pfSense - Basic LAN Firewall Rules

Captions
Hello YouTube, today I'm going to show you how to deal with the firewall rules on your pfSense firewall. First off, let's cover some basics. Depending on the source, we have two types of traffic: egress, or outgoing traffic, and ingress, or incoming traffic. The default rule for pfSense is deny, so if your interface doesn't have any rules, all the traffic will be dropped; if the traffic cannot match any rules on your firewall, it will be dropped also. Rules have different priorities: firewall rules at the top of your interface have the top priority, so the traffic will be going from top to bottom through your firewall rules list until the appropriate match is found. Also, there are three interface rule priorities. First of all, the firewall is processing what's called system rules; these rules are generated by pfSense itself. Then the second set of rules will be floating rules; these rules are processed right after system rules. And then the third set of rules are called interface rules; they are processed last in the chain, but they are the easiest to configure.

As I said before, we have egress rules and ingress rules. Egress stands for outgoing traffic. Here we have our interface: this would be the egress traffic, which is outgoing from inside out, and then the ingress traffic will be coming from outside in. I prefer to manage my LAN interfaces with egress rules and my WAN or OpenVPN interfaces with ingress rules.

Before I can move on to the practical example, I just wanted to show you what kind of scenario I wanted to cover. Here we have our pfSense firewall; on the right is our guest network and then on the left is our LAN network. We have one client per network on each side. Our LAN client is allowed to go to the firewall and manage it; it's also allowed to go to the Internet and any other network within our firewall. Our guest, on the other hand, cannot go to any one of the internal networks; it has limited access to the firewall itself and it is only allowed to go to the Internet.

Okay, so here we have our two Debian Linux machines, with the LAN client on the left side and the guest client on the right side. If we ping the guest client from LAN, you can see it's pinging, and then if we ping our LAN client from guest, it's also pinging. Before showing you that it works, I wanted to show you how it works: if I open my pfSense demo machine here, you see that from LAN we have wide open network access, and then from guest we also have wide open network access. So both of the clients at the moment have full network access, no restrictions whatsoever. Now, to filter it down for the guest network to only allow it to go to the Internet, we need to edit the rule. Leave everything as is here, then click Display Advanced, find the section that's responsible for Gateway, and choose any one of your gateways or group of gateways. Then click Save and Apply Changes. Now if we go back to our Debian machines, our LAN client is still able to ping the guest, but our guest client cannot ping the LAN client, and both of the machines are perfectly able to ping the Internet. This trick is very useful for any sysadmin or home pfSense user out there; with it you can easily filter your traffic to whatever your requirements are. If this is what you wanted to know, then you can stop watching this video and go experiment with your pfSense firewall, but I wanted to show you some additional things you can do with this.

For example, we could add another rule and allow access to our LAN network. Click Save, click Apply Changes, and now we can perfectly fine ping our LAN client. If we get back to the firewall and click on the guest again, we see that we created some states. Also, with this kind of segregation you have a perfect view into your network and see what's going where. Another thing is that if you used this rule, then you've basically allowed any one of your guest clients to access the firewall management page, and it's not always desirable. As an example, I can show you that I can perfectly fine open the web management interface of the firewall from the guest network with the help of curl. So the firewall responded to me; I've loaded the page, no problem.

Now let's go to our firewall and add another rule to block this behavior: action is Reject or Block, protocol TCP, source GuestNet, destination This Firewall, destination port range is HTTPS. Now let's Save and Apply Changes. If we go back to our guest client and try to curl that web page again, we see that the connection is refused. Now, this will only block the web traffic, and if you have SSH open you'll have to do the same for SSH. But if you're a bit paranoid like I am, you can deny firewall access from this network altogether; the only thing you need to make sure is that your clients can get to the DNS server. Edit this rule, change protocol to any to block any access to this firewall, then copy the rule, change action to Pass, protocol UDP, destination port range is DNS, then click Save. Don't forget to put the DNS rule up top so it doesn't get blocked. Click Save here at the bottom first and then Apply Changes. Then we also want to remove that experimental LAN network access rule; click Apply Changes, and now this is how your guest or IoT network should look. Because if we go back to our guest and try to get the web interface, we cannot even ping the firewall, but we can perfectly fine get to the Internet, and our DNS works just fine as well.

That's it for today. Please like, share and subscribe, and leave your comments down below with suggestions for future videos. I mean, I've got a lot of ideas, but I would like to hear from you guys what you'd like to see next. Thank you all for watching and I'll see you in the next one.
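The final guest-network rule set from the video (DNS to the firewall allowed, everything else to the firewall blocked, then "allow to any" forced out the WAN gateway), replayed through a small first-match rule evaluator. This is an added example, not code from the video or from pfSense itself; the lab addresses, the gateway name `WAN_DHCP`, and the simplified treatment of policy-routed traffic (a passed packet with a gateway set is sent out that gateway, so it never reaches a directly connected local network) are assumptions. It also checks the ordering mistake the video warns about: the DNS rule placed below the block rule.

```python
"""Added example: a minimal model of pfSense interface-rule evaluation
(top to bottom, first match wins, default deny) used to check the
guest-network rules built in the video. Addresses, gateway name and the
policy-routing simplification are constructed assumptions, not pfSense code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed lab addressing (assumption, not from the video)
LAN_NET = "192.168.1.0/24"
GUEST_NET = "192.168.20.0/24"
FIREWALL_IPS = {"192.168.1.1", "192.168.20.1"}  # "This Firewall" = any firewall address
LOCAL_NETS = [LAN_NET, GUEST_NET]
WAN_GW = "WAN_DHCP"                             # constructed gateway name


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass", "block" or "reject"
    proto: str                     # "any", "tcp", "udp", "icmp"
    src: str                       # source CIDR
    dst: str                       # destination CIDR or the alias "this firewall"
    dport: Optional[int] = None    # destination port; None = any
    gateway: Optional[str] = None  # policy-routing gateway; None = normal routing


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _dst_matches(rule_dst: str, dst: str) -> bool:
    if rule_dst == "this firewall":
        return dst in FIREWALL_IPS
    return ip_address(dst) in ip_network(rule_dst)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and _dst_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Walk the rules top to bottom; the first match decides, no match = block.
    Simplification: a pass rule with a gateway set sends the packet out that
    gateway, so a packet for a local network is never delivered locally."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action != "pass":
            return "blocked"
        if rule.gateway and any(ip_address(pkt.dst) in ip_network(n) for n in LOCAL_NETS):
            return "routed-to-" + rule.gateway
        return "passed"
    return "blocked"  # pfSense default deny


# Final guest ruleset from the video, in the order the video ends with
GUEST_RULES = [
    Rule("pass", "udp", GUEST_NET, "this firewall", dport=53),
    Rule("block", "any", GUEST_NET, "this firewall"),
    Rule("pass", "any", GUEST_NET, "0.0.0.0/0", gateway=WAN_GW),
]

# Same rules with the DNS rule below the block rule: the ordering mistake
GUEST_RULES_MISORDERED = [GUEST_RULES[1], GUEST_RULES[0], GUEST_RULES[2]]


def check(rules: List[Rule]) -> dict:
    """Verdicts for the flows the video tests, from a constructed guest host."""
    guest = "192.168.20.50"
    return {
        "dns_to_firewall": evaluate(rules, Packet("udp", guest, "192.168.20.1", 53)),
        "https_to_firewall": evaluate(rules, Packet("tcp", guest, "192.168.20.1", 443)),
        "ping_lan_client": evaluate(rules, Packet("icmp", guest, "192.168.1.50")),
        "https_to_internet": evaluate(rules, Packet("tcp", guest, "198.51.100.10", 443)),
    }


if __name__ == "__main__":
    for name, rules in (("correct order", GUEST_RULES),
                        ("dns below block", GUEST_RULES_MISORDERED)):
        print(name, check(rules))
```

Running it shows the correct order passing DNS, blocking HTTPS to the firewall, sending the LAN ping out the WAN gateway (so it never arrives, which is what the video observes) and passing Internet traffic; the misordered set blocks DNS too, because the "block any to this firewall" rule matches first.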
Info
Channel: Gateway IT Tutorials
Views: 46,014
Keywords: pfSense, firewall, iot, network separation, LAN
Id: AZ_ju6pCbow
Length: 8min 35sec (515 seconds)
Published: Mon Oct 07 2019