Wan - lan - opt1 and problems …
-
Did you notice there were 23 "in" errors on em1 (OPT1) and the received packet count was 0. What is destroying the incoming packets? This has to be fixed before you will be able to get much further.
Yes, I did. I think it is because I unplugged the eth cable from the NIC a couple of times, since DHCP was failing to assign an IP to the clients on LAN2.
If I can get some help, I want to first confirm that my setup mentioned before is correct (for the interface assignment and the DHCP settings related to it).
INTERFACES / OPT1
Type: Static
192.168.10.1/24

SERVICES / DHCP for OPT1
Subnet 192.168.10.0
Subnet mask 255.255.255.0
Available range 192.168.10.0 - 192.168.10.255
Range 192.168.10.10 - 192.168.10.20

As for the rules, I have only one for now:
Proto Source Port Destination Port Gateway Schedule
- LAN2 net * * * *
When I create OPT1 and enable DHCP on it, set to static with IP 192.168.10.1, I can ping that gateway from the 192.168.0.0 subnet.
Also some more info from the DHCP logs:
Jan 7 23:22:16 pfsense dhcpd: Listening on BPF/em1/00:02:a5:4e:XX:XX/192.168.10/24
Jan 7 23:22:16 pfsense dhcpd: Sending on BPF/em1/00:02:a5:4e:XX:XX/192.168.10/24
Jan 7 23:22:16 pfsense dhcpd: Listening on BPF/em0/00:02:a5:4e:XX:XX/192.168.0/24
Jan 7 23:22:16 pfsense dhcpd: Sending on BPF/em0/00:02:a5:4e:XX:0XX/192.168.0/24
Jan 7 23:22:16 pfsense dhcpd: Sending on Socket/fallback/fallback-net

I think it should be a VERY easy task, but why? Why me???
-
I don't know enough details about what you have done but on the evidence I would suspect a problem with incoming frames on the OPT1 interface.
I would configure a system connected to OPT1 with a static IP address in the OPT1 subnet range and then verify that when I ping that system from the pfSense console I get a ping response and when I ping the pfSense OPT1 interface IP address from the OPT1 system with fixed IP address I get a ping response.
I can't see any problem with your OPT1 configuration other than the firewall rule issue I pointed out previously.
-
I am practicing it on a VM; on the VM there are no problems with different subnets. I will check my cables, switch etc. one by one.
Now I need help with a firewall rule. What I am trying to achieve:
LAN = can see (RDP, ping, Windows shares etc.) OPT1 and the internet connection
OPT1 = cannot see the LAN subnet and the internet connection
Thank you in advance.
-
I am practicing it on a VM; on the VM there are no problems with different subnets. I will check my cables, switch etc. one by one.

You got your desired configuration working on a VM environment?

Now I need help with a firewall rule. What I am trying to achieve:
LAN = can see (RDP, ping, Windows shares etc.) OPT1 and the internet connection
OPT1 = cannot see the LAN subnet and the internet connection

Firewall rules apply on the input side of the firewall. Firewall rules are processed in order until a match is seen.
The default configuration gives what you ask for LAN. I'm not sure if I should read your OPT1 requirements as "cannot access LAN and cannot access the internet" or as "can access the internet and cannot access LAN". The latter is probably more useful, so, firewall rules on OPT1:
Rule 1: BLOCK anything to LAN subnet
Rule 2: Allow anything to anywhere
I'd turn on logging on Rule 1 so you can more readily verify it does what you want.
-
Yes, in a VM things are better than in a cold basement :) OK, with those tips I almost configured my PCs in the VM (but with both network adapters manually configured) 192.168.10.1/192.168.20.1.
I achieved almost all I wanted, except this:
I cannot explore OPT1 from LAN in Windows (network computers), but from LAN (on the same machine) I can RDP and ping into the OPT1 machine and ping both gateways. My firewall rules are:
LAN
default rule plus UDP 67-68
OPT1
the rules that you asked me to add, in their order
How can I see OPT1 machines from the LAN computers' shares in Windows??
Thanks
-
I suspect windows network browsing might be limited to the "local" subnet due to the protocol mechanisms involved (subnet broadcasting? or LAN multicasting by MAC address?).
However, it is still possible to browse a known computer in another subnet by specifying it by name or IP address, e.g. in Windows Explorer: \\winhost or \\192.168.20.56.
-
I know that, but for some reason it doesn't work. Again, I can ping, RDP etc. but cannot browse shares. Maybe some other specific ports to open?
-
Works for me: I have a Linux system with Samba on OPT3, a few Win2k systems on LAN, and all the Win2k systems can see the Samba shares on the Linux system on OPT3.
OPT3 has a rule: pass anything to everywhere. I expect a more restrictive rule set would suffice.
I suggest you check your firewall log. It would probably give some hints about ports to LAN that might need to be opened on your OPT1.
-
Maybe the block rule towards LAN? Because for me OPT1 will be a one-way network. I don't know how it works, but we open the door to OPT1, but OPT1 has to send something back to LAN? And because of the block back to LAN I cannot see the shares, but then how come ping and RDP work? On the VM the test systems are XPs; on the real network the two systems are Server 2003s. I really don't know what to do. Also, for a couple of days I have been experiencing PPPoE drops on the WAN port.
-
When the firewall allows a connection through, it also constructs a temporary rule specific to that connection, to allow the back traffic.
I don't know the details of how Windows Explorer discovers the shares. It's possible the server attempts to create a new connection (or more) back to the client. These new connections would be blocked by the rule I suggested.
If you have logging on the OPT1 rule then any attempt by the Windows server to establish a "back connection" to the LAN should appear in the firewall log, and the information logged will allow you to add firewall rules to allow these back connections.

But I don't recall reading a description of the security policy for OPT1; you might want something much more relaxed.
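As an added illustration of the two points made in this thread (first-match rule processing on the interface a packet enters, and the state entry that lets reply traffic back even though the OPT1 rules would block it), here is a small model of the suggested OPT1 rule set; this is example code, not pfSense's own, and it assumes LAN is 192.168.20.0/24 and OPT1 is 192.168.10.0/24 as in the VM setup.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing (assumption: LAN = 192.168.20.0/24, OPT1 = 192.168.10.0/24).
LAN_NET = ipaddress.ip_network("192.168.20.0/24")
OPT1_NET = ipaddress.ip_network("192.168.10.0/24")

@dataclass
class Rule:
    action: str      # "pass" or "block"
    dst: object      # ip_network, or None meaning "any destination"
    log: bool = False

# Rules are evaluated on the interface a packet *enters*; first match wins.
OPT1_RULES = [Rule("block", LAN_NET, log=True), Rule("pass", None)]  # as suggested above
LAN_RULES = [Rule("pass", None)]                                      # default "LAN to any"

@dataclass
class Firewall:
    rules: dict                                 # interface name -> ordered rule list
    states: set = field(default_factory=set)    # (src, sport, dst, dport) of allowed flows
    log: list = field(default_factory=list)

    def filter(self, iface, src, sport, dst, dport):
        """Return 'pass' or 'block' for a packet entering the firewall on iface."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # A reply to an already-allowed connection matches the state table and is
        # passed before any interface rule is consulted (the "temporary rule" above).
        if (dst, dport, src, sport) in self.states:
            return "pass"
        for rule in self.rules[iface]:
            if rule.dst is None or dst in rule.dst:
                if rule.log:
                    self.log.append(f"{rule.action} {iface} {src}:{sport} -> {dst}:{dport}")
                if rule.action == "pass":
                    self.states.add((src, sport, dst, dport))
                return rule.action
        return "block"  # implicit default deny when nothing matches

def demo(opt1_rules=OPT1_RULES):
    """Run the thread's scenarios through the model; returns (verdicts, log lines)."""
    fw = Firewall({"LAN": LAN_RULES, "OPT1": opt1_rules})
    verdicts = {
        # LAN client opens SMB to an OPT1 file server, then the server replies.
        "lan_to_opt1_smb": fw.filter("LAN", "192.168.20.56", 50000, "192.168.10.10", 445),
        "opt1_reply_smb": fw.filter("OPT1", "192.168.10.10", 445, "192.168.20.56", 50000),
        # A *new* connection from the OPT1 server back to the LAN client (NetBIOS 139).
        "opt1_back_conn": fw.filter("OPT1", "192.168.10.10", 50001, "192.168.20.56", 139),
        # OPT1 host reaching the internet (constructed TEST-NET address).
        "opt1_to_internet": fw.filter("OPT1", "192.168.10.10", 50002, "203.0.113.10", 80),
    }
    return verdicts, fw.log
```

Calling `demo()` with the two OPT1 rules reversed shows why order matters: the "pass anything" rule then matches first and the back connection is never blocked or logged.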