Router firewall configuration

[rawk stoan]

The router (running opnsense) I have been working on has four ports, WAN, LAN, and the last two ports are combined as a LAGG.
I have also created 3 VLANs to be tagged on the LAGG trunk. So my LAN port will be solely a management port, and LAGG is my trunk port to the switch.

I am having a hard time understanding different firewall rules. There are many online examples with firewall rules on the LAN and VLANs interfaces.

For example, it seems common to have rules to allow only specific DNS servers using both and "allow" rule and "block" rules in combination.
The allow rule specifies: interface - LAN, source address - ANY, source port - ANY, destination address - LAN ADDRESS, destination port - DNS
The block rule specifies: interface - LAN, source address - ANY, source port - ANY, destination address - ANY, destination port - DNS

Would I copy these rules to each of my interfaces, LAGG and VLANs?
I would then modify the interface, but should the destination address remain as the LAN ADDRESS for each interface, even though the LAN is not my trunk port?

For LAGG it would be:
The allow rule specifies: interface - LAGG, source address - ANY, source port - ANY, destination address - LAN ADDRESS, destination port - DNS
The block rule specifies: interface - LAGG, source address - ANY, source port - ANY, destination address - ANY, destination port - DNS

For VLAN 3 it would be:
The allow rule specifies: interface - VLAN3, source address - ANY, source port - ANY, destination address - LAN ADDRESS, destination port - DNS
The block rule specifies: interface - VLAN3, source address - ANY, source port - ANY, destination address - ANY, destination port - DNS


I assume the port is the physical port and address is an IP address, and in this application I find it confusing.

 

[tgl]

I'd suggest forgetting most of that and concentrating on the ingress rules for your WAN port. That's what a firewall is for. Stuff like blocking outgoing DNS is in the category of "control freak" not a useful security tactic, if you ask me. You'll set your preferred DNS servers in your DHCP parameters, but why do you care if some device decides to use another one?

 

[rawk stoan]

I guess it forces users (kids) to be using DNS servers with some type of filtering. Perhaps I'm misguided in thinking this is a useful way to create some guardrails!

 

[coxhaus]

I'd suggest forgetting most of that and concentrating on the ingress rules for your WAN port. That's what a firewall is for. Stuff like blocking outgoing DNS is in the category of "control freak" not a useful security tactic, if you ask me. You'll set your preferred DNS servers in your DHCP parameters, but why do you care if some device decides to use another one?

You do not want to allow someone to use a bad DNS and allow their device to become infected and infect other deices inside your LAN. Bad DNS is one of the easiest ways to get inside your network. All they have to do is use something like Microsoft.com to write on your PC.

 

[Tech9]

Perhaps I'm misguided in thinking this is a useful way to create some guardrails!

This is the right way to do it in pfSense:

Blocking External Client DNS Queries | pfSense Documentation

docs.netgate.com

Perhaps similar in OPNsense. You don't block, but redirect port 53 to internal DNS server (Unbound in pfSense/OPNsense case).

I keep IPv6 disabled, block DoT port 853 and known DoH servers in pfBlockerNG as extra measures. Find alternatives to do similar in OPNsense.

 

[ddaenen1]

I don't want to hijack the topic but is there actually an advantage of using a different router network port for each VLAN? I currently have VLAN1 and VLAN10 (default/public) and they are both configured on ix0 (VLAN10 being on interface ix0.10). I do have 2 1gbe network ports left on my pfSense router as i added the x550-T2 and as always, wondering if i can put them to use. Ofcourse, as a downside i see that i will occupy one additional port on the switch, but i still have enough open.

 

[coxhaus]

I don't want to hijack the topic but is there actually an advantage of using a different router network port for each VLAN? I currently have VLAN1 and VLAN10 (default/public) and they are both configured on ix0 (VLAN10 being on interface ix0.10). I do have 2 1gbe network ports left on my pfSense router as i added the x550-T2 and as always, wondering if i can put them to use. Ofcourse, as a downside i see that i will occupy one additional port on the switch, but i still have enough open.

The only advantage that comes to mind is if you are exceeding bandwidth of a port. Lagg would work as well.

There is an advantage of using one layer 3 switch so you can process all local traffic within one switch backplane. If you had enough ports on your pfsense for all ethernet connections, then you could simulate this. Switches are built for this and pfsense is not.

 

[ddaenen1]

The only advantage that comes to mind is if you are exceeding bandwidth of a port. Lagg would work as well.

There is an advantage of using one layer 3 switch so you can process all local traffic within one switch backplane. If you had enough ports on your pfsense for all ethernet connections, then you could simulate this. Switches are built for this and pfsense is not.

Currently, there is no port bandwidth issue since i have capped the bandwidth for the guest network to 25mbps and i have no device that pulls anything close to 1 Gbps which is the max WAN speed anyways. I am not at the level that i can configure L3 on my switch and from what i understand, pfSense doesn't like it either. I am happy with the setup. I am just always looking for small things that make it better. The X550-T2 is 10Gbe per port so highly unlikely that i would get into trouble there either. My thinking was that splitting the VLAN ports on the router was maybe more secure before you have a physical split between both VLANs.

 

[Christos]

I don't see a reason why someone needs much inter-VLAN traffic and bandwidth.
In home labs and SMBs, vlans are created for guests, cameras, IoT etc. These devices have little to no communication with other vlans, making a L3 switch a waste.

 

[coxhaus]

I don't see a reason why someone needs much inter-VLAN traffic and bandwidth.
In home labs and SMBs, vlans are created for guests, cameras, IoT etc. These devices have little to no communication with other vlans, making a L3 switch a waste.

The L3 switch allows you to create IP ACL lists, access control lists, to control security without having to traverse to a firewall or router depends on your definition. You can do it all in the L3 switch at line speed.
How do you share printers among vlans? I want my guests to be able to print. I also want my guests to be able to share files if they want to.

 

[Christos]

The L3 switch allows you to create IP ACL lists, access control lists, to control security without having to traverse to a firewall or router depends on your definition. You can do it all in the L3 switch at line speed.
How do you share printers among vlans? I want my guests to be able to print. I also want my guests to be able to share files if they want to.

In my case, pfsense (the firewall) connects the 2 interfaces (one for each vlan). There are firewall rules for each vlan and mDNS service for broadcast traffic to passthrough between the vlans. No static routing needed.

If there are many L2 switches, I understand the need for some L3 switches to connect them and then the L3 switches connect to the firewall, but in a smaller network I don't see a benefit in speed from L3 routing.

 

[coxhaus]

I am an old, retired network guy and I ran a lot of L3 switches in the past. It is fun to do for me.

I don't like running separate interfaces on pfsense for vlans. You might as well not run vlans if you are going to run separate physical interfaces. That is the way we ran networks before vlans. We also ran multiple IPs so we could run multiple networks on a single wire. vlans simplified all that using 1 physical interface.