Author Topic: Firewall Rule Help  (Read 400 times)

Offline Stewart

  • Full Member
  • Posts: 279
  • Karma: +16/-2
Firewall Rule Help
« on: December 20, 2017, 04:38:26 pm »
I have a device with 3 ports configured:  WAN (static public IP w/ 500Mbps fiber), LAN1 (192.168.10.1), and LAN2 (192.168.20.1).  LAN1 and LAN2 both need internet access.  LAN1 needs to access devices on LAN2 (specifically 192.168.20.4 which is the DVR).  LAN2 should not be able to access devices on LAN1.

Here are my rules:  (I'll edit until they are readable.  Not sure how to get them to display nicely.)

WAN:
Code:
ID      Proto   Source                          Port   Destination   Port   Gateway   Queue   Schedule   Description
Block   *       RFC 1918 networks               *      *             *      *         *                  Block private networks
Block   *       Reserved/not assigned by IANA   *      *             *      *         *       *          Block bogon networks

LAN1:
Code:
ID      Proto   Source    Port   Destination    Port      Gateway   Queue   Schedule   Description
Pass    *       *         *      LAN1 Address   80 9022   *         *                  Anti-Lockout Rule
Block   IPv4*   LAN2net   *      LAN1 net       *         *         none               Block LAN2
Pass    IPv4*   LAN1net   *      *              *         *         none               Default allow LAN1 to any rule
Pass    IPv4*   *         *      192.168.20.4   *         *         none               DVR

LAN2:
Code:
ID      Proto   Source         Port   Destination   Port   Gateway   Queue   Schedule   Description
Pass    IPv4*   LAN2net        *      *             *      *         none               Default allow LAN2 to any rule
Pass    IPv4*   LAN1net        *      *             *      *         none               LAN1 Connection
Pass    IPv4*   192.168.20.4   *      *             *      *         none               Allow All
I know it isn't right since LAN2 has access to LAN2 but when I try to set it up the right way LAN2 doesn't get any internet access.  What changes can I make so that LAN1 and LAN2 can get out to the internet and LAN1 has access to LAN2 but LAN2 doesn't have access to LAN1?  Thanks for any help!

Edit:  Hope it's readable now!
« Last Edit: December 20, 2017, 04:59:44 pm by Stewart »

Offline viragomann

  • Hero Member
  • Posts: 2830
  • Karma: +312/-1
Re: Firewall Rule Help
« Reply #1 on: December 20, 2017, 05:48:03 pm »
Firewall rules are applied on the incoming interface. So a rule with source = LAN2net on the LAN1 interface will not have any effect.

Your rule set may look like this:

LAN1:
Code:
          ID       Proto       Source     Port     Destination       Port       Gateway        Queue       Schedule        Description
Pass               *           *          *        LAN1 Address      80 9022    *              *                           Anti-Lockout Rule
Pass               IPv4*       LAN1net    *        192.168.20.4      *          *              none                        DVR
Block              IPv4*       *          *        RFC1918           *          *              none                        Block internal networks
Pass               IPv4*       LAN1net    *        *                 *          *              none                        Default allow LAN1 to any rule

LAN2:
Code:
          ID       Proto       Source     Port     Destination       Port       Gateway        Queue       Schedule        Description
Block              IPv4*       *          *        RFC1918           *          *              none                        Block internal networks
Pass               IPv4*       LAN2net    *        *                 *          *              none                        allow Internet

RFC1918 is an alias which includes all RFC 1918 networks. This will still be safe if you add an additional private network in the future.

Offline Stewart

  • Full Member
  • Posts: 279
  • Karma: +16/-2
Re: Firewall Rule Help
« Reply #2 on: December 21, 2017, 12:59:29 pm »
Interesting.  I didn't know about using RFC1918 as an alias to block internal networks.  I tried just using * but it didn't do what I wanted.  I'll give it a shot.

Edit:  Using RFC1918 results in an error of "RFC1918 is not a valid destination IP address or alias."  Is it an alias I need to create?
« Last Edit: December 21, 2017, 01:03:13 pm by Stewart »

Offline KOM

  • Hero Member
  • Posts: 5835
  • Karma: +711/-23
Re: Firewall Rule Help
« Reply #3 on: December 21, 2017, 01:06:09 pm »
Make your own similar alias using:

RFC1918
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8
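To see why viragomann's rule set (Reply #1) gives the asymmetric access Stewart asked for, and how KOM's RFC1918 alias fits into it, here is an added example that is not from the thread or from pfSense itself: a small first-match evaluator that picks the ingress interface from the packet's source subnet and walks that interface's rules top to bottom, with no match falling through to the default deny. The /24 masks, the host addresses and the "DVR"/"LAN1 Address" aliases are constructed assumptions; the RFC1918 alias is KOM's list as posted.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: the thread gives the interface IPs but not the
# masks, so /24 is assumed for both LANs.
IFACES = {"LAN1": ip_network("192.168.10.0/24"), "LAN2": ip_network("192.168.20.0/24")}

# Aliases. RFC1918 is the alias KOM posted (127.0.0.0/8 included as posted).
ALIASES = {
    "any": None,  # None = match every address
    "RFC1918": [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")],
    "LAN1net": [IFACES["LAN1"]],
    "LAN2net": [IFACES["LAN2"]],
    "LAN1 Address": [ip_network("192.168.10.1/32")],  # assumed LAN1 interface IP
    "DVR": [ip_network("192.168.20.4/32")],
}

# viragomann's rule set, top to bottom: (action, source, destination, dest ports, description).
RULES = {
    "LAN1": [
        ("pass", "any", "LAN1 Address", {80, 9022}, "Anti-Lockout Rule"),
        ("pass", "LAN1net", "DVR", None, "DVR"),
        ("block", "any", "RFC1918", None, "Block internal networks"),
        ("pass", "LAN1net", "any", None, "Default allow LAN1 to any rule"),
    ],
    "LAN2": [
        ("block", "any", "RFC1918", None, "Block internal networks"),
        ("pass", "LAN2net", "any", None, "allow Internet"),
    ],
}

def in_alias(ip, alias):
    nets = ALIASES[alias]
    return nets is None or any(ip in n for n in nets)

def ingress(src):
    # Rules are evaluated on the interface the packet enters, i.e. the one whose subnet holds the source.
    for name, net in IFACES.items():
        if src in net:
            return name
    raise ValueError(f"{src} is not on a known interface")

def evaluate(src, dst, dport):
    # First matching rule on the ingress interface wins; no match means pfSense's default deny.
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d, ports, desc in RULES[ingress(src)]:
        if in_alias(src, s) and in_alias(dst, d) and (ports is None or dport in ports):
            return action, desc
    return "block", "default deny"
```

Note that a LAN2 host talking to the LAN2 interface address is also blocked by the RFC1918 rule, because only LAN1 carries an anti-lockout rule in this set.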

Offline Stewart

  • Full Member
  • Posts: 279
  • Karma: +16/-2
Re: Firewall Rule Help
« Reply #4 on: December 21, 2017, 01:11:39 pm »
Make your own similar alias using:

RFC1918
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8

Thanks.  I'd created an alias with just the 192.168.0.0/16 but you're right that it's a good idea to have them all in there.  Thanks!

Edit:  Wouldn't we then be saying to block even the subnet that it is on?  You're saying to block anything from that subnet going to a private IP of any subnet (including its own) then block it.  Would I then need a rule that says to allow from the LAN2 Net to LAN2 Net above the RFC1918 rule on the LAN2 Interface?  Like:
Code:
ID     Proto   Source    Port   Destination   Port   Gateway   Queue   Schedule   Description
Pass   IPv4*   LAN2net   *      LAN2Net       *      *         none               Allow subnet to communicate on port

« Last Edit: December 21, 2017, 01:18:20 pm by Stewart »

Offline KOM

  • Hero Member
  • Posts: 5835
  • Karma: +711/-23
Re: Firewall Rule Help
« Reply #5 on: December 21, 2017, 01:19:02 pm »
Inter-LAN traffic doesn't hit the gateway, so pfSense would not be involved in those comms at all.  pfSense and the pf firewall only come into play when the traffic is leaving the network for another.

Offline Stewart

  • Full Member
  • Posts: 279
  • Karma: +16/-2
Re: Firewall Rule Help
« Reply #6 on: December 21, 2017, 02:13:40 pm »
Inter-LAN traffic doesn't hit the gateway, so pfSense would not be involved in those comms at all.  pfSense and the pf firewall only come into play when the traffic is leaving the network for another.

OK.  So it only applies if it goes across from one interface to another.  I thought the inspection happened as the packet was received.

Offline KOM

  • Hero Member
  • Posts: 5835
  • Karma: +711/-23
Re: Firewall Rule Help
« Reply #7 on: December 21, 2017, 02:41:35 pm »
Hosts on the same subnet can find each other and talk to each other without needing a gateway.  The packets are routed directly unless the destination is outside the scope of the network (subnet mask), at which point they get sent to the default gateway instead.

Offline Stewart

  • Full Member
  • Posts: 279
  • Karma: +16/-2
Re: Firewall Rule Help
« Reply #8 on: December 21, 2017, 03:55:12 pm »
Hosts on the same subnet can find each other and talk to each other without needing a gateway.  The packets are routed directly unless the destination is outside the scope of the network (subnet mask), at which point they get sent to the default gateway instead.

What about logging into the router?  If I'm at 192.168.20.2 and the Router is 192.168.20.1 and I'm blocking all private traffic, wouldn't that request to connect to the router be rejected?

Offline viragomann

  • Hero Member
  • Posts: 2830
  • Karma: +312/-1
Re: Firewall Rule Help
« Reply #9 on: December 21, 2017, 04:30:11 pm »
That is what the "Anti-lockout rule" on the LAN interface is for. As you have activated "Anti-lockout" in System > Advanced > Admin Access, this rule is set and you can't delete it from the rule set.

So logging in to the Web-GUI is only possible from LAN network. If you want to restrict the access to only one or a few source IPs you have to create your own anti-lockout rule and remove the check from Anti-lockout.

Offline Stewart

  • Full Member
  • Posts: 279
  • Karma: +16/-2
Re: Firewall Rule Help
« Reply #10 on: December 22, 2017, 08:49:29 am »
Got it.  Thanks.  Looking back at the things I was doing wrong, it seems I was setting the right rules on the wrong interfaces or specifying the wrong interface source.  Thanks for all the help.