • @gfvalvo:

    @FlashEngineer
    Are you able to get apps to cast to your Chromecast across VLANs? That doesn't work for me even with the Firewall rule between them totally open. The Chromecast can be pinged, but apps like Google Cast and YouTube don't find them.

    Are your VLANs on different subnets or just different pools within the same subnet?

    Different VLANs

    You need to install the AVAHI package and turn on the option "Enable Reflector Reflect incoming mDNS requests to all local network interfaces (Default: enabled)"

    Select the VLANs you don't want avahi running, then your devices will find chromecast and other stuff like printers etc.



  • Newbie Questions

    1. Looking to follow guidelines from this post. I'm assuming 'RFC1918' is an alias? If so, please share screen shot of your definition.

    2. Won't blocking RFC1918 also block access to 'This Firewall'? If so, need that be done explicitly?

    3. Assuming pfSense is the DHCP server for this interface, are no other explicit 'Pass' rules required for clients to get their IP address?

    Thanks.

    Greg



  • @gfvalvo:

    Newbie Questions

    1. Looking to follow guidelines from this post. I'm assuming 'RFC1918' is an alias? If so, please share screen shot of your definition.

    2. Won't blocking RFC1918 also block access to 'This Firewall'? If so, need that be done explicitly?

    3. Assuming pfSense is the DHCP server for this interface, are no other explicit 'Pass' rules required for clients to get their IP address?

    Thanks.

    Greg

    1. RFC1918 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    2. Yes. No.
    3. When you turn on DHCP Server, pfSense makes a firewall PASS rule for this automatically. Unfortunately it is a hidden firewall rule, so you won't see it in the firewall rules list. Sidebar - these hidden rules are a pet peeve of mine, I hate that they don't show up in the list…
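    Added example (not from the thread or from pfSense): a small first-match evaluator over the guest rule order discussed above (pass DNS and ICMP to the firewall, reject RFC1918, pass any), using constructed addresses. It shows that the RFC1918 reject already covers the firewall's own guest address (answer 2), and that an internal IPv6 prefix slips through to "pass any" until a separate reject is added, as pointed out earlier in the thread.

```python
"""First-match evaluation of a guest-VLAN rule set like the one in this thread (pf stops at the first match)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values; the real addresses are not on the page.
GUEST_IF = "192.168.50.1"                      # pfSense address on the guest VLAN ("This Firewall")
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
INTERNAL_V6 = ["fd12:3456:789a::/48"]          # constructed internal ULA prefix


@dataclass
class Rule:
    action: str            # "pass", "reject" or "block"
    proto: str             # "any", "tcp", "udp" or "icmp"
    dst: List[str]         # CIDR prefixes, or ["any"]
    port: Optional[int]    # destination port, None = any
    name: str


def _dst_match(rule: Rule, ip: str) -> bool:
    """True if ip falls in one of the rule's destination prefixes (version mismatch never matches)."""
    if rule.dst == ["any"]:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in rule.dst)


def evaluate(rules: List[Rule], proto: str, dst_ip: str, dst_port: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the implicit default deny."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != dst_port:
            continue
        if _dst_match(r, dst_ip):
            return r.action, r.name
    return "block", "default deny"


# Rule order from the thread: pass the firewall services guests need, reject RFC1918, then pass any.
# The guest interface address sits inside 192.168.0.0/16, so the RFC1918 reject also covers "This Firewall".
GUEST_RULES = [
    Rule("pass", "udp", [GUEST_IF], 53, "DNS to This Firewall"),
    Rule("pass", "icmp", [GUEST_IF], None, "ICMP to This Firewall"),
    Rule("reject", "any", RFC1918, None, "reject RFC1918"),
    Rule("pass", "any", ["any"], None, "pass any"),
]

# Same set with the internal IPv6 reject inserted before "pass any", closing the gap noted in the thread.
GUEST_RULES_V6 = GUEST_RULES[:3] + [Rule("reject", "any", INTERNAL_V6, None, "reject internal IPv6")] + GUEST_RULES[3:]
```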



  • @FlashEngineer:

    @gfvalvo:

    @FlashEngineer
    Are you able to get apps to cast to your Chromecast across VLANs? That doesn't work for me even with the Firewall rule between them totally open. The Chromecast can be pinged, but apps like Google Cast and YouTube don't find them.

    Are your VLANs on different subnets or just different pools within the same subnet?

    Different VLANs

    You need to install the AVAHI package and turn on the option "Enable Reflector Reflect incoming mDNS requests to all local network interfaces (Default: enabled)"

    Select the VLANs you don't want avahi running, then your devices will find chromecast and other stuff like printers etc.

    This is helpful, thanks.  Could you post your VLAN layout?  I'm setting up Admin/Private/CC/Guest network and am curious how others have done this.