i have been playing around with PFSense for the past week now ever since I switched over from my ISP router, its now in bridge mode.
i have been setting up firewall rules. the first thing i wanted to do, again this is me just playing around, i wanted to block the PFSense Web Gui on all devices but the pc in the server room. the rule works great had to tick the box in advanced settings disable anti lock out rule for it work.
so then i thought why not block all other devices but the pc in server to access the unifi controller. so i went ahead and setup a rule “Pass” to the pc in server room and port. then created a rule to block all other devices to that ip and port. but it does not work.
My Friend told me its not going to work as the routing is bypassing the firewall. so my question is how do i get pfsense to use that rule for a machine to block another device raspberry pi hosting unifi controller so that machine cant land at the gui.
both devices are on the LAN, the rule is on the router under LAN, should i put the rule in WAN and see if that works ? is there a way for a rule or settting somewhere for rules to headout but noticed its internal and loop back hence passing through the firewall ?
any advice would be great
I have a rule on my Guest vlan blocking access to the firewall, you can select “this firewall” as a destination in a rule.
I would guess you could create a rule for accessing the firewall for a given IP, followed by another rule blocking access to the firewall.
Firewalls can not block device on the same subnet because they don’t pass through the firewall. This is why it can be a good idea to have a separate “Management SUBNET/LAN” that devices need to pass though the firewall rules to get to.
I think “this firewall” wont work but i will give it ago
erm… how does one setup Mgt subnet or LAN and get them to pass through the firewall ?
I love your Videos, could you make a short video on how to do this ? i have watched all your pfsense videos. some twice lol.
please dont hurt me for asking to make a video i have a son…
It’s just setting up separate subnets and put the devices on those networks. I cover this in general in this video
thanks for the quick reply, it shows i have watched this video but at that time i guess i did not need to know or make use of subnets lol now i do
I will be soon making a 2022 version of this video, a few things have changed since I made this.
Ah nice cant wait
question - what is Invert match you selected it when creating a rule for IOT CRAP
Without diving back in to the video, it’s probably how I allowed something to go out to the internet but not access other local resources.
thank you for posting that video watched it a few times now to sink in.
things have i done
- created vlans assigned IVP4Static and setup DHCP and ranges
- setup a workstation (not VM) on my workbench here in server room
- added the vlans in unifi controller, i can now see the profiles for the ports on the 16Port PoE switch
- set port 11 to profile ServerRoom vlan tag 100
5 fresh install of windows 10 plugged into port 11
- no network/internet
going to go out on a lim here and say i need create a firewall rule to alow that VLAN (tag-100) ServerRoom to the LAN interface ?
am also going to setup an aliases to group the VLANS and call it VLAN group or private networks like you did and use that when setting up the rule.
am going to give it ago now to see if i create the rule correctly.
wish me luck
If you’re now using vlans, just create a management vlan stick your switches, AP on it. Block the other vlans from the firewall.
Move what you have on your LAN to a vlan.
That will give you what you are looking for. I don’t use my LAN unless I need to directly access the router for some reason say my switch stops working.
No, once you set a port to be a network then you don’t need to set things on that device.
Keep in mind that the firewall blocks everything by default (except DHCP… if you enable the DHCP service on an interface it put’s in rules for that automatically which you cant easily find in the GUI). This means that if you want DNS to work you will need a rule. If you want to be able to ping stuff outside of the scope of that interface then you need a rule, etcetera. But do not forget that these rules are applied as packets transverse through pfSense (ingress and egress the scope of that interface) so you will still need a host based firewall to segment direct communications, or used host based isolation in Unifi to force everything through the firewall without exception. It’s important to properly segment the network but it doesn’t replace the other layers of security.