pfSense (or other dedicated router) questions


As a ROUTER, it should be a level 3 device. After all, routing is a level 3 concept. As a firewall, it needs to work in both L2 and L3. Effective security ALWAYS works at a lower level - or it's easily defeated.

It's advertised as a router and firewall.
 
> As a ROUTER, it should be a level 3 device. After all, routing is a level 3 concept. As a firewall, it needs to work in both L2 and L3. Effective security ALWAYS works at a lower level - or it's easily defeated.
>
> It's advertised as a router and firewall.

Level up and understand - firewalls are layer 3 (IP based)
 
You're fighting the boss level - the barrier (force field) of understanding...

A bit of advice - perhaps ask questions, rather than make assertions based on your understanding of the rules... because it looks like there are rules you just do not understand at the moment...

Trying to help here... let me help...
 
> Level up and understand - firewalls are layer 3 (IP based)
I disagree. Firewalls act at whatever OSI level is required to perform a function: from VLANs (L2) all the way to application level (L7.) As well, even routers have to work lower than L3 to be effective. STP, VLANs, and bridging are all L2.
 
> I disagree. Firewalls act at whatever OSI level is required to perform a function: from VLANs (L2) all the way to application level (L7.) As well, even routers have to work lower than L3 to be effective. STP, VLANs, and bridging are all L2.

if you go down this path - then all is lost...
 
> Trying to help here... let me help...
Okay... Asking questions NEVER hurts (and I often learn something):

I have a device. I want my pfSense router and firewall to block that device from accessing the WAN. That device is... an Android device that can authenticate either wired or wireless. (However, that's moving into L1.)

How can I use pfSense to do that?

I should add that my network fully implements IPv6 (dual stack with global IPs) and IPv4 via NAT.
 
Keep in mind that you have an IEEE/IETF/3GPP/3PP2 member that is willing to help out...

Layer 2 - MAC, not an issue, as this is stopped

Layer 3 - this is where your concern is at the moment, and this is where firewalls operate between the WAN and the LAN

VLANs - this is internal inside your LAN - it's a layer on the cake of traffic inside your LAN, and sometimes, inside your provider's LAN (some providers do IPTV on their IP range on a VLAN, with broadband access on another, but once out on the internet, it's all the same)

Layer 7 - this isn't a firewall - this is UTM/end-point security at the application layer.

If you don't want my help - just say so - and I'll let you thrash about in the water, rather than lend a hand to pull you into the boat...
 
> I have a device. I want my pfSense router and firewall to block that device from accessing the WAN. That device is... an Android device that can authenticate either wired or wireless. (However, that's moving into L1.)

That's an interesting question - and I'll tell you - you can't... not from a pfSense or any other router perspective...

Reason is that from the router's perspective, it's just a pipe - same from a switching perspective...

From an Android app - you need to put some policy control on the app itself from the OS layer in the device - the networking stack is going to move packets if the OS allows it, and the routers/switches are going to let that through - and you can try to put some policy on the LAN side, but you might not be able to control the WAN side of that Android device, assuming it's a smartphone, without having some policy management on it.
 
> That's an interesting question - and I'll tell you - you can't... not from a pfSense or any other router perspective...
>
> Reason is that from the router's perspective, it's just a pipe - same from a switching perspective...
>
> From an Android app - you need to put some policy control on the app itself from the OS layer in the device - the networking stack is going to move packets if the OS allows it, and the routers/switches are going to let that through - and you can try to put some policy on the LAN side, but you might not be able to control the WAN side of that Android device, assuming it's a smartphone, without having some policy management on it.
It's a Wi-Fi-only device (no GPRS/LTE/CDMA/etc.) and can only connect to my private network. With L2, this is doable via MAC address controls.

With pfSense, as far as I've been able to determine, I can't do it properly. I can assign an IPv4 address reservation (and FORCE its use via static ARP), but IPv6 on Android ignores DHCPv6, so I can't create a firewall rule to block on IPv6. I can just disable all of IPv6, but that isn't a solution, and doesn't solve the problem.

So, I'm asking: How can I do this with pfSense? I can easily do it with a USB stick booting any Linux distro and a single command line. I could probably do it easily with the BSD "ipfw" tool I've read about (but that's working outside of pfSense.)

Isn't this a reasonable use of a firewall?
 
Erm - what you're looking for is policy management/policy control - and pfSense does have the snort add-in (along with Squid and a few other add-ins)

From a firewall perspective - it's just pipes, and it will do what it is designed to do - whether it's ipv6 or ipv4...

All - Application
People - Presentation
Seem - Session
To - Transport
Need - Network
Data - Data
Processing - Physical Layer

IPv4/v6 lives at the "to" layer... e.g. the transport - you're trying to solve what is actually an application layer problem - which means policy management/control there...

Common ask, esp with folks that are used to all-in-one router/AP's....
 
Are you suggesting that I'm asking the wrong question? What do you suggest the question should be?

I'm not trying to block applications (L7.) I'm trying to completely cut off a device from the WAN. That, technically, is a L3 (routing) issue (I'm trying to prevent routing) that is solvable at one level lower (L2.) This is a common problem in software engineering: If the level you're working at isn't up to the task, go down one level lower and fix it. C not up to it? No problem - a bit of inline assembly will fix it.
 
Find the real problem - ask five why questions - and keep the focus there - and then you might find the root cause regarding the issues with that tablet...

If you can't define the problem, you won't find the real root cause, and no matter what hardware/software you throw at it, it will not be solved...

pfSense, MicroTik, etc - they are tools in the toolkit, but you need to recognize the problem first, before putting in a fix that might not meet your needs - and that fix might be time/effort/money, and not fix the real problem at hand.
 
> Find the real problem - ask five why questions - and keep the focus there - and then you might find the root cause regarding the issues with that tablet...
Usually, when someone approaches a problem with these types of responses, the underlying intent is to detract from the actual issue because of a shortcoming, and try to redirect it to something else.

For example, I could say that the "real problem" is that my 11 year old son plays on his tablet all night long if I don't block it, and you'd respond with "the real problem is that you don't beat your son often enough."

I'm not convinced that this is what you're trying to do, but it does appear that way.

The PROBLEM: Traffic is passing from the LAN to the WAN from devices when I'd prefer that it didn't.

Yes, I can remove the device completely. That doesn't solve the problem. (If you have a headache, you don't chop off your head.) I can disable all networking from the device. That doesn't solve the problem. I could put the single device on a different vlan that doesn't have access to the gateway. That becomes a nightmare when I want to switch from blocking WAN access to NOT blocking WAN access. It also creates problems when I want the device to be on the same network address as other devices. (Not all broadcasting protocols work with IGMP or are even server based.) I could force assign an IPv4 and completely disable IPv6 from working on the network...and block that IPv4... (but that's going backwards, not forward.)

So, it's not as simple as the problem. The "problem" isn't as simple as it sounds as shown by the rejection of so many simplified "solutions."

Technically, it's a L3 problem: I want to block the routing of ALL networking protocols. It doesn't matter WHY I want to do it.

This is the type of stuff I'm reading on the pfSense forums: Instead of answering difficult questions, people try to redefine the question (or attack the person asking the question.)

You said "perhaps ask questions, rather than make assertions based on your understanding of the rules"

So, my question, again, is: How can I block the routing of all traffic over the gateway for any protocol including (but not limited to) IPv4, IPv6, IPX, ICMP, Appletalk, and even ARP?

1: break the L1 (physical) connection.
2: block/break the L2 (data link) connection.
3: ??? How can you block/break a connection at the same layer that you're trying to block to begin with? Blocking/breaking the layer would cause the blocking/breaking mechanism to itself block/break.
 
You could use DHCP to create a static mapping of the MAC address to an IP of your choice, then set up the appropriate firewall rules to block WAN access for that IP.

or employ a managed switch.
 
> The PROBLEM: Traffic is passing from the LAN to the WAN from devices when I'd prefer that it didn't.

Sounds like this is not the problem - perhaps a specific application - that might be the problem.

Not trying to misdirect - trying to focus the question... then we can find an answer...
 
> You could use DHCP to create a static mapping of the MAC address to an IP of your choice, then set up the appropriate firewall rules to block WAN access for that IP.

He's tried that - and it's not working... hence the frustration...
 
> Yes, I can remove the device completely. That doesn't solve the problem. (If you have a headache, you don't chop off your head.) I can disable all networking from the device. That doesn't solve the problem. I could put the single device on a different vlan that doesn't have access to the gateway. That becomes a nightmare when I want to switch from blocking WAN access to NOT blocking WAN access. It also creates problems when I want the device to be on the same network address as other devices. (Not all broadcasting protocols work with IGMP or are even server based.) I could force assign an IPv4 and completely disable IPv6 from working on the network...and block that IPv4... (but that's going backwards, not forward.)

Step back for a day, seriously... been there, done that - it's a trap...

I'm suggesting you're overthinking things, and perhaps I'm not helping - so the best advice I can give at the moment, give it a bit of a break - and then really consider the problem at hand, but give it a couple of days first..
 
> You could use DHCP to create a static mapping of the MAC address to an IP of your choice, then set up the appropriate firewall rules to block WAN access for that IP.

That works for IPv4. It doesn't work for IPv6. With IPv6, many OSes ignore DHCPv6, and others accept the configuration and IP, but use a different IP for outgoing traffic (for "security" reasons.)

> or employ a managed switch.

How can I use my managed switch to accomplish this?
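The static-mapping suggestion and the IPv6 objection to it, illustrated as an added example that is not from this thread, from pfSense or from any poster: given the device's MAC and the LAN's /64 prefix, the script computes the one IPv6 address that is predictable from the MAC (modified EUI-64, as used by SLAAC) and then checks a neighbor-table snapshot for other addresses the same MAC is using, which is exactly what a rule on a single static IP would miss. The MAC, prefix and neighbor entries are all constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the thread): the tablet's MAC and the
# /64 prefix the LAN advertises in router advertisements.
DEVICE_MAC = "02:1a:2b:3c:4d:5e"
LAN_PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")

# Constructed neighbor-table snapshot in the shape of `ndp -an` / `ip -6 neigh`
# output: (IPv6 address, MAC). The tablet's MAC shows up with two addresses.
NEIGHBORS = [
    ("2001:db8:1:2:1a:2bff:fe3c:4d5e", "02:1a:2b:3c:4d:5e"),    # SLAAC EUI-64 address
    ("2001:db8:1:2:9f31:7c0e:55ab:2d41", "02:1a:2b:3c:4d:5e"),  # RFC 4941 temporary address
    ("2001:db8:1:2::10", "00:11:22:33:44:55"),                  # unrelated host
]


def eui64_address(mac: str, prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """SLAAC address a host derives from its MAC with the modified EUI-64 scheme."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(iid, "big"))


def addresses_missed_by_static_rule(mac, prefix, neighbors):
    """Addresses the MAC is actually using that a firewall rule on its predictable
    (EUI-64 or DHCPv6-assigned) address would not cover."""
    predicted = eui64_address(mac, prefix)
    observed = [ipaddress.IPv6Address(addr) for addr, m in neighbors if m.lower() == mac.lower()]
    return sorted(str(a) for a in observed if a != predicted)


if __name__ == "__main__":
    print("predictable address:", eui64_address(DEVICE_MAC, LAN_PREFIX))
    for addr in addresses_missed_by_static_rule(DEVICE_MAC, LAN_PREFIX, NEIGHBORS):
        print("not covered by an IP-based rule:", addr)
```

Any address listed as not covered is one the device will happily use for outbound traffic, so a per-IP block is only as good as the neighbor table at the moment the rule was written.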
 
> He's tried that - and it's not working... hence the frustration...

I think pfSense has timers. You could do blacklist firewalling during the day then switch to whitelisting firewalling at night, so that only explicitly allowed services work from midnight to sunrise.
 