Netgate Discussion Forum
Adding additional interface

    Firewalling
stuartc

      Hey guys,

I'm having a nightmare for some reason adding an additional interface to be used as a DMZ but I don't seem to be able to ping the gateway from any attached devices.

      more info:

      sk0 LAN: 10.1.1.1/16
      rl0 WAN: PPPoE
      dc0 DMZ: 192.168.10.1/24

      Rules:

      allow LAN > Any *
      allow DMZ > Any *
reject DMZ > LAN *

      I've added no additional routes, no nats, nothing at all. This is a freshly built PFSense box
      traffic from the LAN works correctly and attached machines can ping the 10.1.1.1 gateway.

      I've basically attached a small hub onto the DMZ interface and given it the following interface setting:

      IP: 192.168.10.17
      SN: 255.255.255.0
      DG: 192.168.0.1

and I can neither ping the gateway IP nor connect to any external service via IP or DNS name.

When I attempt this I can see the following dropped in the firewall logs but can't work out why this isn't being matched to the DMZ to any allow rule?

I must be missing something stupid but I can't think of it - if you need any further info please let me know.

      Thanks :)
      Stuartc

AhnHEL

        In your firewall logs you can see it blocking UDP Protocol because your rule only allows for TCP.

        Change your DMZ > Any Firewall rule to allow Any or TCP/UDP under Protocol

        *           DMZ Net     *           *           *     *

        or

        TCP/UDP     DMZ Net     *           *           *     *

        Also, rules are processed top to bottom so your DMZ > Any rule is negating your reject DMZ > LAN rule.  Place your reject DMZ > LAN rule above your DMZ > Any rule. Better yet, just use the DMZ > Any rule and just select the "Not" checkbox under Destination with the Destination being the LAN subnet.

        *           DMZ Net     *     ! LAN Net     *     *     DMZ > Any But LAN

        AhnHEL (Angel)

stuartc
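To make the two points in this reply concrete (a TCP-only rule drops UDP and ICMP, and a reject placed below a broad allow never fires), here is a small added model of pfSense's first-match rule evaluation. It is example code written for this thread, not part of the forum post or of pfSense; the rule tuples, the 203.0.113.53 external address and the 10.1.1.50 LAN host are constructed for the demonstration.

```python
import ipaddress

DMZ_NET = "192.168.10.0/24"   # dc0 DMZ from the thread
LAN_NET = "10.1.0.0/16"       # sk0 LAN from the thread

def match_net(addr, spec):
    """Rule address column: '*' = any, 'net' = in net, '!net' = not in net (the "Not" checkbox)."""
    if spec == "*":
        return True
    if spec.startswith("!"):
        return ipaddress.ip_address(addr) not in ipaddress.ip_network(spec[1:])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def match_proto(packet_proto, spec):
    """Rule protocol column: '*' = any, 'TCP/UDP' = either, otherwise an exact protocol."""
    if spec == "*":
        return True
    if spec == "TCP/UDP":
        return packet_proto in ("TCP", "UDP")
    return packet_proto == spec

def evaluate(rules, proto, src, dst):
    """First matching rule wins, top to bottom; nothing matching hits the default deny."""
    for action, r_proto, r_src, r_dst, desc in rules:
        if match_proto(proto, r_proto) and match_net(src, r_src) and match_net(dst, r_dst):
            return action, desc
    return "block", "default deny"

# Constructed: the rule set as the original poster had it, allow limited to TCP and placed
# above the reject, so UDP/ICMP fall through to the default deny and the reject is shadowed.
ORIGINAL = [
    ("pass",   "TCP", DMZ_NET, "*",     "DMZ > Any"),
    ("reject", "*",   DMZ_NET, LAN_NET, "reject DMZ > LAN"),
]
# Constructed: the single rule recommended above, any protocol with destination "! LAN net".
RECOMMENDED = [
    ("pass", "*", DMZ_NET, "!" + LAN_NET, "DMZ > Any But LAN"),
]

if __name__ == "__main__":
    host = "192.168.10.17"  # the DMZ device from the first post
    for rules, name in ((ORIGINAL, "original"), (RECOMMENDED, "recommended")):
        for proto, dst in (("UDP", "203.0.113.53"), ("ICMP", "10.1.1.50"), ("TCP", "10.1.1.50")):
            print(name, proto, host, "->", dst, evaluate(rules, proto, host, dst))
```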

Thanks for your reply, you're right the rule wasn't addressing the UDP traffic. I've added TCP and UDP to that rule but unfortunately still have an issue.

          I can now access from the LAN > WAN and OPT1 > WAN but not LAN > OPT1

I also rebuilt the pfSense box and changed the OPT1 interface to 192.168.3.1/16 as I had run out of ideas. I also swapped the OPT1 interface out in case it was an issue and connected my laptop directly to the interface with a crossover cable just in case.

          I have made a blanket allow all to any on the OPT1 rule set so it should be allowed out, I've reset the state to kill any existing connections but I am still unable to get any machine on opt1 (192.168.0.0) to contact anything on the 10.1.0.0 network

          the route table seems to be ok?

          Any ideas much appreciated I've been scouring the PFSense forum and google for any other suggestions as well with no joy.

          Have attached screenshots

Attachments: fw_table.gif, fw_rules LAN.gif, fw_rules2.gif
stuartc

            Additional information:

I've disabled filtering for a test which as I understand it should turn the box into an unrestricted router and rule out the firewall rules stopping this (I may be wrong?) and I still can't communicate from OPT1 to LAN.

            Does this mean it's a routing issue?

Also I've just been able to ping from LAN to OPT1 but not back?

GruensFroeschli

              @stuartc:

              Additional information:

I've disabled filtering for a test which as I understand it should turn the box into an unrestricted router and rule out the firewall rules stopping this (I may be wrong?) and I still can't communicate from OPT1 to LAN.

              Does this mean it's a routing issue?

              I'd rather bet on a firewall on the device you're trying to access.

              @stuartc:

Also I've just been able to ping from LAN to OPT1 but not back?

You don't have a rule allowing pings from OPT1 to LAN. (ping = ICMP =/= TCP,UDP)

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

stuartc

Thanks for the reply. I have a rule now which allows anything, from anywhere to anything on any protocol in the DMZ tab and still can't ping out of OPT1 into LAN.

As a test I've got a laptop on LAN that I can ping the device I'm trying to ping from OPT1 and have just double checked the Windows firewall is disabled on the OPT1 laptop.

Have attached new OPT1 rules screenshot - reset state and rebooted pfSense box after applying it just in case.

Any input much appreciated, it's got me well and truly stumped at the moment.

Attachment: fw_opt1rules.gif

AhnHEL

                  Way too many redundant rules.  Set up only one rule on your OPT interface

                  *    OPT Net      *    *    *    *    OPT -> Any

                  Leave the default LAN -> Any rule as is.

                  This should allow pings to go from LAN to OPT and from OPT to LAN.

If the pings are not getting through then check that the firewalls on both laptops are disabled (you mentioned the OPT laptop's firewall is off but not the LAN laptop's firewall; double check).

Your initial post suggested setting up a DMZ so ultimately you don't want your DMZ/OPT to have LAN access, so you will have to edit your OPT -> Any rule to look like this

                  *    OPT Net    *    ! LAN Net    *    *    OPT -> Any But LAN

                  Once this is done create your block rules one at a time and place them above your OPT -> Any But LAN rule, testing to make sure they are working properly.

                  AhnHEL (Angel)

stuartc

                    Thanks for your help, I will revise my rules and cut them down.

With the DMZ network I need to block all traffic to the LAN bar a few ports for our remote access solution, so it's not 100% separated.

                    The LAN machines I'm attempting to ping from OPT have the firewall disabled, have just double checked (rule 1, never assume :))

                    So once I am able to ping through to prove connectivity I will be adding additional rules for particular traffic.

                    Will post back when I can access the OPT1 laptop

Eugene

                      Can you ping LAN machines from the firewall itself?

                      http://ru.doc.pfsense.org

stuartc

I'd not actually thought of that, just tried now from the ping tool on the web GUI.

When the interface is set to the LAN I can ping the server on the LAN; when it's set to OPT1 I cannot ping the LAN server.

Thanks for your input, I feel like I'm getting somewhere with everyone's help. I fear it may have driven me to an early grave otherwise.

Eugene

                          Does the server on LAN have default gateway as pfSense's LAN address?

                          http://ru.doc.pfsense.org

stuartc

Hmmm, it would appear I've overlooked something fairly major here - I've changed a few non-priority servers to use the pfSense default gateway rather than the other FW and it works fine!

                            Thanks for all your help everyone that would have taken me the rest of my life to find!

Eugene

So your issue is not firewalling but routing.
You don't necessarily need to change the default gateway, but you have to tell your server on the LAN that it has to route network 192.168.10.0/24 to your pfSense.
You can add just one route on your server; from a Windows cmd window it would look like
route -p add 192.168.10.0 mask 255.255.255.0 10.1.1.1
… and leave your default unchanged.

                              http://ru.doc.pfsense.org

stuartc
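The routing point in this reply (the LAN server's reply to a DMZ host follows its default route to the other firewall unless a more specific route sends it back via pfSense) is shown below with an added longest-prefix-match lookup over a constructed LAN server routing table. This is example code for the thread, not from the post or from pfSense; the old firewall's address 10.1.1.254 is a constructed placeholder, since the thread does not give it.

```python
import ipaddress

OLD_FW = "10.1.1.254"     # constructed placeholder: the server's current default gateway
PFSENSE_LAN = "10.1.1.1"  # pfSense LAN address from the thread

def next_hop(table, dst):
    """Longest-prefix match: return the gateway for dst ('on-link' = directly connected)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def server_table(with_dmz_route):
    """Constructed LAN server routing table, before/after the static route from the post:
    'route -p add 192.168.10.0 mask 255.255.255.0 10.1.1.1'."""
    table = [("10.1.0.0/16", "on-link"), ("0.0.0.0/0", OLD_FW)]
    if with_dmz_route:
        table.append(("192.168.10.0/24", PFSENSE_LAN))
    return table

def reply_symmetric(with_dmz_route, dmz_host="192.168.10.17"):
    """True when the server's reply to the DMZ host goes back through pfSense, the firewall
    that holds the state for the request; otherwise the reply leaves via the old firewall."""
    return next_hop(server_table(with_dmz_route), dmz_host) == PFSENSE_LAN

if __name__ == "__main__":
    for fixed in (False, True):
        print("static route present:", fixed,
              "-> reply next hop:", next_hop(server_table(fixed), "192.168.10.17"),
              "symmetric:", reply_symmetric(fixed))
```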

                                I know it's not ideal but if I were to add the route to the other firewall during the migration period would that route the traffic properly

                                so the servers currently pointed at the 10.1.1.1 gateway (old firewall) would forward 192.168.10 traffic onto PFSense?

ktims

                                  @stuartc:

                                  I know it's not ideal but if I were to add the route to the other firewall during the migration period would that route the traffic properly

                                  so the servers currently pointed at the 10.1.1.1 gateway (old firewall) would forward 192.168.10 traffic onto PFSense?

                                  Should work fine that way.

GruensFroeschli

Not sure if this is acceptable but:
You basically want to access stuff on the LAN from the OPT.
The problem is that the server on the LAN doesn't know where to send the answer to.
If you enable NAT from OPT to LAN, then the requests appear as if from the IP of the pfSense on the LAN side.

Like this you don't need to change anything on the existing stuff.

Howto: enable advanced outbound NAT under "Firewall" -> "NAT".
There will be an autocreated rule for LAN -> WAN.
Copy this rule and change it to OPT -> LAN.

                                    We do what we must, because we can.

                                    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.