
Topic: Simple Firewall rule confusion?

FroToast
Simple Firewall rule confusion?
« on: May 30, 2017, 06:52:33 pm »
Hi,

So I'm new to pfSense and I'm wondering about the firewall rules. So I just have a few questions.

In the Firewall rules tab, i.e. Firewall > Rules > (name of interface), you're allowed to create a Source for your rule. But since you're already on the tab that corresponds to the interface you're managing, what would you use the Source for?

For instance, if I put a * for Source and WAN net for Destination to allow only internet access, it does not work. Why is that?

Or inversely, if I put (interface name) net for Source and WAN net for the Destination, it does not work either.

(Refer to the pictures attached below.)

FroToast
Re: Simple Firewall rule confusion?
« Reply #1 on: May 30, 2017, 06:55:15 pm »
Also, if it helps, I'll give a little bit of context.

I have a subnet set up for those renting the downstairs and sharing the same connection with us. I want to separate them from our local network. Therefore, I want to allow only their subnet to access the internet.

ptt
Re: Simple Firewall rule confusion?
« Reply #2 on: May 30, 2017, 07:01:40 pm »
> Hi,
>
> So I'm new to pfSense and I'm wondering about the firewall rules. So I just have a few questions.
>
> In the Firewall rules tab, i.e. Firewall > Rules > (name of interface), you're allowed to create a Source for your rule. But since you're already on the tab that corresponds to the interface you're managing, what would you use the Source for?

Because you maybe need/want to "Block/Pass" only one Host/IP (or alias)  ;)

> For instance, if I put a * for Source and WAN net for Destination to allow only internet access, it does not work. Why is that?

Because "WAN Net" != "Internet"

Please check the docs:

https://doc.pfsense.org/index.php/Firewall_Rule_Basics

https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

Harvy66
Re: Simple Firewall rule confusion?
« Reply #3 on: June 02, 2017, 10:03:00 am »
WAN Net is the subnet for the WAN interface

FroToast
Re: Simple Firewall rule confusion?
« Reply #4 on: June 19, 2017, 07:18:02 pm »
Hi,

Sorry for the late reply, I was away from home for a while.

Thanks for your response!

So I just have a few questions.

The Source in a firewall rule would only apply to the interface it is created for, i.e. if I create a rule on the LAN1 tab, that would not affect LAN2. Because I notice there is an option to set the Source to another subnet, even though you're creating a rule for one specified interface, which in turn only manages one subnet.

Could you elaborate on what you mean by "WAN Net != internet"? Because I'm wondering if it is possible to just create a rule to allow a subnet only to the internet, rather than blocking every other subnet. And by the picture I've attached, it doesn't look like it.

This isn't a huge deal; nonetheless, I feel like it makes sense to ask.

Edit: Changed the post to be easier to understand.

« Last Edit: June 20, 2017, 12:07:20 am by FroToast »

johnpoz
Re: Simple Firewall rule confusion?
« Reply #5 on: June 19, 2017, 07:35:10 pm »
> That's why I would like to ask you to elaborate on why WAN != Internet.

So what does "LAN net" = ?? 192.168.1.0/24 or whatever you made your LAN... What does "OPT1 net" = ? 172.16.0.0/23 ??

So why would you think "WAN net" would be anything other than the network on your WAN interface.. Mine is 24.13.x.x/21 -- so that is the network for WAN net, not the internet..

As to why you can pick the Source, as gone over: maybe you want a rule for 192.168.1.14 as the source on that rule, or maybe you have downstream networks and this interface is just a transit network to some downstream router, or maybe it's your enterprise network that is everything under the sun for RFC1918 space? So you could just put any; if it's a transit, the net is prob a /30 or maybe a /29, so that "net" is pretty small.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- If I have helped you and want to help back, https://www.freebsdfoundation.org/donate/
- Please don't PM me for personal help, info you don't want public sure. Link to thread you would like me to look at ok, etc.
1x SG-2440 2.3.3_p1 (work)
1x 2.4.0-BETA Jun 21 01:52:48 VM running on esxi 6.5 (home)

FroToast
Re: Simple Firewall rule confusion?
« Reply #6 on: June 20, 2017, 12:03:10 am »
Look, I didn't mean to sound presumptuous, I'm just wondering about the difference between WAN and Internet that he was referring to.

I am not following you right now. I sense a bit of urgency in your words. I would appreciate it if you would explain in full and clear sentences.

I do not know what you're referring to when you colloquially type out your post as such:

> So what does lan net = ??  192.168.1.0/24 or whatever you made your lan... What does OPT1 net = 172.16.0.0/23 ??
>
> As to why you can pick the source as gone over maybe you want a rule for 192.168.1.14 as the source on that rule, or maybe you have downstream networks and this interface is just a transit network to some downstream router, or maybe its your enterprise network that is everything under the sun for rfc1918 space?  So you could just put any, if its a transit the net prob a /30 or maybe a /29 so that "net" is pretty small.

I am not an advanced user, thus I could not pick up on what you are saying.

> So why would you think wan "net" would be anything other than the network on your wan interface..

The WAN interface is bridged through my modem to the "internet". Therefore, I assumed that if I create a firewall rule with this Source (LAN Net) and this Destination (WAN Net), my users on that subnet would be able to connect to the internet. Please refer to the picture in my opening post.


johnpoz
Re: Simple Firewall rule confusion?
« Reply #7 on: June 20, 2017, 05:01:35 am »
> this destination (WAN Net)

No, that dest is exactly that. Let's say yours is 1.2.3.0/24; that is your public IP.. Are they going there?? No, they are going to some other IP on the internet: 8.8.8.8, 4.4.4.4, etc.. 5.6.7.8

They are not dest to your WAN NET..
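The point the replies keep making, as an added worked example that is not part of this thread and not pfSense's own code: a small first-match evaluator for pfSense-style interface rules. It shows that a rule whose Destination is "WAN net" only passes traffic headed for the WAN interface's own subnet, and it shows the usual way to let one subnet (the tenants' OPT1 here) reach only the Internet: block RFC1918 destinations first, then pass everything, or equivalently one pass rule with an inverted RFC1918 destination. The interface subnets, the RFC1918 alias and every packet address below are constructed for illustration; the interface names and the rule fields follow the thread's own vocabulary.

```python
"""Added example, not from the thread or from pfSense itself: a minimal
first-match evaluator for pfSense-style interface rules, to show why a rule
with destination "WAN net" does not pass traffic to the Internet, and how to
let one subnet reach only the Internet.  All interface subnets and packet
addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed interface subnets ("LAN net", "WAN net", ... expand to these).
INTERFACES = {
    "WAN":  ipaddress.ip_network("203.0.113.0/24"),   # ISP-assigned block, NOT "the Internet"
    "LAN":  ipaddress.ip_network("192.168.1.0/24"),   # the owners' network
    "OPT1": ipaddress.ip_network("192.168.2.0/24"),   # the tenants' subnet
}

# Alias, as one would create under Firewall > Aliases, covering all private space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(spec: str) -> list:
    """Expand a Source/Destination field: '*' (any), '<iface> net', the RFC1918
    alias, or a literal address/CIDR."""
    if spec == "*":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec.endswith(" net"):
        return [INTERFACES[spec[:-4]]]
    if spec == "RFC1918":
        return RFC1918
    return [ipaddress.ip_network(spec)]


@dataclass
class Rule:
    action: str               # "pass" or "block"
    interface: str            # the tab the rule lives on; only packets arriving there are checked
    src: str
    dst: str
    dst_invert: bool = False  # the "Invert match" (not) checkbox on Destination


def matches(rule: Rule, iface: str, src_ip, dst_ip) -> bool:
    if rule.interface != iface:
        return False  # a rule on the LAN tab never sees packets arriving on OPT1
    src_hit = any(src_ip in net for net in resolve(rule.src))
    dst_hit = any(dst_ip in net for net in resolve(rule.dst))
    if rule.dst_invert:
        dst_hit = not dst_hit
    return src_hit and dst_hit


def evaluate(rules: list, iface: str, src: str, dst: str) -> str:
    """First matching rule on the ingress interface wins; no match means block
    (the implicit default deny at the end of every pfSense interface tab)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, iface, src_ip, dst_ip):
            return rule.action
    return "block"


# What the original poster tried: pass OPT1 net -> WAN net.
ATTEMPT = [Rule("pass", "OPT1", "OPT1 net", "WAN net")]

# Tenant subnet to the Internet only, the usual pfSense way: block private
# destinations first, then pass everything else (first match wins, so order matters).
ISOLATED = [
    Rule("block", "OPT1", "OPT1 net", "RFC1918"),
    Rule("pass",  "OPT1", "OPT1 net", "*"),
]

# The same policy as a single rule using the inverted destination.
ISOLATED_ONE_RULE = [Rule("pass", "OPT1", "OPT1 net", "RFC1918", dst_invert=True)]

if __name__ == "__main__":
    tenant = "192.168.2.10"  # constructed tenant host
    for name, rules in (("attempt", ATTEMPT), ("isolated", ISOLATED), ("one-rule", ISOLATED_ONE_RULE)):
        print(name,
              "-> 8.8.8.8:", evaluate(rules, "OPT1", tenant, "8.8.8.8"),
              "| -> WAN subnet:", evaluate(rules, "OPT1", tenant, "203.0.113.5"),
              "| -> LAN host:", evaluate(rules, "OPT1", tenant, "192.168.1.20"))
```

With the ATTEMPT rule set a tenant host gets "block" for 8.8.8.8 and "pass" only for an address inside 203.0.113.0/24, which is exactly what the replies describe. One caveat to keep in mind with the ISOLATED variants: the RFC1918 block also covers the firewall's own OPT1 address, so if the tenants use pfSense for DNS or DHCP relay, a pass rule to "OPT1 address" on those ports has to sit above the block rule, otherwise the tenants resolve nothing even though the Internet is reachable.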