Netgate Discussion Forum
    PfSense RC1 i386 multiple interfaces cannot talk despite pass all rules

    dunleavy

      I recently upgraded my home firewall to pfSense 2.0RC1 to test functionality.  Overall the setup was quite easy and very similar to pfSense 1.2.3.  When I did this upgrade, I also decided to utilize an old Cisco 2960G switch and play around with VLAN functionality as a test bed.  Making things complicated, I separated my home network into 3 subnets over 2 separate interfaces using the following networks:

      216.89.x.x WAN (embedded NIC) cable ISP
      192.168.1.0/24 LAN (NIC 1)
      192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 (NIC 2)

      The VLAN card hands off all VLAN traffic to the 2960G via a trunk port.  When I plug a computer into the switch I do in fact receive the proper address depending on the port / VLAN they are assigned.

      My goal is to restrict access from the wireless VLAN (.30.x) so only one host, my Arch laptop, can access the LAN network where I house my virtual machines and servers, and allow the server VLAN to access all hosts on the wireless VLAN and printing.  For starters, on the WVLAN interface and the LAN interface I have enabled default pass all rules going out.

      • LAN subnet    *   *   *   *
      • WVLAN subnet  *   *   *   *

      My first test consisted of my desktop 192.168.1.10 trying to ping the laptop 192.168.30.200.  This succeeded; echo replies came in right away.  Then I tried accessing my Western Digital NAS device via its IP 192.168.30.3.  This could not resolve via web, and a ping did not return replies back to the LAN (192.168.1.10).  I turned on logging by default and the packets were shown as passed from Source LAN -> Destination WVLAN.  I also saw the NAS device traffic being passed back to the desktop.  I tried a similar test with the wireless printer and could not reach its web configuration page.

      It is my understanding that the default LAN and WVLAN to any rules should allow communication between these subnets, and then I can restrict access via block rules.  Not sure why my rules will not allow inter-VLAN communication, unless it's due to LAN not being on the VLAN NIC.

      Sorry for my rambling; hopefully this is clear. If not, I can try to upload some screenshots and diagrams tonight after work. I edited my document to include the system logs as an attachment.  The logs show traffic going from LAN (192.168.1.5) to WVLAN port 22, as well as WVLAN 192.168.30.3 (NAS device) back to the LAN computer.  However, the LAN computer receives a connection time out.
      [attachment: syslogs.JPG]

      cmb

        You're seeing and blocking the same SYN on LAN and WVLAN, you have those networks interconnected where they shouldn't be, or something else not right causing you to see that. Most likely the switch config.

        dunleavy

          Hm, I'll try removing the Cisco 2960G and assigning the interface OPT1 to a single subnet rather than using the VLAN functionality.  If that works, I'll take a second look at configuring the 2960G; as it was a switch for testing, I very well could have messed up the configuration.  The switch only has a single port being used anyhow for testing VLANs.

          Thanks for giving me an idea of where to look.

          dunleavy

            After removing the Cisco 2960G switch I was still unable to properly connect to printers or web-based NAS devices over the OPT interface.  Then I happened upon another thread on Google, and it turns out it was my Captive Portal running on the WVLAN subnet that would not allow my NAS or printers to talk back.  After adding their MAC addresses to the pass-through list, I can now reach everything and configure the proper block rules to lock down the network.

            Can someone please mark this thread resolved?

            Metu69salemi
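The resolution above is worth modelling, because the firewall log genuinely reports "pass" for both directions while the connection still times out: the captive portal sits on the WVLAN interface and holds traffic from any client that has neither logged in nor been added to the MAC pass-through list, and a headless NAS or printer can never log in. The following Python model is an added example, not pfSense code or the poster's configuration. It assumes two interfaces (LAN without captive portal, WVLAN with it), the hosts and addresses named in the thread, and constructed MAC addresses and a constructed printer address (192.168.30.4). It evaluates the outbound "pass all" rule first and the captive-portal gate on both ends second, and reports which devices on a captive-portal interface need a pass-through entry before the forum's desktop can reach them.

```python
"""Why a captive portal blocks replies from headless devices even though the
firewall rule log says "pass".  Added example: hosts, MACs and the printer's
address are constructed, and the gate logic is a simplified model of a
pfSense-style captive portal, not the real implementation."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ip: str
    mac: str


@dataclass
class Interface:
    name: str
    subnet: str
    captive_portal: bool = False
    authenticated_ips: set = field(default_factory=set)  # clients that logged in
    mac_passthrough: set = field(default_factory=set)    # "pass-through MAC" entries


def interface_for(ip, ifaces):
    """Return the interface whose subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    for iface in ifaces:
        if addr in ipaddress.ip_network(iface.subnet):
            return iface
    raise ValueError(f"{ip} is on no known interface")


def firewall_pass(src_if, dst_if):
    """The thread's rules: LAN and WVLAN each have a 'pass all' outbound rule."""
    return src_if.name in ("LAN", "WVLAN")


def portal_allows(iface, host):
    """A captive portal only lets traffic through for logged-in clients or
    MACs on the pass-through list; interfaces without a portal pass everyone."""
    if not iface.captive_portal:
        return True
    passthrough = {m.lower() for m in iface.mac_passthrough}
    return host.ip in iface.authenticated_ips or host.mac.lower() in passthrough


def reachable(client, target, ifaces):
    """Walk the forward and reverse path; return (ok, reason)."""
    src_if = interface_for(client.ip, ifaces)
    dst_if = interface_for(target.ip, ifaces)
    if not firewall_pass(src_if, dst_if):
        return False, f"firewall rule on {src_if.name} blocks {client.name} -> {target.name}"
    if not portal_allows(src_if, client):
        return False, f"captive portal on {src_if.name} intercepts {client.name}"
    # At this point the filter log shows "pass" for the SYN, but the reply from
    # target must also get past the portal on its own interface.
    if not portal_allows(dst_if, target):
        return False, (f"captive portal on {dst_if.name} holds replies from "
                       f"{target.name}: not authenticated and no MAC pass-through")
    return True, "ok"


def needs_passthrough(iface, hosts):
    """Names of hosts on a captive-portal interface that can never log in
    themselves and therefore need a pass-through MAC entry."""
    net = ipaddress.ip_network(iface.subnet)
    return [h.name for h in hosts
            if iface.captive_portal
            and ipaddress.ip_address(h.ip) in net
            and not portal_allows(iface, h)]


def apply_fix(iface, hosts):
    """The thread's fix: add the headless devices' MACs to the pass-through list."""
    for h in hosts:
        iface.mac_passthrough.add(h.mac)


# Constructed scenario mirroring the thread (MACs and .30.4 are made up).
LAN = Interface("LAN", "192.168.1.0/24")
WVLAN = Interface("WVLAN", "192.168.30.0/24", captive_portal=True,
                  authenticated_ips={"192.168.30.200"})  # the Arch laptop logged in
IFACES = [LAN, WVLAN]
DESKTOP = Host("desktop", "192.168.1.10", "00:00:5e:00:53:01")
LAPTOP = Host("laptop", "192.168.30.200", "00:00:5e:00:53:02")
NAS = Host("nas", "192.168.30.3", "00:00:5e:00:53:03")
PRINTER = Host("printer", "192.168.30.4", "00:00:5e:00:53:04")
HOSTS = [DESKTOP, LAPTOP, NAS, PRINTER]

if __name__ == "__main__":
    for target in (LAPTOP, NAS, PRINTER):
        print(f"{DESKTOP.name} -> {target.name}: {reachable(DESKTOP, target, IFACES)}")
    print("needs pass-through:", needs_passthrough(WVLAN, HOSTS))
    apply_fix(WVLAN, [NAS, PRINTER])
    print("after fix, desktop -> nas:", reachable(DESKTOP, NAS, IFACES))
```

The useful check is `needs_passthrough`: run it against an inventory of the captive-portal segment before adding block rules, since every device it lists will show "pass" in the filter log and still be unreachable. Keep the pass-through list short and specific to devices that cannot authenticate, because each entry exempts that MAC from the portal entirely.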

              Edit your first post subject
