Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Cross interface talk (how to)

    Firewalling
    2
    22
    1.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tknospdr
      last edited by

      Link is to pic of my network layout.
      I'm trying to figure out what the FW rule would be that would allow me to access the web GUI of my WAP from the SECURE wifi.

      10.0 is the management subnet
      AP's static IP is 10.100.10.9

      As of right now, the 20.0 FW has allow any rules set up and the 10.0 FW has only one rule to allow traffic out to talk to my cloud RADIUS auth server.

      Right now I have to switch to the wifi associated with 10.0 in order to access the GUI.

      My network

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @tknospdr
        last edited by

        @tknospdr said in Cross interface talk (how to):

        As of right now, the 20.0 FW has allow any rules set up

        The rule might pass the access to the webGUI of the AP, but possibly the AP itself blocks it, because it's from outside of it's subnet.
        Or it cannot route, since it doesn't have a default gateway set.

        T 1 Reply Last reply Reply Quote 0
        • T
          tknospdr @viragomann
          last edited by

          @viragomann

          I'll have to double-check, but I thought I was able to access the GUI when I had an ANY rule on the 10.0 interface.

          1 Reply Last reply Reply Quote 0
          • T tknospdr referenced this topic on
          • T
            tknospdr
            last edited by

            Either something changed, or (more likely), I was on the management enabled SSID and didn't realize it.
            I put the ANY rule back in place and I still couldn't get to the GUI of the AP from a different SSID.
            There is no separate FW or setting that I can find that restricts access beyond normal user auth.

            So the question remains, can I force traffic across interfaces? Maybe it's not really a FW issue, but something else I need to do.

            I used to be able to access the interface from the Internet when it was in router mode, maybe I can continue to do that by doing a port forward and hitting it from the ext IP address?

            V 1 Reply Last reply Reply Quote 0
            • V
              viragomann @tknospdr
              last edited by

              @tknospdr
              pfSense routes traffic by default to the other interface if it is destined to a connected device. You need just a proper firewall rule to pass it.

              Again to what I mentioned already above:
              Does the AP have a gateway setting?
              If yes, is it correctly?
              Is the network mask set correctly?

              It's probably that it blocks access from outside of its own subnet by default. Maybe there is an option to allow this.
              If there is no option allowing outside accesss, you could masquerade traffic on pfSense destined to the AP as a workaround.

              T 1 Reply Last reply Reply Quote 0
              • T
                tknospdr
                last edited by tknospdr

                Okay, so I just opened the port and am able to get on the GUI via the internet from outside the network.

                So there's got to be a way to do the same thing without going outside the network and back in.

                1 Reply Last reply Reply Quote 0
                • T
                  tknospdr @viragomann
                  last edited by

                  @viragomann said in Cross interface talk (how to):

                  Again to what I mentioned already above:
                  Does the AP have a gateway setting?

                  Yes, 10.100.10.1, it's the address of interface it's on.

                  If yes, is it correctly?

                  I believe that's what it's supposed to be, no?

                  Is the network mask set correctly?

                  I think so, it's 255.255.255.0

                  V 1 Reply Last reply Reply Quote 0
                  • V
                    viragomann @tknospdr
                    last edited by

                    @tknospdr said in Cross interface talk (how to):

                    Yes, 10.100.10.1, it's the address of interface it's on.

                    If yes, is it correctly?
                    

                    I believe that's what it's supposed to be, no?

                    It has to be the interface IP of pfSense. I guess, that's the case.

                    Is the network mask set correctly?

                    I think so, it's 255.255.255.0

                    I assume, you have a /24 subnet, so it's fine.

                    T 1 Reply Last reply Reply Quote 0
                    • T
                      tknospdr @viragomann
                      last edited by

                      @viragomann

                      Here's a pic

                      V 1 Reply Last reply Reply Quote 0
                      • V
                        viragomann @tknospdr
                        last edited by

                        @tknospdr
                        Seems all correct so far.

                        T 1 Reply Last reply Reply Quote 0
                        • T
                          tknospdr @viragomann
                          last edited by

                          @viragomann said in Cross interface talk (how to):

                          @tknospdr
                          Seems all correct so far.

                          Indeed, so... ?

                          As of right now I've set up a DDNS name and a port forward thru the WAN in order to access it no matter where I'm at, but it seems silly to send requests outside the network only to come back in for local access.

                          V 1 Reply Last reply Reply Quote 0
                          • V
                            viragomann @tknospdr
                            last edited by

                            @tknospdr
                            For sure you should be able to access the AP from the other subnet.

                            So you have a firewall rule in place to allow this?
                            Then enable to logging in the rule and check the log to find out if it even matches the traffic.

                            Also enable logging of the default blocks and check if concerned packets are blocked.

                            Also I would sniff the packets on the interface, where the AP is connected to, to verify that both, request and respond packets are passing pfSense. Since the AP is multi-homed, maybe it sends responses out on the wrong interface. However, it shouldn't do this at all if it's really in AP-mode.

                            T 1 Reply Last reply Reply Quote 0
                            • T
                              tknospdr @viragomann
                              last edited by

                              @viragomann said in Cross interface talk (how to):

                              @tknospdr
                              For sure you should be able to access the AP from the other subnet.

                              So you have a firewall rule in place to allow this?
                              Then enable to logging in the rule and check the log to find out if it even matches the traffic.

                              So I'm really new to pfSense. Can you help me out with what the FW rule should look like?
                              The management interface is on interface ETH3, the AP's static IP is 10.100.10.0, and the GUI runs on port 8001.
                              The interface I'm connected to when sending the requests is ETH3_20_SECURE, subnet is 10.100.20.0

                              Also enable logging of the default blocks and check if concerned packets are blocked.

                              Also I would sniff the packets on the interface, where the AP is connected to, to verify that both, request and respond packets are passing pfSense. Since the AP is multi-homed, maybe it sends responses out on the wrong interface. However, it shouldn't do this at all if it's really in AP-mode.

                              Once I'm sure I've got the correct FW rules on the correct interfaces, then I'll tackle learning how to sniff packets et al.

                              The rule should be on the 20.0 interface since that's where the packets are coming from right?

                              V 1 Reply Last reply Reply Quote 0
                              • V
                                viragomann @tknospdr
                                last edited by

                                @tknospdr
                                Yes, the rule has to be on the incoming interface, so ETH3_20_SECURE.

                                So to allow access from the whole subnet the values should be:
                                Interface: ETH3_20_SECURE
                                address family: IPv4
                                protocol: TCP
                                source: ETH3_20_SECURE net
                                destination: single IP > 10.100.10.9
                                dest. port: 8001
                                Log checked
                                enter a description

                                However, since you said you didn't get access even with an allow any to any rule, I suspect that it's not on the firewall itself.

                                In Status > System Logs > Settings check "Log firewall default blocks".

                                Try to access and then check the firewall logs for concerned blocks.

                                T 2 Replies Last reply Reply Quote 0
                                • T
                                  tknospdr @viragomann
                                  last edited by

                                  @viragomann

                                  Idiot power company cut the fiber to my house for the 2nd time this month.
                                  So I'll have to wait till I get home to create any rules and do any testing.

                                  Will report as soon as I can.

                                  1 Reply Last reply Reply Quote 0
                                  • T
                                    tknospdr @viragomann
                                    last edited by

                                    @viragomann said in Cross interface talk (how to):

                                    Try to access and then check the firewall logs for concerned blocks.

                                    There are no entries in the log.

                                    V 1 Reply Last reply Reply Quote 0
                                    • V
                                      viragomann @tknospdr
                                      last edited by

                                      @tknospdr
                                      If you've enabled all rules logging and there is nothing in the log, the packets doesn't pass pfSense obviously.
                                      In the rule set do also see any state or bytes?

                                      Are sure that the AP is running in real AP-mode? Does it have IPs in both subnets?

                                      Yes, you can run a packet capture on ETH3_20_SECURE to see if there is any packet coming in, when you try to access the AP from this subnet. But I'm in doubt.

                                      1 Reply Last reply Reply Quote 0
                                      • T
                                        tknospdr
                                        last edited by

                                        I feel like I've tried every possible set of rules, and like you said, since even an ANY/ANY/ANY rule wasn't passing the traffic I've given up.

                                        I created a NAT rule to pass outside traffic to the AP, and then I turned on 'Pure NAT' reflection. I know it's not the most elegant solution, but I can now access the GUI from any internal subnet as well as from outside if I need to.

                                        1 Reply Last reply Reply Quote 0
                                        • T tknospdr referenced this topic on
                                        • T
                                          tknospdr
                                          last edited by

                                          I just re-read the thread, you also said something about IP masquerading.

                                          How would I do that to see if it's a viable solution?

                                          T 1 Reply Last reply Reply Quote 0
                                          • T
                                            tknospdr @tknospdr
                                            last edited by

                                            Answering my own question (partially).
                                            I set up a NAT 1:1 rule and I'm now able to access the WAP GUI on it's internal IP address from this computer, but it's tenuous.
                                            I had to create the rule using the IP address of this computer that is subject to change via DHCP.
                                            When I changed the rule from IP to 'net' it broke.
                                            Is there a way to do the masquerading via the whole subnet I want to connect from, or should I just stick to the NAT reflection that I've already set up?
                                            It's certainly much faster to respond via IP.

                                            I guess it's probably not an issue for most folks, but I'm a bit of a computer hoarder, I access my network from a small army of different devices. Inside my home I may connect from my desktop Mac, or one of my two different laptops depending on where I am, then there's the iOS app I can connect on from either my iPhone or iPad. And I swap out my computers on a semi-regular basis.

                                            I'm an Apple Certified hardware tech so I always find good deals that then make their way to my armada.

                                            V 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.