Netgate Discussion Forum
    Rules not blocking guest network from firewall or other VLANS
• patient0 @rve52001

      @rve52001 said in Rules not blocking guest network from firewall or other VLANS:

      I can log in the Guestnetwork and log into the firewall

If you are on the GUESTLan and the client you are connecting with is on the GUESTLan, then that is not possible; your first rule does prevent that.

      Can you show the interface overview and the client configuration?


• rve52001 @patient0

@patient0 these are all the rules for the Guestnetwork [two rule screenshots attached]


• patient0 @rve52001

          @rve52001 said in Rules not blocking guest network from firewall or other VLANS:

          these are all the rules for the Guestnetwork

Is the client getting an IPv4 and IPv6 address? Do the block rules work with either IPv4 or IPv6?

None of the blocking rules are ever matching, and that is just not possible if the client is on the GUESTLan interface with a GUESTLAN IP; you have created the rules correctly.


• rve52001 @patient0 (last edited by rve52001)

@patient0 That is why I am at a loss. Everything is configured correctly. Yes, guests get both IPv6 and IPv4. When I am on the guest network, I can ping the firewall on all VLANs. I even changed the rule to just IPv4 and pinged the IPv4 address of the router and it still doesn't block.


• patient0 @rve52001

              @rve52001 said in Rules not blocking guest network from firewall or other VLANS:

              That is why I am at a lost. Everything is configured correctly.

              Can you show the IP configuration of the client and a traceroute to a) the firewall IP (192.168.30.1) and some external IP?


• patient0 @rve52001

                @rve52001 I totally forgot: what floating rules do you have? Floating rules get applied before the interface rules.


• SteveITS (Rebel Alliance) @rve52001

                  @rve52001 for reference Netgate has examples such as https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4200/opt-lan.html#isolated

                  Check through https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied

                  Your second and third rules are redundant because the top rule already blocks to pfSense. If you meant to block to LAN then you need to use LAN Subnets etc. not LAN Address.

                  Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
                  Upvote 👍 helpful posts!


• rve52001 @SteveITS

@SteveITS That's part of the problem: the first rule is not blocking at all, and I can't figure out why.


• SteveITS (Rebel Alliance) @rve52001

                      @rve52001 Any errors in the filter reload per the troubleshooting?

                      Rules don’t apply because something doesn’t match: source/interface, port, destination.


• johnpoz (LAYER 8 Global Moderator) @SteveITS (last edited by johnpoz)

                        @SteveITS said in Rules not blocking guest network from firewall or other VLANS:

                        because something doesn’t match: source/interface, port, destination.

Completely agree - but with the rule he is showing, IPv4+6 any any to any firewall IP... it would clearly match trying to open up the webgui of pfSense.

But clearly it shows it has never triggered with that 0/0 - so 2 things that come to mind are: there is a state currently open that is allowing the traffic even with the block rule added, or there is a floating rule that is triggered to allow it before that rule would get evaluated.

edit: other thing would be he is not actually talking to pfSense via that specific interface, and the interface being used has different rules that allow the access.

So would like to see floating tab rules, and take a look in the state table. Would like to see the client's IP address. With that rule in place, a client on the guestlan subnet should not even be able to ping the pfSense guestlan IP 192.168.30.1, let alone access the GUI.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

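The three explanations the thread arrives at for a block rule that stays at 0/0 (an already-open state, a floating rule evaluated before the interface tab, and a destination of "LAN Address" where "LAN Subnets" was meant) can be made concrete with a small model of how pfSense evaluates a packet. This is an added example, not code from the thread, from pfSense or from Netgate: the client address 192.168.30.50, the LAN interface 192.168.10.1/24, the host 192.168.10.20 and the simplified (interface, source, destination) state key are assumptions, and ports, protocols, direction and per-interface selection of floating rules are deliberately left out. Only 192.168.30.1 comes from the thread.

```python
"""Toy model of pfSense rule evaluation (added example, not the thread's or Netgate's code).

It reproduces the three things the thread points at when a block rule shows 0/0:
  1. an existing state passes traffic before any rule is consulted,
  2. floating rules are evaluated before the interface tab rules,
  3. "LAN address" matches only the firewall's own LAN IP, "LAN subnets" the whole subnet.
Ports, protocols, direction and per-interface selection of floating rules are left out.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing: 192.168.30.1 is the GUESTLAN firewall IP named in the thread;
# the LAN interface address and subnet are assumptions.
INTERFACES = {
    "GUESTLAN": ipaddress.ip_interface("192.168.30.1/24"),
    "LAN": ipaddress.ip_interface("192.168.10.1/24"),
}

CLIENT = "192.168.30.50"    # constructed guest client address
FW_GUEST = "192.168.30.1"   # GUESTLAN address of the firewall (from the thread)
LAN_HOST = "192.168.10.20"  # constructed host on the LAN


@dataclass
class Rule:
    action: str           # "pass" or "block"
    src: str              # "any", "<IF> address", "<IF> subnets" or a CIDR
    dst: str
    quick: bool = True    # interface-tab rules are always quick in pfSense
    hits: int = 0         # the first number of the "0/0" counter shown in the GUI


def _matches(spec, ip):
    """Resolve a pfSense-style address spec and test an address against it."""
    if spec == "any":
        return True
    name, _, kind = spec.partition(" ")
    if kind == "address":                     # only the firewall's own IP on that interface
        return ip == INTERFACES[name].ip
    if kind == "subnets":                     # every host in that interface's subnet
        return ip in INTERFACES[name].network
    return ip in ipaddress.ip_network(spec, strict=False)


@dataclass
class Firewall:
    floating: list                              # evaluated first, here on every interface
    per_iface: dict                             # interface name -> list of Rule
    states: set = field(default_factory=set)    # simplified state key: (iface, src, dst)

    def evaluate(self, iface, src, dst):
        """Return the verdict for a packet entering `iface` from src to dst."""
        if (iface, src, dst) in self.states:
            return "pass (existing state)"      # rules are never consulted for this packet
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        verdict = None
        for rule in self.floating + self.per_iface.get(iface, []):
            if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
                rule.hits += 1
                verdict = rule.action
                if rule.quick:                  # quick: first match wins
                    break
        # Non-quick rules: last match wins; nothing matching at all: pfSense default deny.
        if verdict == "pass":
            self.states.add((iface, src, dst))  # a pass creates a state for later packets
        return verdict or "block (default deny)"


def guest_rules():
    """The GUESTLAN tab as described in the thread: block to the firewall, block to LAN, pass the rest."""
    return [
        Rule("block", "GUESTLAN subnets", "GUESTLAN address"),
        Rule("block", "GUESTLAN subnets", "LAN address"),
        Rule("pass", "GUESTLAN subnets", "any"),
    ]


def scenario_clean():
    """No states, no floating rules: the first block rule fires and counts a hit."""
    fw = Firewall(floating=[], per_iface={"GUESTLAN": guest_rules()})
    return fw.evaluate("GUESTLAN", CLIENT, FW_GUEST), fw.per_iface["GUESTLAN"][0].hits


def scenario_stale_state():
    """A state opened before the block rule existed keeps passing; the rule stays at 0 hits."""
    fw = Firewall(floating=[], per_iface={"GUESTLAN": guest_rules()})
    fw.states.add(("GUESTLAN", CLIENT, FW_GUEST))
    return fw.evaluate("GUESTLAN", CLIENT, FW_GUEST), fw.per_iface["GUESTLAN"][0].hits


def scenario_floating_pass():
    """A quick floating pass-any rule wins before the interface tab is even reached."""
    fw = Firewall(floating=[Rule("pass", "any", "any")], per_iface={"GUESTLAN": guest_rules()})
    return fw.evaluate("GUESTLAN", CLIENT, FW_GUEST), fw.per_iface["GUESTLAN"][0].hits


def scenario_lan_address_vs_subnets():
    """'LAN address' does not cover other LAN hosts; 'LAN subnets' does."""
    fw = Firewall(floating=[], per_iface={"GUESTLAN": guest_rules()})
    with_address = fw.evaluate("GUESTLAN", CLIENT, LAN_HOST)
    fw.states.clear()                           # drop the state the pass rule just created
    fw.per_iface["GUESTLAN"][1].dst = "LAN subnets"
    with_subnets = fw.evaluate("GUESTLAN", CLIENT, LAN_HOST)
    return with_address, with_subnets


if __name__ == "__main__":
    for name in ("scenario_clean", "scenario_stale_state",
                 "scenario_floating_pass", "scenario_lan_address_vs_subnets"):
        print(name, globals()[name]())
```

The stale-state and floating scenarios both leave the block rule's counter at zero, which is exactly the 0/0 the thread is puzzling over; in a real pfSense the equivalent checks are the Diagnostics / States page (reset states after adding a block rule) and the Floating tab, and the state key there is the full protocol/address/port tuple rather than this three-field simplification.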
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.