
Topic: Is this Right?


Offline Ximulate

  • Jr. Member
  • Posts: 26
  • Karma: +0/-0
Is this Right?
« on: April 14, 2018, 03:14:28 pm »
Please let me know if I got this right, or what could be done better. Here's what I'm trying to do:

1) Block internet access for select devices on the LAN. I've created an alias for those devices (cls_NoInternet). Alternatively, I could create an alias of devices that need internet access and block all others (it doesn't matter to me which approach; whatever works best).

2) Devices with internet access should only be able to access destinations in approved regions. Using pfBlockerNG, I've created an "Alias Permit" and the corresponding firewall rule below.

3) I'm also using the DNSBL feature of pfBlockerNG with various block lists. So, I've created rules to block all port 53 requests except those to the pfSense DNS resolver.

Here's what I've done (screenshot):


Offline chpalmer

  • Hero Member
  • Posts: 1822
  • Karma: +96/-3
Re: Is this Right?
« Reply #1 on: April 14, 2018, 05:59:10 pm »
Nope

On the LAN interface your source would be LAN Net
P.S. statements made by me are not necessarily condoned by the management of this fine organization.  http://badmodems.com

Offline johnpoz

  • Hero Member
  • Posts: 15753
  • Karma: +1472/-210
  • Not a pfSense employee, they cannot fire me...
Re: Is this Right?
« Reply #2 on: April 15, 2018, 09:19:59 am »
Dest of LAN net from LAN is pointless.

So you want your devices on LAN to only go to places that are in North America.. Wow, that is going to limit your internet ;)

The only reason to change your source to any on LAN would be if you have downstream networks using the LAN as a transit.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE (home)
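The three goals from the opening post, written out as pf rules in the order pfSense evaluates them (top down, first match wins, every GUI rule is `quick`), with the two corrections from the replies applied: the source on the LAN interface is the LAN subnet, and there is no rule with the LAN subnet as destination. This is an added example, not the poster's screenshot and not the ruleset pfSense generates; the interface name igb1, the subnet 192.168.1.0/24, the firewall address 192.168.1.1 and the members of both tables are assumed values.

```pf
# Added example, not from the thread. Interface, subnet, firewall address and
# table members are assumed; in pfSense the aliases are filled from the GUI and
# the permit table from pfBlockerNG.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"
lan_ip  = "192.168.1.1"

# Constructed sample members for illustration only.
table <cls_NoInternet>  { 192.168.1.50, 192.168.1.51 }
table <pfB_NAmerica_v4> { 8.0.0.0/8, 24.0.0.0/8 }   # placeholder for the pfBlockerNG permit list

# 1) Hosts in cls_NoInternet get nothing, not even the resolver. Move the
#    resolver pass rule above this one if they still need local name resolution.
block in quick on $lan_if from <cls_NoInternet> to any

# 3) Plain DNS is allowed only to the resolver on the firewall's LAN address ...
pass  in quick on $lan_if proto { tcp, udp } from $lan_net to $lan_ip port 53
# ... and every other port-53 destination is dropped before the geo permit below
#     gets a chance to match it.
block in quick on $lan_if proto { tcp, udp } from $lan_net to any port 53

# 2) Everything else from the LAN may reach only the permitted region(s).
pass  in quick on $lan_if from $lan_net to <pfB_NAmerica_v4>

# pfSense's implicit default deny, written out so the fall-through is explicit.
block in quick on $lan_if all
```

In the GUI these are the same four rules on the LAN tab, top to bottom, with Source set to "LAN net" rather than "any"; a rule with Destination "LAN net" never matches there because host-to-host traffic inside one subnet does not pass through the firewall. After saving, `pfctl -sr` shows the loaded rules in evaluation order and `pfctl -t cls_NoInternet -T show` lists what the alias actually expanded to. One caveat on step 3: the port-53 rules only catch plain DNS; a client using DNS over TLS (port 853) or DNS over HTTPS (port 443) to a public resolver inside the permitted region is passed by the geo rule, so those destinations need their own block rules if the DNSBL filtering is meant to be unavoidable.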

Offline Ximulate

  • Jr. Member
  • Posts: 26
  • Karma: +0/-0
Re: Is this Right?
« Reply #3 on: April 16, 2018, 08:25:06 am »
Thank you. Does this look better?

This particular network isn't for general internet browsing, so NA is fine for starters. I may tweak the allowed destinations over time, and/or install Snort.