Netgate Discussion Forum

    Crazy issuses getting DHCP/New interface up and running

    Category: DHCP and DNS
    12 Posts 2 Posters 6.7k Views
    wallabybob

      @mechanicalmetal:

      My LAN subnet is 192.168.1.1/24 for pfSense. Well, I created an OPT1 interface and named it (NRouter) and put it on the 192.168.2.1/24 subnet, did not bridge or anything. Added an OPT rule to the firewall to enable traffic to pass (here's the firewall settings): Action: Pass (Source) LAN Subnet (Destination) Any, gateway set on default, and named description NRouter Pass.

      On the OPT1 interface you added a rule to pass traffic FROM the LAN subnet? Wouldn't you want to pass traffic FROM the OPT1 subnet?

      @mechanicalmetal:

      $ ifconfig
      sk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=b<RXCSUM,TXCSUM,VLAN_MTU>
              ether 00:0c:6e:ce:03:cd
              inet6 fe80::20c:6eff:fece:3cd%sk0 prefixlen 64 scopeid 0x1
              inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
              media: Ethernet autoselect (none)
              status: no carrier

      "No carrier" indicates the interface can't see anything on the other end of the attached cable. Depending on your interfaces you MAY need a crossover cable to connect this interface to the router. (Some newer interfaces sense which wires are receive and automatically "cross over" if required. Older interfaces generally don't do this.) The LEDs around the socket are generally a good indication of connectivity.

      mechanicalmetal

        @wallabybob: [quoted reply above]

        Thanks so much for the helpful reply! I did get some progress, but not all the way. It would make sense to set a firewall rule for traffic to pass through the OPT interface since DHCP is enabled on the interface. Thanks to your help, I can access my LAN, but no internet. My OPT interface now states that it's up and running properly with the new firewall rule. Checked all settings to ensure subnets were correct, rebooted the firewall, but for some reason my firewall is still blocking my connection! Here's the error I'm getting under System Logs > Firewall:

        Time             If       Source               Destination        Proto
        Apr 21 21:14:07  NRouter  192.168.2.13:49952   192.168.2.10:53    UDP
        Apr 21 21:37:25  NRouter  192.168.2.13:138     192.168.2.255:138

        Well, what I'm not understanding is that the rule I have set for the OPT interface under firewall rules is Action: PASS | Source: NRouter Subnet | Destination: LAN Subnet... But my firewall is blocking a destination of 192.168.2.10 when my LAN subnet is 192.168.1.1? Makes no sense to me :(

        Here's some more of my settings:

        OPT interface > DHCP Server > 192.168.2.11 to 192.168.2.15

        Interfaces > Enabled, IP 192.168.2.10/24

        I'm totally stumped. Anyone got any ideas on what I can do to get this interface online?

        Thanks

        mechanicalmetal

          Well, I got everything working; I can now access the internet and my LAN on my new subnet, by modifying some firewall rules.

          Under my OPT firewall rules I set the source to NRouter Subnet, and the destination to ANY. This fixed it. However, I know there are some security issues there since it's not protected by my LAN, please correct me if I am wrong. Is this safe? I just want to make sure everything is secure. Please let me know if I need to approach this firewall modification the safest way I can do it.

          I hope I did everything right, but let me know if I did anything wrong to breach security!

          You guys are fantastic, thanks so much!

          wallabybob

            @mechanicalmetal:

            I hope I did everything right, but let me know if I did anything wrong to breach security!

            You haven't specified what security you want, so it's impossible to say if you have broken security. For example, you might be using your current setup as a testbed for a larger configuration. Your wireless network might be "in-house", making it safe to allow traffic between LAN and the wireless network. Your wireless network might be to provide internet access to guests, in which case you might want to allow access to no LAN systems or only one.

            If you allow any access from OPT1 you might as well connect your router to LAN and cut the processing load on the pfSense box.

            The default install configuration of pfSense is to allow internet access from LAN (since that seems to be what most people want) and block access from OPT interfaces since there isn't any obvious common case. The purpose of a firewall is to control access. Starting with a "wide open" firewall is seen as much less desirable than starting with a "closed" firewall that can be opened as required.

            mechanicalmetal

              @wallabybob: [quoted reply above]

              Thanks for the quick reply. I basically want to have my OPT interface protected by my LAN. I share my internet with a few of my neighbors and limit the bandwidth, and I just want to make sure I am setting the safest firewall rules for this OPT interface. I know setting destination > ANY for the OPT firewall rule is like leaving a wide open door for anyone to access, but if I try to set my interface to a LAN Subnet destination, I get no internet connection, but get access to my network. So I'm kinda stuck. Do you know how I can have my source type set to my OPT Subnet, and have my destination access my LAN Subnet while still giving me access to the internet and my internal network when I am on my laptop? If you could please tell me how to do this, it would be much appreciated.

              Thank you so much and sorry for being such a pain.

              wallabybob

                I'm sorry, I didn't follow your explanation of what you want to do (it's not clear where your laptop will connect, perhaps OPT, and I don't know what you mean by "I basically want to have my OPT interface protected by my LAN", perhaps "OPT interface protected FROM my LAN"). I assume what you want is:

                1. Allow LAN to access the Internet.

                2. Block LAN initiating connections to OPT.

                3. Allow OPT to access internet, LAN and pfSense.

                In summary, OPT can access everything, LAN can access everything except OPT.

                To do this you should add a firewall rule to LAN: Action: Block (Source) LAN Subnet (Destination) OPT subnet.

                Note that firewall rules are processed for incoming traffic on an interface and rule processing goes "down" the rule list until the incoming packet matches a rule for the interface on which the packet was received. Hence my suggested additional rule for LAN should probably be the first rule on LAN. (I don't know what rules you already have for LAN.)

                After you have set up your rules you should probably reset firewall states (from the web GUI, Diagnostics -> States, click on the Reset states tab, then click on the Reset button), then test that the rules block everything you want blocked and allow everything you want allowed.

                mechanicalmetal

                  @wallabybob: [quoted reply above]

                  Thanks man for all of your help. That's still not letting me get online :( All I am planning to do is hook up a wireless router to an OPT interface, and make sure that it is secure from people using my router, and hackers. And I wanted to know the best way to go about setting up my firewall rules so they will be safe. I wish I had the option to just use my router as an AP; it would make life so much easier.

                  If you have any more input, please feel free to advise, thanks so much!

                  mechanicalmetal

                    Correct, I just want to use pfSense as my DHCP/DNS and use my router as an AP, pretty much. I want to maintain security from hackers and people messing with my wireless; that's why I wanted to get my OPT with my LAN subnet, because I know the LAN subnet is one of the most heavily locked down security features. Just don't know how to do it, going crazy :P

                    wallabybob

                      It seems of all the OPT systems you want to allow only your laptop to access the LAN. I guess that the laptop connects to the Wireless router through a wired port or as a wireless client.

                      Here's how I would do it (assuming you can configure the wireless router to act as a bridge):

                      1. Find the MAC address of the laptop.

                      2. Configure pfSense to assign a fixed (static) IP address to that MAC address.

                      3. Add following firewall rules to OPT interface before existing rules:
                            Action: Pass Source: Laptop IP address Destination: Any
                            Action: Block Source: OPT subnet Destination: LAN subnet

                      You should probably look elsewhere for instructions on securing your wireless router.

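The rule ordering that wallabybob describes in the two replies above (the LAN block rule that must sit at the top of the LAN list, and the laptop pass rule placed ahead of an OPT-to-LAN block) can be checked with a small model. What follows is an added example, not code from this thread or from pfSense itself: it replays pfSense's evaluation order, where rules are consulted for traffic arriving on an interface, top to bottom, the first rule whose source and destination match decides the packet (every pfSense GUI rule is a pf `quick` rule), and anything unmatched hits the implicit default deny that wallabybob says is the shipped state of OPT interfaces. The subnets are the thread's own; the laptop address 192.168.2.11 is an assumed static lease from the posted DHCP range, 192.168.1.5 and 203.0.113.10 are constructed stand-ins for a LAN client and an internet host, and protocol, port and the state table are left out. Besides the two rule sets above, it also shows why the original "source LAN subnet" rule on OPT could never match, and why a rule passing only "OPT subnet to LAN subnet" still logs a block for 192.168.2.13 to 192.168.2.10:53: DNS to pfSense's own OPT address is not in the LAN subnet.

```python
"""Model of pfSense rule evaluation for the rule sets discussed in this thread.

Added example, not code from the thread or from pfSense. Rules are kept per
ingress interface and walked top to bottom; the first rule whose source and
destination match decides the packet (pfSense GUI rules are all pf 'quick'
rules), and anything unmatched is dropped by the implicit default deny.
Protocol, port and the state table are deliberately left out.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Subnets and hosts from the thread; the laptop lease and the two stand-in
# hosts are assumptions made for this example.
LAN = ip_network("192.168.1.0/24")
OPT = ip_network("192.168.2.0/24")        # OPT1, named "NRouter"
ANY = ip_network("0.0.0.0/0")
FW_OPT_ADDR = "192.168.2.10"              # pfSense's own address on OPT (DNS listens here)
LAN_HOST = "192.168.1.5"                  # constructed LAN client
OPT_HOST = "192.168.2.13"                 # the OPT client in the posted firewall log
LAPTOP = "192.168.2.11"                   # assumed static DHCP lease for the laptop
INTERNET_HOST = "203.0.113.10"            # constructed stand-in for an internet address


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    desc: str


def decide(rules_by_iface: dict, iface: str, src: str, dst: str) -> tuple:
    """Return (action, matching rule description) for a packet entering iface."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules_by_iface.get(iface, ()):
        if s in rule.src and d in rule.dst:
            return rule.action, rule.desc
    return "block", "default deny (no rule matched)"


# 1. The first post's OPT rule: source "LAN subnet" on the OPT interface, so
#    no packet arriving from OPT can ever match it.
FIRST_POST = {"OPT": [Rule("pass", LAN, ANY, "NRouter Pass")]}

# 2. The second attempt: OPT subnet may reach the LAN subnet and nothing else.
#    DNS to pfSense's OPT address and any internet host fall through to deny.
LAN_ONLY = {"OPT": [Rule("pass", OPT, LAN, "OPT to LAN")]}

# 3. wallabybob's LAN rule placed first (effective) versus below the pass
#    rule (never reached, because the pass matches first).
LAN_BLOCK_FIRST = {"LAN": [Rule("block", LAN, OPT, "block LAN to OPT"),
                           Rule("pass", LAN, ANY, "default allow LAN to any")]}
LAN_BLOCK_LAST = {"LAN": list(reversed(LAN_BLOCK_FIRST["LAN"]))}

# 4. wallabybob's OPT rules: the laptop may reach anything; every other OPT
#    host may reach anything except LAN.
OPT_LAPTOP_ONLY = {"OPT": [
    Rule("pass", ip_network(f"{LAPTOP}/32"), ANY, "laptop to any"),
    Rule("block", OPT, LAN, "block OPT to LAN"),
    Rule("pass", OPT, ANY, "OPT to any"),
]}


def outcomes() -> dict:
    """Decisions for the packets discussed in the thread, keyed by scenario."""
    return {
        "first_post_opt_to_internet": decide(FIRST_POST, "OPT", OPT_HOST, INTERNET_HOST)[0],
        "lan_only_dns_to_firewall": decide(LAN_ONLY, "OPT", OPT_HOST, FW_OPT_ADDR)[0],
        "lan_only_opt_to_lan": decide(LAN_ONLY, "OPT", OPT_HOST, LAN_HOST)[0],
        "lan_only_opt_to_internet": decide(LAN_ONLY, "OPT", OPT_HOST, INTERNET_HOST)[0],
        "block_first_lan_to_opt": decide(LAN_BLOCK_FIRST, "LAN", LAN_HOST, OPT_HOST)[0],
        "block_first_lan_to_internet": decide(LAN_BLOCK_FIRST, "LAN", LAN_HOST, INTERNET_HOST)[0],
        "block_last_lan_to_opt": decide(LAN_BLOCK_LAST, "LAN", LAN_HOST, OPT_HOST)[0],
        "laptop_to_lan": decide(OPT_LAPTOP_ONLY, "OPT", LAPTOP, LAN_HOST)[0],
        "other_opt_to_lan": decide(OPT_LAPTOP_ONLY, "OPT", OPT_HOST, LAN_HOST)[0],
        "other_opt_to_internet": decide(OPT_LAPTOP_ONLY, "OPT", OPT_HOST, INTERNET_HOST)[0],
    }


if __name__ == "__main__":
    for name, action in outcomes().items():
        print(f"{name:32s} {action}")
```

Two caveats a practitioner would add to the rule sets above. Rules are consulted only when a packet creates a new state, so connections that already exist keep flowing under the old policy until the state table is cleared, which is why the Diagnostics -> States reset wallabybob mentions matters after a rule change. And a static DHCP mapping keyed on the laptop's MAC address is a convenience, not authentication: any client on the wireless segment can set that MAC or address itself, so the "laptop to any" pass rule trusts whoever claims 192.168.2.11, not the laptop.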
                      mechanicalmetal

                        I don't even have the router plugged in right now. I've been plugging direct Ethernet into the OPT interface to try and get online. I'm working on that first though, any suggestions? I'm not hooking up wireless to OPT until I can get online hardwired first.

                        Thanks for your reply and time

                        mechanicalmetal

                          Anyone?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.