Netgate Discussion Forum

Unable to block traffic from and to opt1 from lan

  • M
    mikenl
    last edited by Apr 24, 2008, 2:40 PM

    Okay, for some reason I can connect from my lan to the opt1 interface.
    This was always blocked by a rule in the firewall.
    Even when I put up a rule in the opt1 to block any source, destination and protocol, I can still reach both interfaces both ways.
    One thing I changed is I'm using the new traffic shaper.
    Does anyone have any suggestions where I can start to find the problem?

    • P
      Perry
      last edited by Apr 24, 2008, 2:48 PM

      You got the flow of traffic wrong. So if you want to block traffic from lan to opt1, the rule shall be applied on the Lan rule.

      * lan net * !opt1 net * * default lan -> any

      /Perry
      doc.pfsense.org

      • M
        mikenl
        last edited by Apr 24, 2008, 3:03 PM

        Maybe I wasn't clear enough, but basically I want to block traffic from the opt1 interface to the lan interface.

        For testing I put this rule in opt1; it's the only rule.

        Rule is block:
        Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
        *      *       *     *            *     *        none

        With this rule in place nothing is blocked; I can still reach the lan net from the opt1 net.

        • G
          GruensFroeschli
          last edited by Apr 24, 2008, 3:04 PM

          Try to remove all rules you have on the interface.
          If there are no rules, nothing will be allowed (there is an invisible block everything rule).

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          • H
            hoba
            last edited by Apr 24, 2008, 3:25 PM

            Don't forget to reset states when testing a new ruleset and it appears to not work (diagnostics>states, reset states).

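The three points made in the replies above (rules act on the interface where traffic enters, an interface with no rules blocks everything, and existing states keep passing traffic until they are reset) can be seen together in a small model. This is an added example, not code from the thread or from pfSense; the `Firewall` class, the subnets and the host addresses are constructed for illustration.

```python
# Simplified model (assumption, not pfSense source): rules are checked on the
# interface where a packet ENTERS, first match wins, no match means block,
# and a packet that matches an existing state skips rule evaluation.
import ipaddress

NETS = {"lan": ipaddress.ip_network("192.168.1.0/24"),   # constructed subnets
        "opt1": ipaddress.ip_network("192.168.2.0/24")}

class Firewall:
    def __init__(self):
        self.rules = {iface: [] for iface in NETS}   # ordered, per interface
        self.states = set()                          # (src, dst) of passed flows

    def add_rule(self, iface, action, dst="any", negate=False):
        self.rules[iface].append((action, dst, negate))

    def reset_states(self):
        self.states.clear()

    def _match(self, dst_spec, negate, dst):
        if dst_spec == "any":
            return True
        inside = ipaddress.ip_address(dst) in NETS[dst_spec]
        return inside != negate                      # negate models "!opt1 net"

    def packet(self, in_iface, src, dst):
        """Return 'pass' or 'block' for a packet arriving on in_iface."""
        if (src, dst) in self.states or (dst, src) in self.states:
            return "pass"                            # state hit, rules not consulted
        for action, dst_spec, negate in self.rules[in_iface]:
            if self._match(dst_spec, negate, dst):
                if action == "pass":
                    self.states.add((src, dst))      # pass rules keep state
                return action
        return "block"                               # implicit default deny

def demo():
    fw, lan_host, opt_host = Firewall(), "192.168.1.10", "192.168.2.20"
    fw.add_rule("lan", "pass", dst="opt1", negate=True)  # lan net -> !opt1 net
    out = {"lan_to_opt1": fw.packet("lan", lan_host, opt_host),
           "lan_to_internet": fw.packet("lan", lan_host, "203.0.113.5")}
    fw.add_rule("opt1", "pass")                      # temporary allow-all on opt1
    out["opt1_to_lan_with_rule"] = fw.packet("opt1", opt_host, lan_host)
    fw.rules["opt1"].clear()                         # remove every opt1 rule
    out["after_rules_removed"] = fw.packet("opt1", opt_host, lan_host)
    fw.reset_states()                                # Diagnostics > States, reset
    out["after_state_reset"] = fw.packet("opt1", opt_host, lan_host)
    return out
```

In this model `after_rules_removed` is still `pass` because the earlier flow left a state behind; only after the reset does the empty opt1 ruleset block the traffic.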
            • M
              mikenl
              last edited by Apr 25, 2008, 8:03 AM

              Hmm,
              I'm also running a captive portal on the same interface; that still works.
              I did remove all rules and still I have access to anything once I'm logged in?!

              • M
                mikenl
                last edited by May 6, 2008, 9:11 AM

                Does anyone have any idea to help me diagnose this problem?

                • M
                  mikenl
                  last edited by Jun 26, 2008, 12:26 PM

                  I did a complete new install on different hardware, so I started from scratch.
                  Now I'm facing the same problem again: even with all rules deleted I still have access to the lan subnet from the opt1 interface. A tracert from a client on the opt1 interface shows that it goes through the pfSense box.
                  On the other hand, with all rules deleted, on the lan side I can't get anywhere.

                  • M
                    mikenl
                    last edited by Jun 29, 2008, 9:53 AM

                    After some experimenting on VMware I found out the problem.
                    When using the 1.2 version of 26 Feb there is no problem and everything works as expected.
                    However, when using the 1.2 version of 23 Apr with the bountyshaper, the firewall rules on opt1 have no effect.
