
Author Topic: 3 Problems for a newby using pfsense: NAT, Internal Access, and Internet Access  (Read 417 times)


Offline jahonix

  • Hero Member
  • Posts: 2444
  • Karma: +146/-14
  • volunteer since 2006
Slow, one problem at a time. Don't jump to other stuff before the first is solved (and understood).

> As a guess though, I think I need to change the order of the rules you mention?
What?
You described your DMZ rule as:
> Logic says ... the destination should be WAN net.
and that destination is wrong. WAN net is the transit network between your WAN interface and your provider's gateway. Nothing more, especially not "the internet".

I described your DMZ rules in words. Can you understand that or do you need the rules written?


> Squid off: (Direct ISP) 180 - 210Mbps
> Squid on: (Direct ISP) 5 - 12Mbps
> Squid off: (VPN On) 40 - 60Mbps
> Squid on: (VPN On) often unable to perform a speed test.
>
> Any idea why this might be?
No idea.


> ... three SSID's ... VLANs ... through separate VPN connections ... adding the tags to the interfaces (Ovpn2) ...
> ... or is this subject for another topic?
Definitely worth another topic.
Chris

The issue with IPv6 jokes is that almost no one understands them and no one is using them yet.

Offline karldonteljames

  • Newbie
  • Posts: 17
  • Karma: +1/-0
Ok, so I've spent the last couple of lunchtimes trying to get my head around subnetting and understanding the "/24" part at the end of an IP address and I've got my head around that now (I think.)

If I change the DMZ outbound rule, and set the destination to "any" the DMZ machines can access the internet. As I have a rule that blocks the DMZ from LAN I believe I could leave it like that and everything would work ok.

I don't really want to set a rule that allows all, then another to block DMZ to LAN; I would much rather set a rule that allows DMZ to access the internet only.

Below are the DMZ rules and NAT config.

Offline karldonteljames

  • Newbie
  • Posts: 17
  • Karma: +1/-0
I've spent this evening reading and re-reading your post, then having a play with the rules. I think I've got this now, please correct me if I'm wrong.

If I put the rules in this order with the following settings:
1) deny DMZ to LAN first; it will block anything that tries to access the LAN from the DMZ.
2) allow HTTPS and HTTP to all destinations and set the gateway to either default or one of my OpenVPN clients; it will have access to the internet, but as it is processed AFTER the deny rule, it won't affect anything going to the LAN.

Enable "Block private networks and loopback addresses" and "Block bogon networks" on all interfaces except LAN.

Thanks.

Karl

Offline jahonix

  • Hero Member
  • Posts: 2444
  • Karma: +146/-14
  • volunteer since 2006
> I don't really want to set a rule that allows all, then another to block DMZ to LAN; I would much rather set a rule that allows DMZ to access the internet only.
Problem is that you cannot define "the internet" in an alias or CIDR notation.
You could make a single rule with a negation, "allow all but LAN", using the "NOT" checkbox. Denying LAN is then finally caught by the hidden/invisible "block everything else" rule at the bottom of your ruleset. Problem is that such a rule implies something that is not expressly written and thus makes it hard to understand what you were doing in future reviews/changes. With two separate rules it's obvious and visible.


> I think I've got this now, please correct me if I'm wrong.
Nothing to correct, well done! And I mean really well done. You learned a lot, didn't you!

> Enable "Block private networks and loopback addresses" and "Block bogon networks" on all interfaces except LAN.
That's usually not really needed, and if you use it then that'll be on WAN at best. The "Bogon" part can come in handy there, but better ISPs filter that anyway. Except for edge cases you will not have traffic from private IPs to your WAN anyway.
On local interfaces, "Block private networks" can do more harm than good. All local interfaces usually belong to private networks, aka RFC1918.
Chris
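The three points the thread turns on (a destination of "WAN net" only matches the transit network, not the internet; a block-DMZ-to-LAN rule placed before an allow-to-any rule; and the single "NOT LAN net" rule that relies on the hidden default deny) can be checked with a small first-match rule simulator. The code below is an added example, not pfSense code and not from either poster. It assumes constructed addressing (LAN 192.168.1.0/24, DMZ 192.168.10.0/24, a /30 "WAN net" in 203.0.113.0/24, an "internet" host in 198.51.100.0/24) and models only source, destination, port and top-down first match; policy-routing gateways, states and "quick" semantics are not modelled.

```python
"""Simulate pfSense-style top-down, first-match rule evaluation on the DMZ tab.

Added example (not from the thread). All addresses are constructed: the
documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for the ISP
transit network and an arbitrary internet host.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # "LAN net"
DMZ_NET = ipaddress.ip_network("192.168.10.0/24")   # "DMZ net"
WAN_NET = ipaddress.ip_network("203.0.113.0/30")    # "WAN net": the /30 to the ISP gateway
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_PORTS = frozenset({80, 443})


@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[FrozenSet[int]] = None   # None means any destination port
    negate_dst: bool = False                 # the destination "NOT" (invert match) checkbox
    desc: str = ""


def matches(rule: Rule, src: ipaddress.IPv4Address,
            dst: ipaddress.IPv4Address, port: int) -> bool:
    dst_hit = dst in rule.dst
    if rule.negate_dst:
        dst_hit = not dst_hit
    return src in rule.src and dst_hit and (rule.ports is None or port in rule.ports)


def evaluate(rules, src: str, dst: str, port: int):
    """Top-down, first match wins; anything unmatched hits the hidden default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, s, d, port):
            return rule.action, rule.desc
    return "block", "implicit default deny"


# Ruleset A: destination "WAN net". Only the transit /30 (i.e. the ISP gateway) matches.
RULESET_WAN_NET = [
    Rule("pass", DMZ_NET, WAN_NET, WEB_PORTS, desc="allow DMZ web to WAN net"),
]

# Ruleset B: the two explicit rules from the thread, deny first, then allow web to any.
RULESET_TWO_RULES = [
    Rule("block", DMZ_NET, LAN_NET, desc="block DMZ to LAN"),
    Rule("pass", DMZ_NET, ANY, WEB_PORTS, desc="allow DMZ web to any"),
]

# Same two rules in the wrong order: the allow now shadows the block for web ports.
RULESET_SWAPPED = list(reversed(RULESET_TWO_RULES))

# Ruleset C: one rule with the NOT checkbox; LAN traffic falls through to the default deny.
RULESET_NOT_LAN = [
    Rule("pass", DMZ_NET, LAN_NET, WEB_PORTS, negate_dst=True, desc="allow DMZ web to !LAN net"),
]

if __name__ == "__main__":
    dmz_host, lan_host, inet_host, isp_gw = "192.168.10.5", "192.168.1.20", "198.51.100.10", "203.0.113.1"
    for name, rs in [("WAN net", RULESET_WAN_NET), ("two rules", RULESET_TWO_RULES),
                     ("swapped", RULESET_SWAPPED), ("NOT LAN", RULESET_NOT_LAN)]:
        for dst, port in [(inet_host, 443), (lan_host, 443), (isp_gw, 443), (inet_host, 22)]:
            print(f"{name:10} {dmz_host} -> {dst}:{port}  {evaluate(rs, dmz_host, dst, port)}")
```

Running it shows ruleset A passing only traffic to the ISP gateway itself, ruleset B and C both passing web traffic to the internet while LAN is blocked (B by the explicit rule, C by the unnamed default deny), and the swapped order letting DMZ web traffic reach the LAN, which is the visibility argument for keeping two explicit rules.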