Is this all possible with Pfsense?
-
chance the ipadress of youre laptop
192.168.1.255 is a broadcast adress
a pc will use that ipadress if it has somthing to tell to all the clients on the network
192.168.1.254 is the last ipadress you can use
with 192.168.1.0/24 -
Hi Jeroen,
Thanks for the tip, I changed the range immediately to 254 and my new IP is 192.168.1.254
and in the system logs I see this entry: dhcpd: icmp_echorequest 192.168.1.254: Operation not permittedFirewall logs:
Oct 12 13:26:13 WlanDMZ 192.168.1.254:60527 192.168.1.1:53 TCP
Oct 12 13:26:13 WlanDMZ 192.168.1.254:60525 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60523 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60521 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60520 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60518 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60516 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60514 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60512 192.168.1.1:53 TCPIf I click on the icon next to the blocked attempt:
@78 block drop in log quick all label "Default block all just to be sure."
My computer tries to connect to the WLanDMZ port of the soekris but is is blocked but I have a rule under WlanDMZ:
pass:
TCP/UDP WlanDMZ net * LAN address 53 (DNS) *Could this be the problem; the Cable modem is bound to the first MAC adress it finds (the Lan port of the Soekris) ? Just want to be sure but the blocked traffic to 192.168.1.1 (WlanDMZ interface)…
When I enter a static Ip (.200) and these rules (changed destination to WlanDMZ port instead of the Lan port, 192.168.1.1 is the DMZ port)
TCP/UDP WlanDMZ net * Interface IP address 53 (DNS) *
* WlanDMZ net * ! LAN net * *
this traffic gets blocked:
WlanDMZ 192.168.1.200:60993 192.168.1.255:137 UDP
Oct 12 13:42:50 WlanDMZ 192.168.1.200:51431 195.130.131.39:80 TCP
Oct 12 13:42:50 WlanDMZ 192.168.1.200:60993 192.168.1.255:137 UDP
Oct 12 13:42:50 WlanDMZ 192.168.1.200:60993 192.168.1.255:137 UDP
Oct 12 13:42:49 WlanDMZ 192.168.1.200:60991 192.168.1.255:137 UDP
Oct 12 13:42:49 WlanDMZ 192.168.1.200:60991 192.168.1.255:137Very strange...
-
What version are we looking at here? Please paste the Versioninfo including builddate from status>system.
-
I'm running 1.0-RC3
built on Mon Oct 2 01:43:47 UTC 2006I applied the 1.0-RC3a patch…
I hope it's a bug, it's driving me nuts cause I can't figure this one out... ???
thanks for helping, I appreciate it! -
Did you try to reboot? maybe the invalid broadcastadress you used mixed something up. Also upgrade b,c,d,e too. It works just fine here.
-
dhcpd: icmp_echorequest 192.168.1.254: Operation not permitted
for this you need a rule that alows icmp trafic
Proto Source Port Destination Port Gateway Description
tcp WlanDMZ any any icmp default ping rulemake sure youre rules are in the corect order
the first rule that matches wiil be caried out the rest is ignord -
Hi guys, thanks for all the suggestions, after a reboot it started working and I could surf the web immediately. There is one thing I do not understand, when I connect on the opt1 (wlanDMZ) interface I can still ping the lan network, but I have these rules, shouldn't the second rule block everything from the DMZ subnet entering the lan net?
TCP/UDP WlanDMZ net * Interface IP address 53 (DNS) * permit dns > wlan interface
* WlanDMZ net * ! LAN net * * permit DMZ to any but LAN
-
the lanipadress the opt1 ipadress are excluded from rules so that you can never lock youre self out of youre pfsense server
try pinging a pc on the lan network not the laninterface ip
-
Looks like we found a bug that under certain circumstances caused firewallrules to be not applied. This will be fixed in the next release (and is already fixed in cvs).
Maybe it is the default antilockout rule like jeroen suspects. You can disable this at system>advanced but be careful to not log yourself out from webgui completely.
Yes, this rule shouldn't permit traffic to LAN. However I usually use explicit blocks followed by a pass all for these kind of setups. If you add one more nic and want to block traffic to this subnet too you won't be able to define a rule like !LAN and !OPT2 for example.
-
Hi,
not sure if it's the anti lockout rule, I have 2 network interface in my laptop, wired and wireless,when I plug in an ethernet cable my laptop wil use this connection, but 5 minutes ago whie testing I was connected with ethernet and tried to ping a host in the LAn subnet, I guess the blocked pings over ethernet were sent again over wifi (lan subnet) so they did reach their destination, I guess the rules are OK now (screenshot)?
thank god it was just simple user errors and a reboot to fix this, it was driving me nuts.
Glad I can help my client with a pfSense firewall.
to the devs; thanks for such a wonderfull piece of software!
-
if you connect youre laptop by lan and by wireless then for 192.168.1.x ipadresses it will use the wireless connection
and for 10.0.1.x ipadresses it will use the lan connection
so to test if youre wireless rules work you need to disconect the lanconnection from youre laptop -
just installed release 1.0 and made the same setup again in a couple of minutes, works perfect here! Thanks for all the help guys!
@jeroen; are you dutch?
-
@mac ja ik ben nederlander
-
@jeroen: ik ben van van België :)
I don't want to open en new topic for this; but my firewall logs are filled with probes from my ISP, it is possible to edit the default block rules in some way?
I still want to see the blocked attempts, just want to skip al those things like
ct 16 08:51:22 WAN 81.82.201.193 224.0.0.1 IGMP
Oct 16 08:51:22 WAN 10.164.128.1 224.0.0.1 IGMP
Oct 16 08:51:22 WAN 84.194.88.1 224.0.0.1 IGMP
Oct 16 08:51:22 WAN 84.193.32.1 224.0.0.1 IGMPI tried adding a rule to block from any to 224.0.0.1 and no logging but I can't move this rule to the top. Any suggestions to keep those 224.0.0.1 entries away from my logs?
I know I can disable logging fom the default block rules, but I still want to view the blocked attempt on other ports, just the 224.0.0.1 stuff is filling my firewall logs….
-
At status>systemlogs, settings disable the default logging. Then add a block rule/block rules at WAN with a logging flag that only log the desired traffic.