Pfsense LAN separation

Hello all,

I have been googling my issue, and it seems like from what I have been reading, I shouldn’t be having it. So I’m at a loss.

Basically I have a pfSense setup for my home lab with three interfaces:

WAN
LAN
CONTROL

The LAN is self-explanatory, my devices are on there and can route to the outside world. My CONTROL is where all my configurators go, including the web configurator for pfsense. Here are my basic configurations for LAN and CONTROL:

LAN:
Static IPv4 = 10.12.1.1/24
everything else is default

CONTROL:
Static IPv4 = 10.11.1.254/24
everything else is default

LAN has a DHCP server on it but that’s probably not relevant.

Anyways, from what I understand, by default nothing should be able to talk to each other. And I would think that since these two networks are on separate subnets, they shouldn’t be able to route. Unfortunately, I discovered recently, to my great horror, that I can reach the web configurators on the control plane just fine from the lab net. Yikes.

First, I am trying to figure out how this is even possible given the subnet separation. Second, I wonder what would be the best way of preventing this: change routing rules or add a firewall rule? I tried to create a firewall rule for the control interface to block traffic from the LAN address:

I can provide the firewall rules for the LAN and WAN if necessary. For some reason I can’t attach more than one image to the post.

I don’t know if it is relevant, but this is a virtualized firewall; in pfSense the networks are defined by VLANs. Just to eliminate possibilities, I turned off the pfSense VM and tried accessing devices on CONTROL from the LAN, and wasn’t able to. So it is definitely pfSense that is routing traffic between the networks.

There seems to be a fundamental misconception about how pfSense rules work. I say this because you chose to show the rules for the CONTROL network instead of the LAN network.

Standard pfSense firewall rules only apply to incoming traffic on a particular interface. So if you are having trouble with traffic that originates in the LAN network, you need to focus on the LAN firewall rules. Nothing you change about your CONTROL firewall rules will have any impact on your problem.

Please provide a list of your LAN firewall rules. Without knowing them, my guess is there is a rule there with a * destination. Rules are processed in order from top to bottom. If a packet matches a rule, that rule’s action (pass, block, reject) is applied to the packet. If there is no matching rule, the packet is blocked.

Standard pfSense firewall rules only apply to incoming traffic on a particular interface.

I think you mean outgoing traffic? Otherwise my rules would have made sense.
Anyways thanks for your reply. I added a rule to my LAN network to block traffic to my CONTROL network, and it seems like I’m getting warmer, since now if I unplug the CONTROL cable from my PC I can no longer access the web configurator for pfsense. However, I can still access other VMs on the control network.

It looks like you are right that there is an allow any rule (2 actually, one for ipv4 and one for ipv6) so maybe I need to lock that down so it only allows any through the WAN and not anywhere else. When editing the rule, I couldn’t see anything to specify an interface for the outgoing traffic.

I’m going to look at the application logs for VMs in the control plane to see what the origin IP is when I connect to them. If it’s coming from my 10.12.x.x address then that rule should have been matched.

OK, after unplugging my CONTROL line, I tried SSH to one of my control devices, disconnected and reconnected, and I see this:

Last login: Sun Apr 21 08:13:30 2024 from 10.12.1.36

10.12.1.36 is my LAB address. So this should be getting blocked according to that rule.

No, I mean incoming. Have a look at this docs page: Firewall — Firewalling Fundamentals | pfSense Documentation

And that is exactly the behavior that is expected with the rules you now have on your LAB interface.

Say you have (IPv4) traffic originating in the LAB network destined for a host in the CONTROL network. That traffic enters the firewall on its LAB interface, therefore it is matched against the rules on the LAB tab. The first (and in this case, only) rule that matches is the “Default allow LAN to any rule”, which allows the traffic. Therefore, you can reach the host in the CONTROL network from a machine in the LAB network.

That’s not how pfSense works. You don’t filter by outgoing interface. You have to be very careful when using the “any” destination in your rules because, by definition, it includes local networks. And that is not what people want in most cases.

Have a look at this:

Thanks again for your reply, I believe I understand you now.

For now, I have fixed the block rule by changing “CONTROL address” to “CONTROL subnet”.

But I’m going to look further into the allow rule at the end to make it more restrictive.

For future people reading this thread: the best answer was in the thread that the very helpful Paolo linked in his response.

  1. Create an alias (in the post, it was RFC1918) and add internal networks to that rule:
     192.168.0.0/16
     172.16.0.0/12
     10.0.0.0/8
  2. For the default “ANY” rule created on the LAN in pfSense, instead of ANY select Address or Alias, choose the alias you created, and then check Invert match.
  3. You can do this for IPv4 and IPv6, since pfSense creates those two rules by default.

Now I can have a LAN network that can’t access any of the sensitive interfaces on the control plane, but can reach out to the Internet.
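To make the reasoning in this thread concrete (rules are evaluated on the interface where traffic enters, top to bottom, first match wins, no match means block), here is a small Python model of that evaluation, written as an added example for this thread; it is not pfSense code and not from any poster. It replays the four rule sets discussed above against the poster's own addresses: the block rule placed on the CONTROL tab, the LAN block rule with destination “CONTROL address”, the same rule with “CONTROL subnet”, and the final “allow to anything that is not RFC1918” rule. The rule names, the 10.11.1.10 host and the 8.8.8.8 destination are constructed for illustration; the subnets and 10.12.1.36 come from the thread.

```python
import ipaddress

# Added example (not from the thread or from pfSense): a minimal model of how
# pfSense evaluates interface rules. Modelled facts: rules live on the
# interface where traffic ENTERS the firewall, they are checked top to bottom,
# the first match decides, and a packet matching no rule is blocked.

IFACES = {                                                    # from the thread
    "LAN": ipaddress.ip_network("10.12.1.0/24"),
    "CONTROL": ipaddress.ip_network("10.11.1.0/24"),
}
CONTROL_ADDRESS = [ipaddress.ip_network("10.11.1.254/32")]    # GUI "CONTROL address"
CONTROL_SUBNET = [IFACES["CONTROL"]]                          # GUI "CONTROL subnet"
LAN_SUBNET = [IFACES["LAN"]]                                  # GUI "LAN net"
RFC1918 = [ipaddress.ip_network(n)                            # the alias from the post
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _covers(spec, addr):
    """True if addr is covered by spec ('any' or a list of networks)."""
    return spec == "any" or any(addr in net for net in spec)


def matches(rule, src, dst):
    """A rule matches when its source and destination specs both cover the
    packet; 'invert' models the GUI's 'Invert match' on the destination."""
    dst_hit = _covers(rule.get("dst", "any"), dst)
    if rule.get("invert", False):
        dst_hit = not dst_hit
    return _covers(rule.get("src", "any"), src) and dst_hit


def ingress_for(src):
    """Interface a packet from src enters on, chosen by source subnet."""
    return next((name for name, net in IFACES.items() if src in net), "WAN")


def evaluate(rules_by_iface, src, dst):
    """Return (action, rule name) for a packet src -> dst, pfSense style:
    only the ingress interface's rule list is consulted, first match wins,
    and falling off the end is a block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules_by_iface.get(ingress_for(src), []):
        if matches(rule, src, dst):
            return rule["action"], rule["name"]
    return "block", "default deny"


ALLOW_ANY = {"name": "Default allow LAN to any", "action": "pass",
             "src": LAN_SUBNET, "dst": "any"}

# 1. First attempt in the thread: a block rule on the CONTROL tab. Traffic
#    from LAN never enters on CONTROL, so that list is never consulted.
ATTEMPT_1 = {
    "LAN": [ALLOW_ANY],
    "CONTROL": [{"name": "Block LAN on CONTROL", "action": "block",
                 "src": LAN_SUBNET, "dst": "any"}],
}
# 2. Block rule on LAN with destination "CONTROL address": only the
#    firewall's own 10.11.1.254 is covered; other CONTROL hosts still hit
#    the allow-any rule below it.
ATTEMPT_2 = {"LAN": [
    {"name": "Block to CONTROL address", "action": "block",
     "src": LAN_SUBNET, "dst": CONTROL_ADDRESS},
    ALLOW_ANY,
]}
# 3. Same rule with "CONTROL subnet": the whole 10.11.1.0/24 is covered.
ATTEMPT_3 = {"LAN": [
    {"name": "Block to CONTROL subnet", "action": "block",
     "src": LAN_SUBNET, "dst": CONTROL_SUBNET},
    ALLOW_ANY,
]}
# 4. The final approach: destination = RFC1918 alias with Invert match, so
#    the pass rule covers only non-private destinations and everything
#    internal falls through to the default deny.
FINAL = {"LAN": [
    {"name": "Allow LAN to non-RFC1918", "action": "pass",
     "src": LAN_SUBNET, "dst": RFC1918, "invert": True},
]}

if __name__ == "__main__":
    for label, rules in (("attempt 1", ATTEMPT_1), ("attempt 2", ATTEMPT_2),
                         ("attempt 3", ATTEMPT_3), ("final", FINAL)):
        for dst in ("10.11.1.254", "10.11.1.10", "8.8.8.8", "10.12.1.1"):
            print(f"{label:9} 10.12.1.36 -> {dst:12}", evaluate(rules, "10.12.1.36", dst))
```

Running it shows attempt 1 passing everything (the CONTROL tab is irrelevant to LAN-sourced packets), attempt 2 blocking only 10.11.1.254 while 10.11.1.10 still passes, attempt 3 blocking the whole CONTROL subnet, and the final rule passing 8.8.8.8 but dropping both CONTROL hosts on the default deny. The last column also makes a side effect of the inverted alias visible: traffic from LAN clients to the firewall's own LAN address 10.12.1.1 is inside 10.0.0.0/8 and so falls to the default deny as well, which matters if that address serves DNS or other services to the LAN; a separate pass rule above it for the needed ports to “LAN address” covers that case.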