Is this all possible with Pfsense?
-
I'm running 1.0-RC3, built on Mon Oct 2 01:43:47 UTC 2006. I applied the 1.0-RC3a patch…
I hope it's a bug; it's driving me nuts because I can't figure this one out... ???
Thanks for helping, I appreciate it!
-
Did you try to reboot? Maybe the invalid broadcast address you used mixed something up. Also upgrade b, c, d, e too. It works just fine here.
-
dhcpd: icmp_echorequest 192.168.1.254: Operation not permitted
For this you need a rule that allows ICMP traffic:
Proto Source Port Destination Port Gateway Description
tcp WlanDMZ any any icmp default ping rule
Make sure your rules are in the correct order: the first rule that matches will be carried out, the rest is ignored.
-
Hi guys, thanks for all the suggestions. After a reboot it started working and I could surf the web immediately. There is one thing I do not understand: when I connect on the opt1 (wlanDMZ) interface I can still ping the LAN network, but I have these rules; shouldn't the second rule block everything from the DMZ subnet entering the LAN net?
TCP/UDP WlanDMZ net * Interface IP address 53 (DNS) * permit dns > wlan interface
* WlanDMZ net * ! LAN net * * permit DMZ to any but LAN
-
The LAN IP address and the OPT1 IP address are excluded from rules so that you can never lock yourself out of your pfSense server.
Try pinging a PC on the LAN network, not the LAN interface IP.
-
Looks like we found a bug that under certain circumstances caused firewall rules to not be applied. This will be fixed in the next release (and is already fixed in CVS).
Maybe it is the default anti-lockout rule like jeroen suspects. You can disable this at system>advanced, but be careful not to lock yourself out of the webGUI completely.
Yes, this rule shouldn't permit traffic to LAN. However, I usually use explicit blocks followed by a pass all for this kind of setup. If you add one more NIC and want to block traffic to this subnet too, you won't be able to define a rule like !LAN and !OPT2, for example.
-
Hi,
not sure if it's the anti-lockout rule. I have 2 network interfaces in my laptop, wired and wireless; when I plug in an ethernet cable my laptop will use this connection, but 5 minutes ago while testing I was connected with ethernet and tried to ping a host in the LAN subnet. I guess the blocked pings over ethernet were sent again over wifi (LAN subnet), so they did reach their destination. I guess the rules are OK now (screenshot)?
Thank God it was just simple user error and a reboot that fixed this; it was driving me nuts.
Glad I can help my client with a pfSense firewall.
To the devs: thanks for such a wonderful piece of software!
-
If you connect your laptop by LAN and by wireless, then for 192.168.1.x IP addresses it will use the wireless connection
and for 10.0.1.x IP addresses it will use the LAN connection,
so to test if your wireless rules work you need to disconnect the LAN connection from your laptop.
-
Just installed release 1.0 and made the same setup again in a couple of minutes, works perfectly here! Thanks for all the help guys!
@jeroen; are you dutch?
-
@mac yes, I am Dutch
-
@jeroen: I am from Belgium :)
I don't want to open a new topic for this, but my firewall logs are filled with probes from my ISP. Is it possible to edit the default block rules in some way?
I still want to see the blocked attempts, I just want to skip all those things like:
Oct 16 08:51:22 WAN 81.82.201.193 224.0.0.1 IGMP
Oct 16 08:51:22 WAN 10.164.128.1 224.0.0.1 IGMP
Oct 16 08:51:22 WAN 84.194.88.1 224.0.0.1 IGMP
Oct 16 08:51:22 WAN 84.193.32.1 224.0.0.1 IGMP
I tried adding a rule to block from any to 224.0.0.1 with no logging, but I can't move this rule to the top. Any suggestions to keep those 224.0.0.1 entries away from my logs?
I know I can disable logging from the default block rules, but I still want to view the blocked attempts on other ports; just the 224.0.0.1 stuff is filling my firewall logs….
-
At status>systemlogs, settings, disable the default logging. Then add a block rule (or rules) at WAN with a logging flag that logs only the desired traffic.
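As an added illustration (not from any post in this thread, and not pfSense code): a small first-match model of the rules discussed above, with constructed addressing (10.0.1.x wireless DMZ, 192.168.1.x LAN, 10.0.1.1 as the WlanDMZ interface IP). It shows why the "! LAN net" pass rule leaves DMZ-to-LAN traffic to the default deny, as hoba said, and how an unlogged block rule ahead of the default deny keeps the 224.0.0.1 IGMP entries out of the log. The anti-lockout rule and pfSense's translation of rules into pf are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addressing, following the thread: 10.0.1.x wireless DMZ, 192.168.1.x LAN.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("10.0.1.0/24")
DMZ_IF_IP = ipaddress.ip_network("10.0.1.1/32")      # "Interface IP address" of WlanDMZ (assumed)

@dataclass
class Rule:
    action: str                              # "pass" or "block"
    iface: str                               # interface the packet arrives on
    protos: Tuple[str, ...]                  # () means any protocol
    src: Optional[ipaddress.IPv4Network]     # None means any source
    dst: Optional[ipaddress.IPv4Network]     # None means any destination
    dport: Optional[int] = None              # None means any port
    dst_negate: bool = False                 # "! LAN net" style destination match
    log: bool = False                        # per-rule log flag
    desc: str = ""

    def matches(self, pkt: dict) -> bool:
        if pkt["iface"] != self.iface or (self.protos and pkt["proto"] not in self.protos):
            return False
        if self.src is not None and pkt["src"] not in self.src:
            return False
        if self.dst is not None and (pkt["dst"] in self.dst) == self.dst_negate:
            return False
        return self.dport is None or pkt["dport"] == self.dport

def evaluate(rules, pkt: dict) -> Tuple[str, bool, str]:
    """First matching rule wins (pf 'quick' semantics); anything unmatched falls to
    the implicit default deny, which logs unless default logging is switched off."""
    for r in rules:
        if r.matches(pkt):
            return (r.action, r.log, r.desc)
    return ("block", True, "default deny")

def pkt(iface, proto, src, dst, dport=None) -> dict:
    return {"iface": iface, "proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport}

# The poster's two WlanDMZ rules, in the order they were listed.
DMZ_RULES = [
    Rule("pass", "WlanDMZ", ("tcp", "udp"), DMZ_NET, DMZ_IF_IP, dport=53, desc="permit dns > wlan interface"),
    Rule("pass", "WlanDMZ", (), DMZ_NET, LAN_NET, dst_negate=True, desc="permit DMZ to any but LAN"),
]
# WAN: drop the IGMP probes without logging; everything else blocked still hits the logged default deny.
WAN_RULES = [Rule("block", "WAN", ("igmp",), None, ipaddress.ip_network("224.0.0.1/32"), desc="ISP IGMP, no log")]
```

A DMZ host pinging a LAN host matches neither DMZ rule (the second rule's destination is negated), so it ends at the default deny; the same ping to 8.8.8.8 passes on the second rule.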