
Author Topic: Allow subnet A to initiate connections to subnet B, but not the other way around  (Read 230 times)


Offline genericname34

Okay, so I have a small ESXi home server on which I run pfSense with a few Internet accessible VMs on it.
Right now the public VMs are on a fully isolated network from my LAN and can only go to the internet.

However I would want to be able to initiate connections from the PC to the VM for faster local uploads, but not have it the other way around. Like below.



I know this is possible to do with states in iptables, but I was not able to find an equivalent in pfSense.
Can anyone point me in the right direction?

Offline Derelict

Sure. Don't pass connections to LAN on Public VMs interface.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline johnpoz

Post up your public VMs interface firewall rules on pfsense, and your LAN rules, and we can discuss. But as Derelict stated already, it's a simple rule on the publicVM rules to block them from starting conversations with the LAN network. If you allow LAN to talk to the publicVMs network on the LAN rules, or have an ANY rule, then they would be able to start conversations with the devices on that network and either upload or download stuff, etc.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.2-RELEASE on VM esxi 6.5 (home)

Offline genericname34

Huh, coming from DD-WRT and iptables, where I had to fiddle around with the firewall script and RELATED,ESTABLISHED states, I expected it would be more difficult.
It's nice to see pfSense is smart enough to keep track of connections under the hood.

Anyway, here are the firewall screenshots if anyone else will seek such a configuration in the future.





Thanks, Derelict and johnpoz!

Offline KOM

Your first rule under LAN is unnecessary since the rules below it will pass all traffic to anywhere.

Offline johnpoz

Also, you're blocking access to the firewall, which will prevent them from using pfsense as DNS. Are your public VMs pointing to something else for DNS?

On my more restrictive VLANs, I normally allow access to ping the pfsense interface for a simple connectivity check, and allow DNS to the pfsense interface in that VLAN so they can use pfsense as DNS. Then the block all to "this firewall" rule.

Your rules are fine if you really don't want those vms to even be able to ping or use pfsense as dns.
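The one-way setup Derelict and johnpoz describe (LAN may initiate to the VM subnet, VMs may not initiate to LAN, plus the ping/DNS allowances before the "this firewall" block), written out as an added pf ruleset. It is not from the thread or from pfSense's generated config; interface names and subnets are assumed placeholders.

```pf
# Added example (not from the thread). pfSense evaluates its GUI rules
# first-match, which in hand-written pf.conf is expressed with "quick".
lan_if  = "vtnet0"              # assumed LAN interface
vm_if   = "vtnet1"              # assumed Public VMs interface
lan_net = "192.168.1.0/24"      # assumed LAN subnet
vm_net  = "192.168.50.0/24"     # assumed Public VMs subnet
vm_gw   = "192.168.50.1"        # assumed pfSense address on the VM interface

set skip on lo0
block log all                    # default deny, as pfSense does
pass out quick all keep state    # pfSense passes outbound on every interface

# --- Public VMs interface: traffic entering pfSense from the VMs ---
# johnpoz's allowances: ping and DNS to the firewall's own address on this
# segment, then deny everything else aimed at the firewall ("This Firewall").
pass  in quick on $vm_if inet proto icmp from $vm_net to $vm_gw icmp-type echoreq keep state
pass  in quick on $vm_if inet proto { tcp udp } from $vm_net to $vm_gw port 53 keep state
block in quick on $vm_if from $vm_net to self

# Derelict's rule: VMs may not START conversations with LAN. Replies to
# LAN-initiated connections never reach this rule, because pf consults the
# state table before the ruleset and the state was created by the LAN pass
# rule below. This is what replaces the iptables RELATED,ESTABLISHED dance.
block in log quick on $vm_if from $vm_net to $lan_net

# Everything else from the VMs (Internet) is allowed.
pass  in quick on $vm_if from $vm_net to any keep state

# --- LAN interface ---
# LAN may initiate anything, including to the VM subnet; "keep state" on this
# rule is what lets the VM's replies come back in through $vm_if.
pass  in quick on $lan_if from $lan_net to any keep state
```

Rule order on the VM interface matters: the block to $lan_net must sit above the pass-to-any rule, and the rule set can be checked with `pfctl -nf /path/to/pf.conf` before loading.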

Offline genericname34

Ah, thanks for the tip, I removed that rule now.

And yeah, I usually just put Google DNS in resolver.conf of all my servers. I guess for troubleshooting it could be useful to be able to ping the pfSense interface, I might switch to just blocking an alias of ports 22 and 80 from the VM subnet.

Again thanks for the help guys, I'm really loving pfSense so far and the community as well! :D

Offline johnpoz

"I usually just put Google DNS in resolver.conf of all my servers."

Why not point to pfsense? It would be running a resolver out of the box. So now you get the advantage of DNSSEC, your local devices could resolve each other by name, and you would have a local cache that all your machines could use.

This way device 1 looks up www.domain.tld, and when device 2 goes to look it up a few minutes/seconds later, it doesn't have to go out to the public to find the info from Google DNS again. It's cached locally on pfsense.

Offline genericname34

I suppose I could do that; I'll add a rule for the DNS port the next time I'm messing with it.
Thanks!