Perfect! The rules were the problem, I tried fiddling with them earlier but I guess I got something wrong. Now it's working! Thanks! Gonna reconfigure and change the live firewall later and see if it takes care of the original problem with the unreachable host.
Ah yes, there is only /31 available.
But this is only if you select "network" in the drop-down.
You can select "Single host or alias".
With that you can specify a single IP.
If I assign 202.61.42.18.1/24 as gateway to a machine running behind pfSense, then how will traffic pass through pfSense?
If I do not assign the public IP, that is 202.61.42.18, to the WAN interface of pfSense, then after bridging the LAN interface with WAN at pfSense,
at what IP address can I access the pfSense management console?
I have the same problem with Radius, although I'm not running the latest pfSense. So yes, in general, PF scrubbing + Radius = not working is certainly a normal feature.
OK, thanks for the quick answer - I was afraid that might be the case. The ability to use URLs in the rules (or at least in an alias) would be a nice feature at some point in the future.
Until that day arrives I'll hard-code the IP addresses into an alias.
The CIDR is assigned by DHCP too, obviously, btw. I'm not sure how to check the actual CIDR of the DHCP allocation - the system log only shows the IP address without netmask or CIDR.
OK, here is what I used. But the file and procedure are in French… but I give a quick howto HERE.
PM me if someone is interested and doesn't understand everything.
First you need a "table" which will contain the IP list.
Edit /etc/inc/filter.inc
SEEK

```
#SSH Lockout Table
table <sshlockout> persist
```

ADD AFTER

```
#LOCK STATIONS
table <stations> persist
```
Then you need the filter rule for the "stations" table.
Edit /etc/inc/filter.inc
SEEK

```php
/* optional interfaces */
$optcfg = array();
generate_optcfg_array($optcfg);
----> ADD HERE !! <----
if (is_package_installed('squid') && file_exists('/usr/local/pkg/squid.inc')) {
```

ADD

```php
/* Internet LOCKING */
// Block all traffic from any address currently in the <stations> table
$ipfrules .= "\n#Block internet on some workstations\n";
$ipfrules .= "block quick from <stations>\n\n";
```
Save the file and reload the filter from the web manager pages.
Do an `ls -lt` in the /tmp folder to see if rules.debug is correctly generated.
You can cat the file and grep it to see if the text you added is present and in the right place.
You can now manage it with:

```sh
pfctl -t stations -T add 10.x.x.x
pfctl -t stations -T show
pfctl -t stations -T delete 10.x.x.x
```
Then add some PHP scripts in a folder in:
/usr/local/www/stationlocking/
Code it and add yourself an authentication system in these web pages.
Example: file /usr/local/www/stationlocking/station-lock-10range.php
```php
<?php
session_start();
// Credentials are hard-coded in clear text in this example
$username = "scott";
$password = "tiger";
// HTTP Basic auth: no credentials supplied -> ask the browser for them
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
    header("WWW-Authenticate: Basic realm=\"BOSS ACCESS\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "NOT ALLOWED";
    exit;
}
else {
    if ($_SERVER['PHP_AUTH_USER'] == $username && $_SERVER['PHP_AUTH_PW'] == $password) {
        //SOME CODE IF AUTH IS CORRECT, OR PLACE IT AT END OF SCRIPT SINCE ERROR = EXIT
    }
    else {
        // Wrong credentials -> reject
        header("WWW-Authenticate: Basic realm=\"BOSS ACCESS\"");
        header("HTTP/1.0 401 Unauthorized");
        echo "NOT ALLOWED";
        exit;
    }
}
// Only reached when auth succeeded: add the fixed addresses to the pf tables
// (the arguments are constants, so nothing from the request reaches the shell).
// Only 'stations' is referenced by the block rule added to filter.inc above.
system('pfctl -t stations -T add 10.10.10.10');
system('pfctl -t salles -T add 10.10.11.11');
?>
<center>
### DONE LOCKED FOR 10.10.10.10 and 10.10.11.11
</center>
```
Now by browsing http://pfsense/stationlocking/station-lock-10range.php and giving good credentials you can block 10.10.10.10 and 10.10.11.11.
The script to unlock is the same but with delete instead of add. And you can use status to get status (I didn't code status; maybe you will need to use passthru instead of system).
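A hardened variant of the lock page from the post above, written as an added example (not code from the original post): it takes the address and action from the request instead of fixed constants, validates the IP before it reaches pfctl, compares credentials against a password hash, and covers the `show` status case the author left out. Assumed: the `<stations>` table exists in filter.inc as described, the web server user may run /sbin/pfctl, and the password hash below is a placeholder to regenerate with `password_hash()`.

```php
<?php
session_start();

$username = 'scott';
// Placeholder: generate with  php -r 'echo password_hash("tiger", PASSWORD_DEFAULT);'
$password_hash = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

function deny() {
    header('WWW-Authenticate: Basic realm="BOSS ACCESS"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'NOT ALLOWED';
    exit;
}

// hash_equals/password_verify avoid timing leaks and stop plaintext passwords
// from living in the script.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
    || !hash_equals($username, $_SERVER['PHP_AUTH_USER'])
    || !password_verify($_SERVER['PHP_AUTH_PW'], $password_hash)) {
    deny();
}

// Whitelist of pfctl -T sub-commands this page may issue.
$allowed = ['add', 'delete', 'show'];
$action = $_GET['action'] ?? 'show';
if (!in_array($action, $allowed, true)) {
    http_response_code(400);
    exit('bad action');
}

// The address must be a valid IPv4 literal inside the 10.x.x.x range the post
// manages; rejecting anything else prevents shell injection and limits scope.
$ip = $_GET['ip'] ?? '';
$ip_ok = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
         && substr($ip, 0, 3) === '10.';
if ($action !== 'show' && !$ip_ok) {
    http_response_code(400);
    exit('bad ip');
}

// Build the command with the validated, escaped address only.
$cmd = '/sbin/pfctl -t stations -T ' . $action;
if ($action !== 'show') {
    $cmd .= ' ' . escapeshellarg($ip);
}
$out = [];
exec($cmd . ' 2>&1', $out, $rc);   // exec captures the table listing for 'show'
header('Content-Type: text/plain');
echo "pfctl exit code: $rc\n" . implode("\n", $out) . "\n";
```

Call it as `station-lock-10range.php?action=add&ip=10.10.10.10`, `?action=delete&ip=10.10.10.10`, or `?action=show` for the current table contents.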