Help with writing a pfSense rule

I am doing some network reorganization and cleanup today and want to make sure I have my head on straight with how I am doing my rules, as well as making sure my idea/plan will work.

I have the following networks connected to my pfSense installation:

Physical Servers (Hypervisor Servers & Storage Servers)
Virtual Servers
Printers & Scanners
User Network

My understanding is that unless there is a rule allowing an out-of-subnet connection, they are by default blocked on the outbound side. This should also be true for the inbound side, no?

I want to set it up so that specific devices identified by IP are allowed on any network, so I would need 2 rules: one for the outbound from the network they are on and one for each network on the inbound side, right? Or can I use a single floating rule for this?

LAN is for all my switches and wireless APs and will only really talk to itself and pfSense as well as have access to the internet.

IPMI is for all the iDRAC and iLO2 connections I have to some of my servers and only talks to itself, pfSense and does not have internet.

Physical Servers talks to itself, the internet and pfSense

Virtual Servers talks to itself, the internet, pfSense and specific storage servers on the Physical Servers LAN.

Security talks to itself, the internet and pfSense

Printers & Scanners talks to itself, the internet, pfSense, the mail server, a specific storage server and the CUPS server

User Network talks to itself, the internet and pfSense, specific virtual servers and storage

Guest gets internet only

Only the LAN network and the reverse proxy server can get to the pfSense GUI.

The reason for this change was that I learned a valuable lesson with respect to VLANs: once I learned how to use them I went a little happy on creating them and ended up separating my hypervisors from my storage on separate VLANs, which, while it worked, slowed everything down and also created a potential for issues if pfSense was down.

OK, so I think there needs to be some more information to answer this.

Are those “networks” you listed actually VLANs?

The rules are pretty simple to set for each interface, and as for your inquiry about default inbound and outbound: if you created a new VLAN or a new interface, the default is that nothing is able to route in or out.

The way you tackle this is to physically write out, per interface, what you want outbound. Rules work from the top down, so if you have a block rule on top of an allow rule then traffic cannot go past that rule.

Block - LAN NET on ANY port to Guest NET to ANY port
Block - Whatever NET on ANY port to Virtual NET to ANY port
Allow - ANY on ANY port to ANY on ANY port <-- Allow the rest of the traffic

Each of these networks is a VLAN and is distributed over various managed switches that come back to pfSense, which has multiple physical interfaces for each switch, with the VLANs stacked on top from there. My pfSense is virtualized, so my switches connect to the hypervisor and those are connected to a virtual switch where pfSense sees that LAN connection. My server does not support passthrough, or I would have done it that way to simplify it.

The way I would approach your situation is to create an alias for the VLANs, then create rules based on those VLANs rather than per IP; that just sounds like hell.

So, for instance, you might want your Guest network to also access the printers; it would then be a good idea to isolate it so traffic cannot get out, but both guests and users can print.