I need help with the firewall and rules with multiple LAN's
-
I put these rules in and it did not work >:( (and yes I hit apply after making the changes)
Just to make sure here are the screen shots
One thing I did appear to have wrong was how the rules were processed. I did understand the top down concept, but I though that a lower rule would over-ride a previous rule
so in the rules given earlier, where an allow was given for port 3389 and then a subsequent rule blocked all ports, I assumed that the latter rule had precedence, and in fact it is the other way around, preceding rules have precedence.
Since this does not appear to be working for me, is there by any chance something else wrong elsewhere in the system?
The box (pfsense) can ping the PC on LAN2
Thanks and the help is appreciated
Mick
EDIT - I realised on the way to work this morning that the PC on the LAN was not using the pfsense box as the gateway, but rather the router as a gateway. The router has a static route to the pfsense box, so in theory it should work, but I will point the PC to the pfsense box and try again.
-
So it turns out is was the gateway but…
I removed the rule for port 3389 and now have two rules under LAN
Deny * LAN net * LAN2 net * *
Allow * LAN net * * * *and I can still get a RDP connection - why? All protocols and ports are blocked to LAN2
I can also do file sharing!!!
Why when the deny rule is first
-
Did you clear the states after deleting the allow rule?
You dont happen to have Advanced outbound NAT enabled, do you?
-
I assume by clearing the states you mean resetting states - no I did not know about that
Yes, Automatic (not Advanced) outbound NAT is enabled.
Should manual outbound NAT be enabled? What about the rules for NAT, where can I find more on that
-
If you are on automatic everything should be ok.
Some people have problems when they enable manual NAT and forget about it.If you're testing if a firewall rule is effective, you should always clear the state table first.
Otherwise it might well be that there is still an entry in the table and you use this entry which was created before the rule was in place. -
Excellent, I am starting to get somewhere now thanks to the good people here
Another questions on a rule
I have got the ports open to LAN2 that I want and it is working fine but I am trying to lock down the connection to the internet
My first attempt was this
Allow TCP LAN net * WAN address 80 (HTTP) *and it did not work.
Changed it to
Allow TCP LAN net * * 80 (HTTP) *and it worked.
Why would specifying the WAN port fail, yet work for any destination?
-
If you specify "WAN address" you allow only connections to the address of the WAN.
WAN address means exactly that.
It doesnt mean: "traffic going out the WAN". -
Thanks - I will think about this overnight
"If you specify "WAN address" you allow only connections to the address of the WAN."
I understand this statement, and I think then it should have worked. I put in a URL in the web browser and it should have only allowed a connection through the WAN, yet it did not connect and download the web page.
or
does this mean that if the WAN address is say 10.0.0.0 (from WAN NIC to modem), then it only allows access to 10.0.0.0
I think it may be the latter
-
Thanks - I will think about this overnight
"If you specify "WAN address" you allow only connections to the address of the WAN."
I understand this statement, and I think then it should have worked. I put in a URL in the web browser and it should have only allowed a connection through the WAN, yet it did not connect and download the web page.
or
does this mean that if the WAN address is say 10.0.0.0 (from WAN NIC to modem), then it only allows access to 10.0.0.0
I think it may be the latter
NOT through.
TOSo yes it means the latter.
-
Dang - I thought I had the hang of this
I have two rules only in both LAN1 and LAN2
LAN2 Rules
Allow TCP LAN2 net * LAN net 8080 *
Deny * LAN2 net * LAN net * *First to allow LAN2 to a web server on LAN on port 8080, the second to block all the rest and this works fine
LAN1 Rules
Allow TCP LAN1 net * LAN net 8080 *
Deny * LAN1 net * LAN net * *Same rules as LAN2, but for LAN1 and this does not work. LAN2 can see the web server on port 8080, LAN1 can not.
Whay is it so?