Seeking advice for first Guest network

Started by Seldon, December 06, 2025, 06:36:09 AM

Hi everyone,
I'm fairly new to tinkering with firewalls, so I'm bound to make lots of mistakes, so I thought I might dip my toes in by creating a guest VLAN and trying out some Rules, and wanted to get some feedback. I have a screenshot of my Rules attached. Anything to look out for, missing, general advice? Are there any must have Rules for guest networks over others? Did I make any mistakes? :)

December 06, 2025, 12:59:06 PM #1 Last Edit: December 06, 2025, 01:05:52 PM by meyergru
There are lots of problems with those rules.

First, you have to ask yourself what you want to achieve by separating out a guest VLAN.

Usually, this is used to protect your "valuable assets" in your main LAN from anyone who may just use your internet connection. In order to do this, you should have rules in place to protect your LAN from the guest VLAN.

Your rules show an attempt to further regulate the traffic originating from your guest network. This is debatable at best and your rules do not provide that, either. The way you currently do it would keep most guests from browsing anything at all, because current browsers use DoT on port 853, which you do not allow. On the other hand, because you allow port 443, anybody could use DNS via DoH, so you do not block external DNS requests effectively.

Before I go on to show what is wrong with your rules, I tell you what mine are:

1. I have floating rules to allow traffic that I need to allow for basic network functions on all local networks - that includes the guest VLAN.
Those would be DNS (53/UDP) and NTP (123/UDP). I also allow access to specific resources there, like a printer on my IoT VLAN.

2. In the VLAN-specific rules, I have one rule to allow any to any, like the default LAN rule. This will allow guest clients to access anything on the internet. Why? Frankly, because you cannot effectively regulate traffic there anyway. The only thing you have to do there is a block rule to an alias "RFC1918", which has to be placed before the "allow any" rule, in order to keep guests from accessing your local networks.

That is about it.


Now for your rules:

- Allow DHCP Port 67/UDP: This rule is unnecessary AFAIR, because that is allowed in the "Automatically generated rules" already. Delete it.
- Allow DNS Port 53: Only needed with UDP and should be placed in floating rules for all local network interfaces. Move it there.
- Block External DNS Port 53: Why would you? These days, browsers mostly do DoT or DoH, anyway. As long as you do not block that, either, this is fruitless. If you want to block it: This is very complex and frankly, at your current level, you would not succeed in doing it. Leave it be, delete the rule.
- Block access to firewall management: Since this rule comes before the next rules, it would block anything after it, like "Allow NTP", so it is misplaced. If at all, you should move it further down in the list. Then again, it is not needed at all, because there already is an implicit "block all" rule at the end of the list. Rule of thumb: order matters! Delete it.
- Block access to private/internal networks. Yes, keep it.
- Allow Inbound Connection Ports 80-443: Problem here is, you allow not only ports 80 and 443 for HTTP and HTTPS, but anything in between, including NTP (123) and many others. If you really want ports 80 and 443 only, you need either two rules or a "Port" alias for web traffic consisting of port 80 and 443. I would say, delete the rule and replace it by an "allow any" rule.
- Allow Outbound traffic Port 443-80: You never need to have a firewall rule for outbound directions (with only a few exceptions), even less so for an existing inbound rule. The responses to allowed traffic are always allowed. Delete it.
- Allow NTP Port 123: Move the rule to floating.
 
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
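As an added illustration (not code from the thread), here is a toy first-match evaluator in Python that replays the two rulesets compared above: the guest ruleset as listed in the reply, and the recommended "floating DNS/NTP, then block RFC1918, then allow any" layout. The firewall address 192.168.50.1, the LAN host 192.168.1.10 and the destinations of the rules are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

FIREWALL_IP = "192.168.50.1"   # assumed: the firewall's own address on the guest VLAN
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    name: str
    action: str           # "pass" or "block"
    proto: str = "any"    # "udp", "tcp" or "any"
    dst: str = "any"      # "any", "rfc1918" (alias) or "firewall"
    ports: tuple = ()     # (low, high) inclusive; () = any port

def matches(rule, proto, dst_ip, port):
    ip = ipaddress.ip_address(dst_ip)
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dst == "rfc1918" and not any(ip in net for net in RFC1918):
        return False
    if rule.dst == "firewall" and dst_ip != FIREWALL_IP:
        return False
    if rule.ports and not (rule.ports[0] <= port <= rule.ports[1]):
        return False
    return True

def evaluate(rules, proto, dst_ip, port):
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if matches(rule, proto, dst_ip, port):
            return rule.action, rule.name
    return "block", "implicit default deny"

# The original guest ruleset as described in the reply, in the order it was listed (constructed).
ORIGINAL = [
    Rule("Allow DHCP", "pass", "udp", "firewall", (67, 67)),
    Rule("Allow DNS", "pass", "any", "firewall", (53, 53)),
    Rule("Block external DNS", "block", "any", "any", (53, 53)),
    Rule("Block firewall management", "block", "any", "firewall"),  # no port: matches all traffic to the firewall
    Rule("Block private networks", "block", "any", "rfc1918"),
    Rule("Allow 80-443", "pass", "any", "any", (80, 443)),          # a range, so 123 is inside it too
    Rule("Allow NTP", "pass", "udp", "firewall", (123, 123)),       # never reached: blocked three rules earlier
]

# The recommended layout: floating pass rules first, then block RFC1918 before the allow-any rule.
RECOMMENDED = [
    Rule("Floating: allow DNS", "pass", "udp", "firewall", (53, 53)),
    Rule("Floating: allow NTP", "pass", "udp", "firewall", (123, 123)),
    Rule("Guest: block RFC1918", "block", "any", "rfc1918"),
    Rule("Guest: allow any", "pass"),
]
```

Calling `evaluate(ORIGINAL, "udp", "192.168.50.1", 123)` shows NTP to the firewall hitting "Block firewall management", and `evaluate(ORIGINAL, "tcp", "1.1.1.1", 853)` shows DoT falling through to the default deny, while both pass under RECOMMENDED and a LAN host stays blocked in both.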

December 07, 2025, 03:07:53 AM #2 Last Edit: December 07, 2025, 05:26:32 AM by Seldon
Thanks so much for your help, in advance. Firewall rules are quite daunting to me, but I believe (and hope!) that my understanding is getting a bit better.

Here's my Guest VLAN, along with the added Floating Rules.


Here's the Admin VLAN, with a few restrictive rules:


Here's my Home VLAN:


I have to access the WAN net because I'm behind another NAT unfortunately. Should the Admin Aliases to Firewall be placed in the Floating, or are they best left specifically for the Admin VLAN rules?

December 07, 2025, 10:17:58 AM #3 Last Edit: December 07, 2025, 10:30:51 AM by OPNenthu
Quote from: Seldon on December 07, 2025, 03:07:53 AM
Here's my Guest VLAN, along with the added Floating Rules.

I know that @meyergru will be around to point this out but Floating rules apply to all interfaces by default, unless you change it in the rule.  You currently have DNS and NTP open on WAN.

In the language that he used above, he mentioned local interfaces:

Quote from: meyergru on December 06, 2025, 12:59:06 PM
Allow DNS Port 53: Only needed with UDP and should be placed in floating rules for all local network interfaces. Move it there.

In this context "local interfaces" means internal ones, like LAN and Guest.  WAN is considered an external network and is to be excluded from these rules.

December 07, 2025, 03:57:11 PM #4 Last Edit: December 07, 2025, 04:00:07 PM by coffeecup25
Just to throw this into the hat: if your router has a spare port, why not put it on a 2nd subnet? Add a new interface then define the network. Firewall rules are easy. Copy the default rules from LAN to the new subnet and edit accordingly. Then add another one to prevent access to LAN. On LAN, add a rule to prevent access to the new subnet.

That's about it. That's how I have my IoT subnet set up.

I had a switch controlled VLAN once but it was unstable. It took the entire network down to 100mb for no particular reason one day. That prompted the 2nd subnet solution.

Quote from: Seldon on December 07, 2025, 03:07:53 AM
I have to access the WAN net because I'm behind another NAT unfortunately. Should the Admin Aliases to Firewall be placed in the Floating, or are they best left specifically for the Admin VLAN rules?

If they are really VLAN-specific, they do not need to be in the floating rules. As I said, I put everything there that I need to have for many VLANs or things that must override inbound NAT rules. Those with "pass" rules are evaluated before any interface-specific rules, so they must be done in the floating rules. As an example, when you want geoblocking on WAN, you may have to do that in the floating rules, because otherwise, your forwarded ports will not be protected.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

@coffeecup25 My router, which is no more than a mini PC with an added Ethernet port, needs VLANs because of only one LAN Ethernet port. I haven't had any instabilities so far with the VLANs (fingers crossed), I'm curious what causes that.