Hello, I am having a “misunderstanding” with pfSense and the firewall rules. Could you help me?
What I want to achieve is to allow only DNS and the services on Traefik for all WireGuard clients, and to get complete access to my laptop’s address.
The first part is ok, everything works, but I am having a problem with the allow-but part.
I’ve created this rule “block all but me” but, for unknown reasons (at least to me), it doesn’t work.
Instead, if I create two separate rules, a pass rule for me followed by a block rule, it works… Where am I going wrong?
With my previous settings (screenshot 1):
I enable any to port 443, any to port 53, and block all but my IP (homelab_ext), but this part doesn’t work.
Instead, if I disable it and add the same rule split in half (the 2 rules disabled), a pass for me and a block for the others, it works.
If you are trying to block everything that is not your homelab_ext, then it is working. If not, then you need to tweak the source IP ranges you want to block. You can’t have an allow rule that allows any source and then have your block rules at the bottom.
Sorry, what I want to do is to allow all WireGuard clients (any) to access internal DNS and the services on Traefik, and this is ok.
The problem is on rule 3 (pointed to by the red arrow). It must block all other “traffic” unless it is me.
But it does not work.
It completely ignores the alias set and the ! and blocks all traffic not matching the 2 rules above (DNS & Traefik).
Instead, if I delete rule 3 and add rules 4-5 (pointed to by the yellow arrow on the diagram below), everything works as expected: I can access everything and other clients are blocked, exactly what I want.
It is quite easy. There is an implicit “block all” rule at the bottom but you don’t see it. So rule 5 is not needed at all.
If you use rule 3 you prevent everyone but your laptop from access.
Next is the implicit block all.
That way your laptop never gets allowed to access all. You would need to have rule 4 for that.
Have you tried rules 1, 2, 3, 4? That should work.
Working here with negative logic just makes things unnecessarily complex.
Just use rules 1, 2, and 4 and it works as intended.
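As an added illustration (not code from the thread or from pfSense), here is a small model of first-match rule evaluation with the hidden default deny, showing why rules 1,2,3 lock the laptop out while rules 1,2,4 let it through and still block the other peers. The addresses and rule names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addresses (assumptions, not taken from the thread's screenshots).
HOMELAB_EXT = ip_address("10.8.0.10")   # the laptop alias the poster calls homelab_ext
OTHER_PEER = ip_address("10.8.0.20")    # any other WireGuard client

@dataclass
class Rule:
    action: str              # "pass" or "block"
    src: str                 # "any" or an address/network, standing in for an alias
    negate_src: bool         # the "!" (invert match) box on the source field
    dst_port: Optional[int]  # None means any destination port
    name: str

def src_matches(rule: Rule, src) -> bool:
    """Does the packet's source satisfy the rule's source field, with '!' applied?"""
    hit = True if rule.src == "any" else src in ip_network(rule.src, strict=False)
    return (not hit) if rule.negate_src else hit

def evaluate(rules, src, dst_port):
    """pfSense interface rules are first-match; whatever no rule matches hits the
    implicit default deny that never appears in the rule list."""
    for r in rules:
        if src_matches(r, src) and r.dst_port in (None, dst_port):
            return r.action, r.name
    return "block", "implicit default deny"

# The rules as numbered in the thread.
R1 = Rule("pass", "any", False, 443, "rule 1: any to traefik")
R2 = Rule("pass", "any", False, 53, "rule 2: any to dns")
R3 = Rule("block", str(HOMELAB_EXT), True, None, "rule 3: block all but me")
R4 = Rule("pass", str(HOMELAB_EXT), False, None, "rule 4: pass me")

RULES_123 = [R1, R2, R3]   # the poster's first attempt: laptop falls through to default deny
RULES_124 = [R1, R2, R4]   # what the replies recommend: laptop passes, others fall through

if __name__ == "__main__":
    for label, rules in (("1,2,3", RULES_123), ("1,2,4", RULES_124)):
        for who, src in (("laptop", HOMELAB_EXT), ("other peer", OTHER_PEER)):
            print(f"rules {label}, {who} -> port 22:", evaluate(rules, src, 22))
```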