Netgate Discussion Forum

    New User Firewall Help

      emgrogean

      New to both pfSense and firewalls, so any help would be appreciated.

      My network runs a point of sale software, and whenever I have my Netgate firewall on the same network, I am unable to open the software. Assuming this is a problem with the firewall, I've tried allowing the ports through that are specified on the software's website, but no luck. I'm not sure if I'm actually adding them correctly, or if I'm missing something. I've tried adding the rules on LAN and as floating rules, but neither method worked. There's also something mentioned about file exemptions on the software's website, but I can't find anything regarding these when I'm in the firewall. Again, any assistance in allowing the software through the firewall would be appreciated.

        johnpoz LAYER 8 Global Moderator @emgrogean

        @emgrogean The default LAN rules are any any. pfSense would not block anything outbound from the network, unless you altered these rules or are running something that could prevent said traffic outside the default rules. IPS or pfBlocker could be blocking resolution of something you are trying to resolve.

        Does this POS system require an inbound port forward, i.e. unsolicited inbound traffic? This seems unlikely, to be honest.

        What is this website you're looking at for your POS software that mentions file exemptions?

        When you say you have your Netgate firewall on the same network, what does that mean? Are you trying to put pfSense behind some other router/firewall? This could cause problems if the WAN of pfSense was the same as the LAN of pfSense. But this would really prevent anything from working, not just some POS software.

        Are you running any packages (IPS, proxy, pfBlocker) that could possibly cause issues if not used correctly? But out of the box, the pfSense default rules allow any and all outbound traffic.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8, 25.07

          emgrogean

          Thanks for replying. I don't think the POS system requires any unsolicited inbound traffic, but I can't be 100% certain.
          I found the file exemptions here: https://quickbooks.intuit.com/learn-support/en-us/point-of-sale-hardware/firewall-configuration-for-quickbooks-desktop-point-of-sale/00/369816

          When I say I have the Netgate firewall on the same network, I mean that occasionally I switch out the router that is currently on the network for the Netgate firewall to see if I'm able to use the POS. I can't keep the Netgate firewall on the network until I have it working, since we need to be able to use the POS software.

          I've downloaded Snort, but I don't have it running while I'm trying to figure this out.

            johnpoz LAYER 8 Global Moderator @emgrogean

            Do other things work when you switch out the router for the Netgate? Like just normal websites?

            edit: that link talks about the firewall you would be running on the machine running the POS software. Not an edge firewall.

            I.e. the Windows firewall or other security software you might be running.

            edit2: Do you have some other server running on your network for this? One that you might have put on a different network via pfSense, i.e. a VLAN or other interface? Or do you just have the 1 device that uses the internet for all your POS stuff?

              emgrogean

              The setup is that all of the computers on the network are in a workgroup, and one computer houses all of the files that the rest of the computers need access to, which are shared via a shared drive. When I switch the router out for the netgate, normal websites work, and I can pull up any files that are housed in the shared drive on any computer, including the company data that is used by both our financial software and the POS. I can open the company data file with the financial software, but I can't open it with the POS, which is what made me think it was a firewall issue to start with.

                johnpoz LAYER 8 Global Moderator @emgrogean

                @emgrogean If all the devices are on the same network/VLAN, pfSense has no control over or interaction with communication between devices.

                If you're having issues with accessing files for some POS system on your LAN from some other machine on your LAN, pfSense would not have any way to interfere with said communication.

                Really the only way pfSense could be involved at all with such communication would be resolution via DNS of some FQDN that resolved before, and now pfSense doesn't know how to resolve that for some client asking for it.

                Or possibly DHCP, where your old router handed out IP X to some box on your LAN, and now it's getting IP Y.

                But actual communication between devices on the same network: pfSense has no clue that is even happening. And no way to prevent it or allow it.

                If your IP ranges have changed, it's "possible" that said POS software configuration, be it where it's looking for said files off this other server, needs to be updated. Or possibly firewall rules that were done via the software on that POS box need to be corrected since IPs have changed on your network, or even just, say, your server box having .x vs .y now on the same network.

                  emgrogean @johnpoz

                  @johnpoz Thanks for the help. If it's not the firewall, I'll do some more investigating to try and figure out what the exact problem is. I've kept the same IP ranges, so I don't think that's the issue, but I'll look into the DHCP. Thanks again!

                    johnpoz LAYER 8 Global Moderator @emgrogean

                    @emgrogean Another "hint", if you will, to look at. If these boxes are Windows. When the gateway is changed, i.e. the MAC address of the gateway IP, even if the same IP, like when you change routers.

                    Windows can change its firewall profile, because it thinks it's on a different network even if the IP ranges are the same. When Windows changes its firewall profile this could break some stuff. Let's say your POS firewall rules allowed xyz before, but now, vs being on a private profile, you're on a public profile where these things are no longer allowed.

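The Windows firewall profile change described in the last reply can be checked on the POS machine with a read-only script. This is an added example, not part of the original thread; it assumes Windows 8 / Server 2012 or later (built-in NetTCPIP, NetConnection and NetSecurity cmdlets) and an elevated PowerShell session, and the variable names are illustrative.

```powershell
# Added diagnostic example: reports state only, changes nothing.

# 1. Network category Windows has assigned to each connected network.
$profiles = Get-NetConnectionProfile
$profiles | Format-Table Name, InterfaceAlias, NetworkCategory, IPv4Connectivity -AutoSize

# 2. Default gateway IP and the MAC address Windows currently sees for it.
#    A router swap changes this MAC even when the gateway IP stays the same,
#    which is what can make Windows treat the LAN as a new network.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue | ForEach-Object {
    $neighbor = Get-NetNeighbor -InterfaceIndex $_.InterfaceIndex `
                                -IPAddress $_.NextHop -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InterfaceAlias = $_.InterfaceAlias
        GatewayIP      = $_.NextHop
        GatewayMAC     = $neighbor.LinkLayerAddress
    }
} | Format-Table -AutoSize

# 3. Enabled inbound allow rules that cover the Private profile but not Public.
#    These stop matching if the network is reclassified as Public.
$privateOnly = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object {
        $p = $_.Profile.ToString()      # e.g. "Any", "Private", "Domain, Private"
        $p -match 'Private' -and $p -notmatch 'Public'
    }
$privateOnly | Sort-Object DisplayGroup, DisplayName |
    Format-Table DisplayName, DisplayGroup, Profile -AutoSize

# 4. Flag the combination the reply warns about.
$public = $profiles | Where-Object NetworkCategory -eq 'Public'
if ($public -and $privateOnly) {
    Write-Warning ("{0} inbound allow rule(s) apply to Private but not Public, and interface(s) '{1}' are on the Public profile." -f
        @($privateOnly).Count, ($public.InterfaceAlias -join ', '))
}
```

Running it once behind the old router and once behind the Netgate and comparing the `NetworkCategory` column shows whether the swap flipped the profile. If it did, `Set-NetConnectionProfile -InterfaceAlias <alias> -NetworkCategory Private` restores the previous classification on a trusted LAN.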
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.