PFsense/Snort Setup

Cool thanks, I may actually set WiFi up on a separate interface and just allow a static address for my iPhone to have full access in the firewall. I don't feel like having to allow certain protocols and whatnot; I run all static addresses in my network anyway for security reasons (more paranoia but hey).

As for the subnetting, I did a few tests this evening (everyone does subnetting on a Friday night, right?) and here is what I found:

Set up a router with the following config:

Router IP: 192.168.39.1
Mask: 255.255.255.128 /25

First subnet info:

First Host: 192.168.39.1
Last Host: 192.168.39.126

Second Subnet info:

First Host: 192.168.39.139
Last Host: 192.168.39.254

If I set my laptop IP to 192.168.39.5 (within first subnet) obviously I can ping the router.
On the other hand, if I set it to 192.168.39.145 (within the second subnet) I can't ping the router.

I guess my question is, how do you get the 2nd subnet to talk to the router?

Second question would be: if you had a massive network with multiple subnets all needing to talk to each other, how would you get that to work?

You need to have a second interface in the router with an IP in the second subnet.

For example on my network I have a LAN interface on pfsense with an IP of 10.1.1.3 in the 10.1.1.0/24 subnet. I then have a DMZ interface with an IP of 10.1.3.3 in the 10.1.3.0/24 subnet. This allows devices on the LAN network to communicate with devices on the DMZ network.

It won't work if you only have one interface and try to have multiple subnets connected to it.

So for an example, let's say you had a multi-floor building and on each floor you had four sets of offices, and you wanted each set of offices on their own subnet to reduce network overhead. What you could do is have a router on each floor which would connect to the four networks on that floor, and then each of these routers would connect back to a central router which would connect to the internet and core network stuff like DMZ and servers and whatever. So imagine it as you have a bunch of computers which connect to a switch, then a bunch of switches connected to a router, then a bunch of routers connected to a central router.

You can split the network up as much as you like, but whenever you need to allow traffic from one network to another it needs to go through a router, and the router needs to be in all of the networks it's routing traffic between. Which means it needs a network interface (a physical network card, or a logical VLAN interface, something with an IP address) which is connected to each network.

Sorry to have made so many replies, but this video might help explain about routing

https://forum.teksyndicate.com/t/the-basics-of-vlans/66463?u=dexter_kane

Ok I gotcha, I was able to look at a chapter in my Network book and visualize it a little better.

I guess the easiest way to get multiple subnets to route on the same router would be a logical setup as opposed to needing a physical port for each subnet.

What entry would you make in the router to get the different subnets to talk to one another?

Also, I finally got my wifi card installed but I'm not sure how to set up the card so that it's in its own subnet separate from LAN, but I will make entries in FW for specific IPs to pass from WiFi to LAN.

I will poke around but I'm sure I'll need your assistance anywho :)

In the router, getting one subnet to talk to another, would static routes be the answer for this?

Those routes are handled automatically when you create the interface. All you need to do is create the firewall rules you want for each interface.

Adding virtual interfaces to pfsense is pretty easy. You go to the interface assign tab and go to the VLAN page. Then you configure VLANs for whichever physical interface you're using, and after that you can assign that VLAN interface to an interface which pfsense can use in the firewall, but for that you will need a switch which supports VLANs. Otherwise you will need separate physical interfaces connected to different physical networks for each subnet.

You can see in one of the screen shots I posted above that I have VLAN interfaces assigned to my LAN, WiFi, and DMZ interfaces.

If you have set up your WiFi interface, then in your interfaces tab or in your firewall you should see LAN, WAN, and WiFi. Then you just create a rule on WiFi to allow access to what you want it to have access to. The easiest way to configure it is to create an allow any to any rule so you can access the internet, then create a block any to LAN rule on top of that to restrict access to the LAN network, then on top of that create your allow rules to allow specific IPs to access the LAN.

The other way to allow access to the internet is to create an alias of your local networks and then create a rule that allows access to not that alias. This way you're saying allow access to everything which isn't a local network.

Ok so I'm ready to do this lol. Note: read this from the post, not from your email; I have made edits to the original post. Thanks!!

I've calculated some of this out with a calculator. My LAN router is 10.39.3.1

So my preferential setup is separating the wifi from the LAN but allowing certain static IP mobile devices to access resources on the 10.39.3.0 network.

With 10.39.3.1 and /27 this gives me a whopping 524288 subnets (should have planned better lol). I've chosen the 7745th subnet which is 10.3.200.0, which in turn I would set my static WiFi as 10.3.200.2

So from there how would I go about getting this setup to just allow certain static IPs to talk to my LAN of 10.39.3.1? I re-read through some of the posts above but I think some explanations got lumped in with the others.
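The subnet arithmetic from the /25 test earlier in the thread and the /27 figures in this post, worked through in code. This is an added example, not code from the original thread; the only assumption it makes is that the 524288 count refers to carving the whole 10.0.0.0/8 block into /27 networks (2^(27-8) = 524288), which is also what makes 10.3.200.0/27 the 7745th of them when counting from 1. It also shows why an interface address such as 10.1.1.200/24 still describes the network 10.1.1.0/24.

```python
import ipaddress


def subnet_info(cidr):
    """Network, usable host range and broadcast for an address written as host/prefix.

    The host bits are masked off, so 10.1.1.200/24 describes the same network as
    10.1.1.0/24: whatever address the interface gets, the subnet is fixed by the prefix.
    """
    net = ipaddress.ip_interface(cidr).network
    return {
        "network": str(net),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "hosts": net.num_addresses - 2,
    }


def same_subnet(ip_a, ip_b, prefixlen):
    """True if both addresses fall inside the same /prefixlen network, i.e. they can
    reach each other directly; otherwise a router with a leg in each network is needed."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(ip_b) in net_a


def split(cidr, new_prefix):
    """All /new_prefix networks inside cidr, as strings (fine for a /24, not for a /8)."""
    return [str(n) for n in ipaddress.ip_network(cidr, strict=False).subnets(new_prefix=new_prefix)]


def subnet_count(block, new_prefix):
    """How many /new_prefix networks a larger block can be carved into."""
    return 2 ** (new_prefix - ipaddress.ip_network(block).prefixlen)


def nth_subnet(block, new_prefix, n):
    """The n-th (1-based) /new_prefix network inside block, computed arithmetically
    so a /8 does not have to be enumerated."""
    base = ipaddress.ip_network(block)
    if not 1 <= n <= subnet_count(block, new_prefix):
        raise ValueError("subnet index out of range")
    size = 2 ** (32 - new_prefix)
    start = int(base.network_address) + (n - 1) * size
    return str(ipaddress.ip_network((start, new_prefix)))


if __name__ == "__main__":
    # The /25 test: the router (192.168.39.1) sits in the first half of 192.168.39.0/24.
    for half in split("192.168.39.0/24", 25):
        print(half, subnet_info(half))
    for laptop in ("192.168.39.5", "192.168.39.145"):
        print(laptop, "reaches 192.168.39.1 directly:", same_subnet("192.168.39.1", laptop, 25))
    # The /27 figures: 10.0.0.0/8 holds 2**19 = 524288 /27s (assumption, see lead-in).
    print(subnet_count("10.0.0.0/8", 27), nth_subnet("10.0.0.0/8", 27, 7745))
    print(subnet_info("10.39.3.1/27"), subnet_info("10.1.1.200/24"))
```

Running it prints the two /25 halves (hosts .1 to .126 and .129 to .254), shows that 192.168.39.145 is not in the router's subnet, and confirms that a /27 gives 30 usable hosts, so 10.39.3.0/27 covers 10.39.3.1 through 10.39.3.30.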

Okay so from what I understand you should have three interfaces on pfsense. WAN, LAN and WIFI (or OPT1, or whatever you want to call it, but I'll refer to it as WIFI here).

The LAN network is 10.39.3.0/27 with an interface address of 10.39.3.1

The WIFI network is 10.3.200.0/27 with an interface address of 10.3.200.2

If I've got that wrong then you should be able to substitute the correct info in, but that's what I'll be using for this explanation.

There's a couple of things you want to keep in mind when making firewall rules. The first is that the rules are processed first match top to bottom. So that means that traffic is checked against each rule from the top of the page down and as soon as it finds a rule that matches then that rule takes effect. So you can have overlapping rules but the first one will be the only one which counts.

The other thing to remember is that the rules are always from the perspective of the pfsense box. This means that inbound traffic is traffic entering one of the pfsense interfaces and outbound is traffic leaving. For example if you're talking about your internet download traffic then on the WAN interface this is inbound traffic as it is entering the WAN interface, but on the LAN interface this is outbound traffic as it is leaving the LAN interface. So when you write firewall rules the source address is always something connected to the interface and the destination address is either pfsense or something on a different interface.

By default pfsense blocks everything so you need to create rules to allow traffic between interfaces. The LAN interface will have a default allow any rule but new interfaces (like your WIFI interface) will not, so by default your wifi devices will have access to nothing. So the default action is to block but for the rules I'm going to show you we will change that and make the default action to allow, the same as it is on the LAN interface. I find this way a little easier to understand and work with but you can do it either way.

The first thing you want to do is create some aliases. Aliases are awesome and I recommend you use them for all your firewall rules. You can use them to create a group of IPs, ports or networks but they're also good for naming a single IP, network or port. So it makes it much easier to see what your rules do.

The first alias you want to make is for the static IPs of the devices on your wifi network which you want to allow access to your LAN network. To create aliases go to firewall>aliases.

I've called the alias wifi_allow but you can call it whatever you like. Choose hosts as the type and add each static IP below. Now when you make the firewall rules you only have to make one rule for this alias rather than a rule for each IP.

You can also make a similar alias for LAN IPs if you want to allow access only to certain IPs. But if you want to allow access to the whole network then you don't need to worry about it.

The next alias you'll need is a port alias, which I've called management_ports

This alias will be used in a rule for added security, which I'll explain when we get to it.

Another alias that I find useful but which won't be used in these rules is a local network alias. This is an alias of all your local networks and can come in handy for some rules.

I've set up these rules on my pfsense machine on an interface called TEST, but in your case it will be WIFI or whatever you decide to call it.

From top to bottom the rules are:
1. Allow access from the wifi_allowed alias (your static IPs of trusted devices) to pfsense (so you can access the webui)
2. Reject access from any to the pfsense management ports (80, 443 and 22). This rule prevents unauthorised IPs from accessing the webui or SSH while allowing them to access DHCP, NTP, DNS etc.
3. Allow access from the wifi_allowed alias to the lan network.
4. Reject access from any to the LAN network. Because of the above rule only the static IPs in the wifi_allowed alias will have access to the LAN and everything else will be rejected.
5. Allow any to any. This will allow access to everything not explicitly blocked by the above rules. You need this rule to allow internet access.

You can remove the first rule and just use the LAN address of pfsense to access the webui, as this will be allowed by the rule allowing access to the LAN network. But it is handy to have access from both interfaces in case you accidentally lock yourself out.

The reason I use reject rather than block for internal networks is that it makes the network more responsive. When you try to access something which has a reject rule the connection terminates immediately whereas with a block rule it will have to time out. Blocking is useful for rules on your WAN address as some argue that it adds security by making it hard to tell if there is something at the address or not (block gives no response while reject tells the client that access is denied). If you'd rather use block rules you can.

You can make similar rules on your LAN interface if you like or just use the default allow any to any rule.

Below I will give an explanation of how to configure each rule, starting from the bottom as new rules are added to the top (you can move them around if you need to).

The allow any rule. Set action to pass, the protocol to any, the source to any and the destination to any

The reject LAN rule. Set action to reject, the protocol to any, the source to any and the destination to LAN net. You can also set it to network and manually input the LAN subnet, but the LAN net option will be the same.

The allow LAN rule. Set action to pass, the protocol to any, the source to single host or alias and use wifi_allowed (or whichever alias name you chose) and the destination to LAN net

The reject pfsense rule. Set action to reject, the protocol to TCP, the source to any, the destination address to WIFI address (you can also choose single host or alias and use the wifi interface address here (10.3.200.2)), and the destination port to other and the alias management_ports (or whatever you called it). This rule blocks ports 80, 443 and 22 on the pfsense interface. If you wanted to make this rule stricter you could create an alias of both interface addresses for pfsense (10.39.3.1 and 10.3.200.2) and use that instead of WIFI address. This will block access to both the LAN and WIFI interface addresses. In this case it makes no difference as access is already denied, but in a more complex configuration you may want to do it.

And finally the allow pfsense rule. Set action to pass, protocol to any, source to single host or alias using the wifi_allowed alias, and destination to WIFI address.

Hope you made sense of all that, getting your head around firewall rules can be a little tricky at first but once you understand the logic of it it's fairly straightforward.

You can actually simplify the rules if you want. If you keep the allow any rule and delete the other two allow rules, then change the reject LAN rule so the source address is the wifi_allowed alias and the 'not' box is checked. This will change the rule so that it will reject everything which isn't in the wifi_allowed alias (these will be allowed by the allow any rule). And do the same thing for the reject to pfsense rule.
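The first-match, top-to-bottom evaluation described in this reply, modelled as a small rule engine so the five-rule and three-rule (inverted source) WIFI rulesets can be checked against the same traffic. This is an added example, not pfSense's own code or anything posted in the thread. It uses the thread's addressing (LAN 10.39.3.0/27, WIFI interface 10.3.200.2); the member IPs of wifi_allowed, the untrusted client 10.3.200.50 and the public destination 198.51.100.7 are constructed. It also shows what goes wrong if the allow-to-LAN rule is set to TCP instead of any: ping (ICMP) to the LAN address then falls through to the reject rule.

```python
import copy
import ipaddress

# Interface macros and aliases as they would be configured under firewall>aliases.
NETWORKS = {
    "lan_net": ipaddress.ip_network("10.39.3.0/27"),       # "LAN net"
    "wifi_address": ipaddress.ip_network("10.3.200.2/32"),  # "WIFI address"
}
HOST_ALIASES = {  # constructed trusted static IPs
    "wifi_allowed": {ipaddress.ip_address("10.3.200.10"), ipaddress.ip_address("10.3.200.11")},
}
PORT_ALIASES = {"management_ports": {22, 80, 443}}


def addr_matches(spec, ip):
    """spec is 'any', a host alias, an interface/network macro, a CIDR string,
    or ('not', spec) for the 'invert match' checkbox."""
    if spec == "any":
        return True
    if isinstance(spec, tuple) and spec[0] == "not":
        return not addr_matches(spec[1], ip)
    if spec in HOST_ALIASES:
        return ip in HOST_ALIASES[spec]
    if spec in NETWORKS:
        return ip in NETWORKS[spec]
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, proto, src, dst, dport=None):
    """First match wins, top to bottom; no match means the implicit default block.
    These are rules on the interface the packet enters, so src is always a WIFI host."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if not addr_matches(rule["src"], src) or not addr_matches(rule["dst"], dst):
            continue
        if "dport" in rule and dport not in PORT_ALIASES[rule["dport"]]:
            continue
        return rule["action"]
    return "block"


# The five-rule WIFI ruleset, top to bottom.
WIFI_RULES = [
    {"action": "pass",   "proto": "any", "src": "wifi_allowed", "dst": "wifi_address"},
    {"action": "reject", "proto": "tcp", "src": "any",          "dst": "wifi_address", "dport": "management_ports"},
    {"action": "pass",   "proto": "any", "src": "wifi_allowed", "dst": "lan_net"},
    {"action": "reject", "proto": "any", "src": "any",          "dst": "lan_net"},
    {"action": "pass",   "proto": "any", "src": "any",          "dst": "any"},
]

# The simplified version: the two allow rules dropped, reject rules with 'not' on the source.
WIFI_RULES_SIMPLE = [
    {"action": "reject", "proto": "tcp", "src": ("not", "wifi_allowed"), "dst": "wifi_address", "dport": "management_ports"},
    {"action": "reject", "proto": "any", "src": ("not", "wifi_allowed"), "dst": "lan_net"},
    {"action": "pass",   "proto": "any", "src": "any",                   "dst": "any"},
]

# Constructed traffic entering the WIFI interface: (proto, src, dst, dport)
PACKETS = {
    "trusted_webui":      ("tcp",  "10.3.200.10", "10.3.200.2", 443),
    "untrusted_webui":    ("tcp",  "10.3.200.50", "10.3.200.2", 443),
    "untrusted_dns":      ("udp",  "10.3.200.50", "10.3.200.2", 53),
    "trusted_ping_lan":   ("icmp", "10.3.200.10", "10.39.3.1", None),
    "untrusted_ping_lan": ("icmp", "10.3.200.50", "10.39.3.1", None),
    "untrusted_internet": ("tcp",  "10.3.200.50", "198.51.100.7", 443),
}


def decisions(rules):
    """Verdict for every constructed packet under the given ruleset."""
    return {name: evaluate(rules, *pkt) for name, pkt in PACKETS.items()}


def with_tcp_only_lan_rule(rules):
    """A common mistake: the allow-to-LAN rule set to TCP instead of any. SSH and HTTP
    still get through, but the ICMP echo that ping needs no longer matches it."""
    rules = copy.deepcopy(rules)
    for rule in rules:
        if rule["action"] == "pass" and rule["dst"] == "lan_net":
            rule["proto"] = "tcp"
    return rules


if __name__ == "__main__":
    for name, verdict in decisions(WIFI_RULES).items():
        print(f"{name:20} {verdict}")
    print("simplified ruleset gives identical verdicts:", decisions(WIFI_RULES) == decisions(WIFI_RULES_SIMPLE))
    print("ping LAN with TCP-only allow rule:", evaluate(with_tcp_only_lan_rule(WIFI_RULES), *PACKETS["trusted_ping_lan"]))
```

Note that the untrusted client's DNS query to the WIFI address passes under both rulesets because the management-port reject is TCP-only and the allow-any rule catches it, which is exactly the behaviour the second rule is meant to preserve for DHCP, NTP and DNS.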

Thanks for this, I can't stress that enough. It's funny (sad really) as I figured out setting up the rules myself then realized the screenshots at the bottom have that listed.

I haven't done that much fumbling since trying to take off my first GF's bra lol.

Anywho, a few nights ago I took a spare router and set up a laptop with a static IP on a separate subnet and this time, with the info you provided and looking over some subnetting articles, I created a static route so the two networks could talk.

I'm guessing I need to do something similar to this? How will the 10.39.9.1 network be able to talk to the 10.39.200.3 network otherwise?

I setup the rules as you have them here, I will double check them for good measure.

As it stands I can't ping my router from a laptop wireless with a static IP set to that of one in the wifi range.

You don't need to set up any static routes as all the routes for interfaces connected to pfsense are configured automatically. You'd only need to do that if you had another router on a network attached to pfsense with some more networks behind it.

Which IP are you pinging? If you're trying to ping the LAN address from the wifi network then make sure for the rule which allows wifi to lan you have the protocol set to any. If it's set to TCP this will only allow TCP traffic and not ICMP traffic which you need for pinging.

You could post a screenshot of your rules so I can check if you'd like. You can also check your firewall log and see if anything is being blocked; it's also a good idea to enable logging on your block rules, at least while you're setting them up, so you can tell if something isn't set right.

Hmm I must be confused, I did this initial static route test on an Asus home router but from your wording, and my misinterpretation, I thought that routers don't understand subnets automatically.

For example my Asus router (10.39.3.1 /27) did know the 10.39.3.0-10.39.3.30 range and can ping any of the addresses listed.

It did not, however, know the 10.31.40.32 network (hosts for this network = 10.31.30.33-62)
and setting up a laptop with say 10.31.40.40 I could not ping 10.39.3.1, but after adding the static route I could ping 10.39.3.1 and get to the internet and all that.

I know static and dynamic routing is mainly for router to router configuration/setup but apparently it can also be used to tell a router a subnet it didnt know before, which is news to me.

The IP I'm pinging is the PFSENSE LAN IP itself, so from 10.39.200.5 to 10.39.3.1 returns a failed ping.

Let me double check my rules I set up and post screens if needed.

Also, the aliases are extremely useful, you are correct about that; it's almost like setting up groups in Windows permissions then adding individual users to the group. So any administrative changes just need to be made to the alias/group and the administrative burden is reduced.

I mean that pfsense does that automatically for the networks you configure. You should be able to see it if you go to diagnostics>routes.

On your interface configuration you should have 10.39.3.1/27 for the LAN IPv4 address and 10.39.200.1/27 for the WIFI. So from that pfsense knows what the networks are and where it needs to route the traffic.

Try pinging the WIFI address as well, but from the sounds of it it's a firewall problem. What you can do is disable all but the allow any rule to make sure you can communicate between networks, then re-enable the rules to figure out where the problem is.

Sweet deal its working, thanks soooo much! I had the gateway set incorrectly....durr me

So to try and get my head around some basic things here, so I know for the future.

  1. Should static routes be used to tell one router about another router and/or be used to create routes between subnets on the same router?

  2. PFsense did create the static route in diagnostics->routes but why didn't my Asus router do the same? I'm guessing this is a difference between the routing software but it's safe to say these routes are not created automatically by default?

  3. If I had a total of 4 subnets for a particular network, each subnet would have a x.x.x.1 interface to act as the 'router' address for that subnet. So assuming the router doesn't create the routes between all 4 subnets and I didn't have physical ports to do this, what would I do/program in the router as a logical setup so each subnet could talk to each other?

I do have a few other Q's but I wanted to hopefully get a better understanding on these ones.

Thanks again Dex!

Let's say you had a LAN network of 10.1.1.0/24 and on that network was a second router with the address 10.1.1.2 and connected to that router was another network of 10.1.2.0/24. You would need to create a static route on the first router to tell it that the gateway for 10.1.2.0/24 is 10.1.1.2.

So you only need to create static routes if you have networks which aren't connected directly to your primary router or aren't on the default gateway. If you set up a site to site vpn you would need to create static routes for the networks on the other end of the VPN, although in pfsense this is usually configured within the VPN configuration.

(I'm having trouble quoting replies)

2. I'm not really sure. I would have thought that if you have one network connected to LAN and another connected to WAN then the routes would be handled by the default gateway. But I don't know. I just know that on pfsense when you create an interface the routes are added automatically.

3. On pfsense whatever address you assign to an interface becomes the first address in that subnet. Unless the subnet is too big. So 10.1.1.200/24 will give you a subnet of 10.1.1.0/24 but with a smaller subnet you could have 10.1.1.200/30 or something.

You need an interface for each network. If you don't have separate physical interfaces and networks you need to use VLANs which means you need hardware which supports that. You can't have multiple subnets on the same physical network. As far as I know.

Feel free to ask any additional questions.
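The routing behaviour described in this reply (connected routes appearing when an interface gets an address, a static route only for a network behind a second router, longest-prefix match deciding the exit interface), as an added example. It is not pfSense's code or anything posted in the thread; it uses the LAN 10.1.1.0/24, DMZ 10.1.3.0/24 and second-router 10.1.1.2 / 10.1.2.0/24 addresses from this reply, and the WAN addressing (203.0.113.10/24 with gateway 203.0.113.1) is constructed. Building the table without the static route reproduces the symptom from the Asus test: traffic for 10.1.2.0/24 goes out the default gateway instead.

```python
import ipaddress


class RoutingTable:
    """Minimal longest-prefix-match routing table, the shape of what pfSense lists
    under diagnostics>routes."""

    def __init__(self):
        self.routes = []  # (network, out_interface, next_hop or None when directly connected)

    def add_interface(self, name, cidr):
        """Assigning host/prefix to an interface installs the connected route for that
        subnet automatically; nothing more is needed for LAN and WIFI to be routed."""
        iface = ipaddress.ip_interface(cidr)
        self.routes.append((iface.network, name, None))

    def add_static(self, dest, via):
        """Static route: dest is reachable through gateway `via`. The gateway must be on a
        directly connected network, otherwise the router has no way to hand it the packet."""
        gw = ipaddress.ip_address(via)
        hop = self.lookup(str(gw))
        if hop is None or hop[1] is not None:
            raise ValueError(f"gateway {via} is not on a directly connected network")
        self.routes.append((ipaddress.ip_network(dest), hop[0], gw))

    def lookup(self, ip):
        """(interface, next_hop) for the most specific matching route, or None."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, iface, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, nh)
        if best is None:
            return None
        return best[1], (str(best[2]) if best[2] is not None else None)


def build_table(with_static=True):
    """LAN and DMZ directly on pfSense, a second router at 10.1.1.2 with 10.1.2.0/24
    behind it, and a constructed WAN. Only the 10.1.2.0/24 route is added by hand."""
    rt = RoutingTable()
    rt.add_interface("lan", "10.1.1.3/24")
    rt.add_interface("dmz", "10.1.3.3/24")
    rt.add_interface("wan", "203.0.113.10/24")          # constructed WAN address
    rt.add_static("0.0.0.0/0", "203.0.113.1")           # default route to the ISP gateway
    if with_static:
        rt.add_static("10.1.2.0/24", "10.1.1.2")        # network behind the second router
    return rt


if __name__ == "__main__":
    for dest in ("10.1.1.50", "10.1.3.9", "10.1.2.7", "8.8.8.8"):
        print(dest, "with static route:", build_table().lookup(dest),
              "without:", build_table(with_static=False).lookup(dest))
```

The check in add_static is the part worth keeping in mind: a static route whose gateway is not on one of the router's own networks cannot work, because the router still needs a directly connected interface to reach the next hop.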

Ok well having set up my wireless, on my iPhone I am unable to load certain things, mainly and products on the newegg app for example. The app loads its main page but if I click on a product for example it will just load and load and nothing.

I have turned off snort and PfblockerNG with no improvement. I can switch back to my regular wireless router and get the pages to load with no issues so not sure what in PFsense is causing this. Any ideas?

Also, I'm in an apartment and want to reduce the transmission strength of the antennas so it doesn't bleed into my neighbours. I see a few options here but it isn't totally clear on how to go about it.

If it's a snort issue you'll have to clear its blocked hosts list, otherwise they will still be blocked even if you disable it.

Otherwise it could just be the WiFi on pfsense. The WiFi support isn't great and depends a lot on what WiFi card you use. I doubt that if some things work but others don't that it's a WiFi problem, but it could be.

I'm not really sure about the WiFi signal strength settings as I haven't set up WiFi in pfsense before and I don't have any cards that I could test. But anything which gives units in dB or mW will be the signal strength.

At the end of the day you're probably better off repurposing your old router as a wireless access point and using that in conjunction with pfsense, as the WiFi support isn't great. Do you have the same issues on the LAN or is it just WiFi devices? If it's both then it probably is snort.

Right, so once I removed the blocked hosts from snort and disabled the service it worked successfully.

So I guess my question is, how do I prevent Snort from blocking legit traffic while still blocking bad stuff? I know it's a balancing act but do I have to whitelist certain things in snort every time I can't do something?