Firewall Rule Not Working
-
I know the topic is a little misleading because I'm sure that I'm the one that's not working :)
At any rate, I have 2 separate networks. LAN 192.168.1.0/24 and NETGEAR 192.168.80.0/24. For the life of me I can't get the proper rule setting to allow a specific host from 1.0 network in to the 80.0 network. I've tried as many variations as I can think of with no luck.
Here is what the current rules look like for both networks:
I realize that there isn't a current rule on the NETGEAR network that shows my attempts because I deleted them in frustration. Here is something that I've tried and it doesn't matter whether I try and allow the entire LAN in or a single host, it gets blocked.
One other thing that I don't understand, is when I am on either network and use terminal to ping either way they don't go through. When I use Diagnostics in pfSense and ping from either way they go through.
Any insight on what I am missing and doing wrong here is greatly appreciated.
-
@nosenseatall Is that Netgear a router that the 192.168.80.0/24 network is behind?
-
@mcury Yes, but I don't have it doing any routing. It is in access point mode.
-
@nosenseatall Ok, so the pfsense is the default gateway of both networks.
It should be working, the firewall rules are correct... Maybe Windows Firewall could be blocking?
-
@mcury Thanks for the help - unfortunately there are no other firewalls in the way.
-
@nosenseatall Try to ping other devices in the 80.0 network.
Just note that if you are pinging a Windows machine, it has Windows Defender Firewall enabled by default
-
@nosenseatall said in Firewall Rule Not Working:
One other thing that I don't understand, is when I am on either network and use terminal to ping either way the don't go through.
To ping from Netgear to LAN you will need to create an allow rule in the Netgear rules to allow the ping to the LAN network. You do not have to create a similar rule on the LAN rules.
Are you sure that the Netgear access point is set to respond to pings?
-
I know this isn't the most exciting topic, but does anybody else have any suggestions that might get me over the hump?
-
@nosenseatall
Did you obey this hint from @mcury?
Just note that if you are pinging a Windows machine, it has Windows Defender Firewall enabled by default
You didn't address it anyhow.
The ping tool from pfSense is very useful to investigate that. You mentioned above, ping works.
But you can change the source address to another subnet. When the ping stops working with this, you should go and check the destination device's firewall.
-
@viragomann Windows Defender is not an issue here since I am using a Mac. The firewall for the Mac is turned off so it's not a host firewall issue.
Thanks for the reply.
-
@mcury said in Firewall Rule Not Working:
Try to ping other devices in the 80.0 network.
What about it ?
-
@nosenseatall said in Firewall Rule Not Working:
NETGEAR 192.168.80.0/24
And does this netgear you're using as AP have a gateway set on its LAN interface.. Most soho routers do not allow such a feature. And I have no idea what it does when you're using their so called "AP MODE"... where it bridges the wan interface into the bridge. It most likely still uses its lan settings, which do you have a gateway set pointing back to pfsense?
Sniff on pfsense 192.168.80 interface while you ping.. Do you see the traffic go out - but no response? Then the device never got it, even though pfsense sent it.. Or it didn't know how to answer because it has no gateway, or it points to something else as its gateway.
The firewall for the Mac is turned off so it's not a host firewall issue.
Same test.. Sniff on pfsense.. Do you see it send on the ping.. What rules are what there.. What is the 192.168.1 (lan) what is the 192.168.80 (netgear)?
What are you pinging from lan 192.168.1.what? To what on the 192.168.80? Can you ping the 192.168.80 pfsense IP? If so then your rules are correct on the interface traffic is coming from.
Rules are evaluated on the interface where traffic would enter pfsense from the network attached. Top down, first rule to trigger wins, no other rules are evaluated.
There are no rules required on the dest network interface.
Do have any floating rules?
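The evaluation model described in the post above (rules checked on the interface where traffic enters pfSense, top down, first match wins, nothing needed on the destination interface because the reply rides on the state entry) can be simulated with a toy stateful filter. The following is an added example, not code from the thread or from pfSense itself; it uses the two subnets from the thread but the host addresses .50, .60, .70 and .10, the interface names, and the rule set are assumptions, and it simplifies by picking the ingress interface from the packet's source network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str = "any"     # "icmp", "tcp", ... or "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str


def _in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto))


class Firewall:
    """interfaces: {name: (attached network CIDR, ordered rule list)}"""

    def __init__(self, interfaces):
        self.interfaces = interfaces
        self.states = set()   # (proto, a, b) entries, stored for both directions

    def ingress_interface(self, pkt: Packet) -> str:
        # Simplification (assumption): the packet enters on the interface whose
        # attached network contains the source address.
        for name, (net, _) in self.interfaces.items():
            if ip_address(pkt.src) in ip_network(net):
                return name
        raise ValueError(f"no interface for source {pkt.src}")

    def process(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.dst)
        if key in self.states:
            return "pass (state)"        # reply/continuation of an allowed flow
        iface = self.ingress_interface(pkt)
        for rule in self.interfaces[iface][1]:   # top down, first match wins
            if rule_matches(rule, pkt):
                if rule.action == "pass":
                    self.states.add(key)
                    self.states.add((pkt.proto, pkt.dst, pkt.src))
                    return f"pass (rule on {iface})"
                return f"block (rule on {iface})"
        return f"block (default deny on {iface})"


def simulate() -> dict:
    # Constructed rule set: one explicit block placed above a broader pass on LAN,
    # and deliberately no rules at all on the NETGEAR (destination) interface.
    fw = Firewall({
        "LAN": ("192.168.1.0/24", [
            Rule("block", "192.168.1.60/32", "any"),
            Rule("pass", "192.168.1.0/24", "192.168.80.0/24", "icmp"),
        ]),
        "NETGEAR": ("192.168.80.0/24", []),
    })
    return {
        # LAN host pings into 80.0: allowed by the LAN rule, state created
        "lan_to_netgear":     fw.process(Packet("192.168.1.50", "192.168.80.10", "icmp")),
        # the echo reply comes back on NETGEAR with no rule there: state lets it through
        "netgear_reply":      fw.process(Packet("192.168.80.10", "192.168.1.50", "icmp")),
        # a NEW flow started from 80.0 needs its own rule on NETGEAR, so it is denied
        "netgear_to_lan_new": fw.process(Packet("192.168.80.10", "192.168.1.70", "icmp")),
        # the host matched by the block rule never reaches the pass rule below it
        "blocked_host":       fw.process(Packet("192.168.1.60", "192.168.80.10", "icmp")),
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:20} {verdict}")
```

The model leaves out pfSense specifics such as floating rules, the "quick" flag and gateway/policy routing; its point is only the one in the post: if a LAN-to-80.0 ping fails while a rule like the second LAN rule exists, the rules on the NETGEAR interface are not the explanation, and a packet capture on the 80.0 interface is the next check.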
-
@mcury all hosts on 80.0 network can ping each other. All hosts on 1.0 network can ping each other. No communication between networks.
-
@nosenseatall said in Firewall Rule Not Working:
All hosts on 1.0 network can ping each other.
This is normal, pinging hosts in the same network goes through the switch (layer 2/mac address), and not through the gateway.
Check what Johnpoz suggested above, in case you have doubts just post here.
-
@nosenseatall Still not saying what is what..
Here my lan is 192.168.9.0/24 pfsense IP is 192.168.9.253
My dmz segment is 192.168.3.0/24 and pfsense IP is 192.168.3.253
I can ping that from my lan pc 192.168.9.100
The dmz rules mean nothing for this.. Pinging anything on the dmz network has zero to do with the rules on the 192.168.3 interface.. Now if I try and ping something on the dmz and I sniff I will see traffic going there.
From the same 192.168.9.100 machine
The only thing that is required for pfsense to send on the traffic is it has to know the mac of the 192.168.3.10 device. Doesn't matter if that device answers or not, you would still see the requests go out.
-
@johnpoz Thank you for both of your posts. I am going through the process now.