
PFSENSE Rules

Sherwin Velasco

Hi Linus,

First of all, I'm a big fan of yours.

I'm a newbie at setting up my pfSense firewall. My problem is that after setting up rules on my LAN I cannot access the internet.

I want to set up specific allowed ports like port 53/80/443.

Please help me :(

By the way, I'm from the Philippines :)

Please see the attached file.

I disabled the access-to-any rule to set up a specific port.

Thanks Linus!

linus mail.jpg


2 hours ago, Sherwin Velasco said:

Hi Linus,

First of all, I'm a big fan of yours.

I'm a newbie at setting up my pfSense firewall. My problem is that after setting up rules on my LAN I cannot access the internet.

I want to set up specific allowed ports like port 53/80/443.

Please help me :(

By the way, I'm from the Philippines :)

Please see the attached file.

I disabled the access-to-any rule to set up a specific port.

Thanks Linus!

They are outbound rules, not inbound rules. The source port won't be 53/80/443. That needs to be the destination port.

Change the rules so they look like this:

Protocol - IPv4 UDP
Source - Wifi net
Source Port - *
Destination Port - 53 (UDP)
Gateway - *

Protocol - IPv4 TCP
Source - Wifi net
Source Port - *
Destination Port - 80 (TCP)
Gateway - *

Protocol - IPv4 TCP
Source - Wifi net
Source Port - *
Destination Port - 443 (TCP)
Gateway - *

Please quote or tag me if you need a reply


If you have DHCP enabled you'll need to allow DHCP requests. DHCP requests will come from 169.*.*.* over broadcast, so you can specify a network range in the rule.

Source IP: Any
Source Port: Any
Destination: WiFi Address
Destination Port: 67-68 UDP

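To make the source-port versus destination-port point concrete, here is a miniature first-match rule evaluator in Python, added as an example and not taken from the thread or from pfSense itself. It models the LAN rule columns quoted in the reply above (protocol, source, source port, destination, destination port), the three corrected rules, and the DHCP rule from the post just above. The "Wifi net" prefix, the "WiFi address" interface IP, the packets and the server addresses are all constructed sample values. A client's source port is an ephemeral port chosen by its operating system, which is why the original rules matched nothing; the example also shows that a DHCP packet's destination address matters: a unicast renewal to the interface address matches the posted rule, while the initial DHCPDISCOVER (sent from 0.0.0.0 to the broadcast address 255.255.255.255) does not.

```python
"""Miniature stateful-firewall rule matcher (added example, not pfSense code).

Rules are evaluated top-down, first match wins, and anything unmatched hits
an implicit default deny, which is how pfSense treats LAN-side rules.
All networks, addresses and packets below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

WIFI_NET = "192.168.10.0/24"      # constructed stand-in for pfSense's "Wifi net"
WIFI_ADDRESS = "192.168.10.1"     # constructed stand-in for "WiFi address" (interface IP)

PortRange = Optional[Tuple[int, int]]   # None means "*" / any


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str
    src: Optional[str] = None     # network or host; None means any
    sport: PortRange = None
    dst: Optional[str] = None
    dport: PortRange = None
    action: str = "pass"


def _addr_matches(spec: Optional[str], addr: str) -> bool:
    # ip_network("192.168.10.1") yields a /32, so hosts and prefixes both work.
    return spec is None or ip_address(addr) in ip_network(spec)


def _port_matches(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def first_match(rules, pkt: Packet) -> str:
    """Return the action of the first rule matching pkt, or 'block' (default deny)."""
    for r in rules:
        if (r.proto == pkt.proto
                and _addr_matches(r.src, pkt.src) and _port_matches(r.sport, pkt.sport)
                and _addr_matches(r.dst, pkt.dst) and _port_matches(r.dport, pkt.dport)):
            return r.action
    return "block"


# The mistake described by the original poster: 53/80/443 placed on the SOURCE side.
WRONG_RULES = [
    Rule("udp", src=WIFI_NET, sport=(53, 53)),
    Rule("tcp", src=WIFI_NET, sport=(80, 80)),
    Rule("tcp", src=WIFI_NET, sport=(443, 443)),
]

# The corrected rules from the reply, plus the DHCP rule from the later post.
CORRECT_RULES = [
    Rule("udp", dst=WIFI_ADDRESS, dport=(67, 68)),   # Source any/any -> WiFi address 67-68
    Rule("udp", src=WIFI_NET, dport=(53, 53)),
    Rule("tcp", src=WIFI_NET, dport=(80, 80)),
    Rule("tcp", src=WIFI_NET, dport=(443, 443)),
]

# Constructed sample traffic from one WiFi client (RFC 5737 documentation addresses).
SAMPLES = {
    "dns":           Packet("udp", "192.168.10.50", 51234, "198.51.100.53", 53),
    "https":         Packet("tcp", "192.168.10.50", 49152, "203.0.113.80", 443),
    "ssh_out":       Packet("tcp", "192.168.10.50", 49153, "203.0.113.22", 22),
    "dhcp_renew":    Packet("udp", "192.168.10.50", 68, WIFI_ADDRESS, 67),      # unicast renewal
    "dhcp_discover": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),      # initial broadcast
}


def evaluate(rules):
    """Map each sample packet name to the action the ruleset takes on it."""
    return {name: first_match(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("source-port rules", WRONG_RULES), ("destination-port rules", CORRECT_RULES)):
        print(f"--- {label} ---")
        for name, action in evaluate(rules).items():
            print(f"{name:14s} {action}")
```

With the source-port rules every packet, DNS and DHCP included, falls through to the default deny, which is exactly the "cannot access the internet" symptom. With the destination-port rules DNS, HTTPS and the unicast DHCP renewal pass and an outbound SSH attempt is blocked, while the broadcast DHCPDISCOVER is still denied because its destination is 255.255.255.255, not the interface address; if a firewall does not already permit that broadcast, the destination field of the DHCP rule has to cover it.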

Is there any good reason to limit the ports like this? People will still be able to bypass it using a VPN on port 443.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


17 hours ago, Alex Atkin UK said:

Is there any good reason to limit the ports like this? People will still be able to bypass it using a VPN on port 443.

If you're not running Suricata/Snort to make sure it is actual web traffic traversing 443. Also, if you control the environment, then a user should not be able to install any VPN solutions.

It's an easy enough step that adds a layer of challenge, so why not.


It's almost impossible to "control" the environment though, especially when dealing with WiFi.

I was hoping my question might elicit an explanation for WHAT the environment is. Because as I understand it, WiFi on pfSense is not exactly ideal in most scenarios as it's not as fully featured as dedicated access points.


20 minutes ago, Alex Atkin UK said:

It's almost impossible to "control" the environment though, especially when dealing with WiFi.

I was hoping my question might elicit an explanation for WHAT the environment is. Because as I understand it, WiFi on pfSense is not exactly ideal in most scenarios as it's not as fully featured as dedicated access points.

It doesn't matter whether the network packets arrive from WiFi or Ethernet. If you are using intrusion detection/prevention (IDS/IPS) via Snort or Suricata you can review with deep packet inspection and block any VPN traffic being generated; it will simply get dropped by the firewall and cleared off the state table. If you can't get past the edge (firewall) then you have no chance for a VPN. Most VPNs use encrypted packets via UDP, easy to spot and easy to drop at the firewall.

Remember that you have control of the edge device between the WAN and LAN; you have full control over what the users on the LAN can and can't access. Having the knowledge to implement it correctly, however, will need some experience.

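The reply above leans on an IDS/IPS to tell real web traffic on 443 from a tunnel that merely uses the port. As an added illustration of the kind of check such an engine applies (this is not Suricata's or Snort's code, and it is far simpler than their full protocol detection), the Python below parses only the TLS record and handshake headers of a flow's first client bytes and flags a port-443 flow whose opening bytes are not a TLS ClientHello. The ClientHello, the SSH banner and the opaque payload are constructed samples; `classify_flow` and its policy strings are this example's own names. A header check like this catches protocols that do not look like TLS at all; a tunnel that itself speaks genuine TLS on 443 passes it, which is why the thread's advice of controlling the endpoints still matters.

```python
"""Header-level TLS check for flows on TCP 443 (added example, not IDS/IPS code).

Only the first client bytes of a flow are examined:
  TLS record header : type(1) version(2) length(2)
  handshake header  : type(1) length(3)
All sample payloads are constructed for this example.
"""
import os
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
TLS12 = (3, 3)


def is_tls_client_hello(payload: bytes) -> bool:
    """True if payload begins with a TLS handshake record carrying a ClientHello."""
    if len(payload) < 9:
        return False
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    # Record-layer version is 3.0 to 3.3 for SSLv3 through TLS 1.3 hellos.
    if rec_type != TLS_HANDSHAKE or major != 3 or minor not in (0, 1, 2, 3):
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # The handshake message (4-byte header plus body) must fit inside the record.
    return hs_type == CLIENT_HELLO and hs_len + 4 <= rec_len


def classify_flow(dport: int, first_client_bytes: bytes) -> str:
    """Policy used here: on 443 only traffic that opens like TLS passes; anything
    else on 443 is treated as a tunnel over the web port and dropped. Flows to
    other ports are left to the layer-4 rules and not judged by this check."""
    if dport != 443:
        return "not-inspected"
    if is_tls_client_hello(first_client_bytes):
        return "pass"
    return "drop: non-TLS on 443"


def build_client_hello() -> bytes:
    """Construct a minimal, structurally valid TLS ClientHello record (sample data)."""
    body = (struct.pack("!BB", *TLS12)        # client_version
            + os.urandom(32)                  # random
            + b"\x00"                         # session_id length 0
            + b"\x00\x02" + b"\x13\x01"       # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                     # compression_methods: null
            + b"\x00\x00")                    # extensions length 0
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample flows: (destination port, first bytes sent by the client)
SAMPLE_FLOWS = {
    "browser_https": (443, build_client_hello()),
    "ssh_on_443":    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "opaque_on_443": (443, bytes.fromhex("38 a1 7c 02 00 00 00 00 11 9f")),
    "plain_http":    (80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
}


def classify_samples():
    """Run the policy over every sample flow."""
    return {name: classify_flow(port, data) for name, (port, data) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} {verdict}")
```

The browser flow passes, the SSH banner and the opaque bytes on 443 are dropped, and the port-80 request is not inspected by this check at all. In a real deployment the decision is made per flow inside the IDS/IPS, and the verdict becomes a dropped state on the firewall, which is the "cleared off the state table" behaviour the reply describes.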

Yes I understand that, but the OP made no mention of such a setup.


11 hours ago, Alex Atkin UK said:

Yes I understand that, but the OP made no mention of such a setup.

It was you who created the question advising that people could bypass using a VPN via TCP 443; @MikeSan advised you can use IDS/IPS to prevent this, which pfSense has via either Snort or Suricata. I simply went into more detail to give you more information to chew on, as you said it's impossible to control traffic; however, when you are the gateway for all that traffic to reach the outside world you have control of what goes in/out depending on the feature set of the router/firewall you are using.


15 hours ago, Alex Atkin UK said:

It's almost impossible to "control" the environment though, especially when dealing with WiFi.

I was hoping my question might elicit an explanation for WHAT the environment is. Because as I understand it, WiFi on pfSense is not exactly ideal in most scenarios as it's not as fully featured as dedicated access points.

Wireless or wired makes no difference; I'm not sure what you mean by "especially dealing with wifi". People can bring a laptop and connect to a LAN drop just as easily. If you control the environment, then you control the devices that attach to your network. On a business/corporate network you would not normally allow personal devices. There are many ways to handle "rogue" devices. Just because there's a way to defeat a security mechanism doesn't mean you should be lax and not implement it.

One more reason you might use these firewall rules, strictly allowing 443/80 and nothing else, is to protect your other LAN segments. No need for, say, your WiFi network to access your Exchange server. This may be what you're looking for, but I assumed it to be implied.


Yes, but to connect to the LAN you need to be physically at a LAN port; with WiFi you could be outside the building.

The whole point of my post was to get more feedback from the OP about WHY they were doing this, to see if it was really necessary or doing what they wanted, not to suggest that things CAN'T be blocked with the right tools. Maybe I should have been more clear.


27 minutes ago, Alex Atkin UK said:

Yes, but to connect to the LAN you need to be physically at a LAN port; with WiFi you could be outside the building.

The whole point of my post was to get more feedback from the OP about WHY they were doing this, to see if it was really necessary or doing what they wanted, not to suggest that things CAN'T be blocked with the right tools. Maybe I should have been more clear.

Anyone in enterprise will have full control over their WiFi even if that WiFi is public and requires no login/captive portal. It will be segmented from the main network, have massive restrictions on traffic inbound/outbound of the gateway, and the APs will have wireless isolation to prevent WiFi clients talking to each other inside the same WiFi network. It's up to the network administrator to take full control of the feature set on the WiFi equipment; anyone who leaves an open WiFi connection on the same network segment as their LAN is just asking for trouble. Enterprise/business grade equipment has features to control almost everything; it all costs more money though :(


1 hour ago, Alex Atkin UK said:

Yes, but to connect to the LAN you need to be physically at a LAN port; with WiFi you could be outside the building.

The whole point of my post was to get more feedback from the OP about WHY they were doing this, to see if it was really necessary or doing what they wanted, not to suggest that things CAN'T be blocked with the right tools. Maybe I should have been more clear.

I see, yes, your phrasing led me to think you meant "why would anyone" vs just the OP. Then my response would simply be to protect the other LAN segments.

Just to touch on WiFi: yes, you should trust WiFi less, but you would still secure it with more than a simple WPA2 password, like EAP/LEAP.

Physical security is a joke 9 times out of 10, so a LAN drop is not "secure." Honestly, drops are probably a lot worse than WiFi, since people tend to think they're safer than WiFi, leaving them open and on the "main" VLAN without any NAC or port security. I've seen people badge in and let the next person in without checking ID, right beside a posted sign "no piggyback entry."


23 minutes ago, Mikensan said:

I see, yes, your phrasing led me to think you meant "why would anyone" vs just the OP. Then my response would simply be to protect the other LAN segments.

Just to touch on WiFi: yes, you should trust WiFi less, but you would still secure it with more than a simple WPA2 password, like EAP/LEAP.

Physical security is a joke 9 times out of 10, so a LAN drop is not "secure." Honestly, drops are probably a lot worse than WiFi, since people tend to think they're safer than WiFi, leaving them open and on the "main" VLAN without any NAC or port security. I've seen people badge in and let the next person in without checking ID, right beside a posted sign "no piggyback entry."

Yes I can imagine. Assuming all your clients are safe is a big mistake, at least in a corporate environment.
