Netgate Discussion Forum

    Clean Install with pfsense 2.0 using transparent firewall

    Category: Problems Installing or Upgrading pfSense Software
    44 Posts 7 Posters 23.6k Views
    • verylife78

      @wallabybob
      You went way back... with the quote reply.
      The WAN card is not in the DOWN state, since I followed the instructions for the transparent firewall.
      I said public network; maybe I misused the word "public". I know these 10.xxx.xxx.xxx addresses are private, but we are using this range in the government (public) buildings.
      I have attached the start page in order to understand.
      Now the only cable that is connected is the one at the LAN card, but I have followed the instructions in order to set up the transparent firewall.
      Hope I made myself clear, and sorry for any language mistakes; my native language is Greek.
      Waiting for an answer.

      pfsense_start_page.jpg

      • wallabybob

        @verylife78:

        I said public network; maybe I misused the word "public". I know these 10.xxx.xxx.xxx addresses are private, but we are using this range in the government (public) buildings.

        It is important to get public/private distinction clear when it comes to deciding how to set the per-interface settings of Block private networks (e.g. Interfaces -> LAN, scroll down to private networks). I presume you have it unchecked. But can you explain why the firewall is blocking the LAN traffic shown in the screen capture of the previous reply?

        @verylife78:

        Hope I made my self clear and sorry for any language mistakes, my native language is Greek.

        Your English is way better than my Greek :)

        • stephenw10 (Netgate Administrator)

          I assume it was this guide that you followed?
          http://pfsense.trendchiller.com/transparent_firewall.pdf

          Looking at your screen grab, I see that your firewall is blocking traffic on LAN, all of which is coming from a different subnet. If you have only the default LAN allow rule, you will have to edit it or add more rules to allow traffic from a different subnet.

          What is working at the moment?

          Steve

          • verylife78

            At the moment, because we depend 100% on the web, I can't do any tests.
            But last night (now it's morning time) when I plugged in the pfSense box, NOTHING passed through; all the internet activity was blocked. But from my PC, when I ping the router (gateway) at 10.169.92.1 it replies back, but when I enter a URL address in the browser, the page does not load. Also the network icon (Win7) has a yellow triangle: no internet connection.
            Probably some firewall rules block everything.
            First I need to allow everything in order to work, and then I could start blocking.
            When I check the logs, everything is blocked.
            The rules that triggered the block action are:
            1. @1 scrub in on xl0 all fragment reassemble
            2. @1 block drop in log all label "Default deny rule"
            Which is the default deny rule that always applies?
            I am attaching 2 images of the rules at the WAN and LAN cards. One I added myself from the logs.

            pfsense_lan.jpg
            pfsense_wan.jpg

            • Cry Havok

              Please try disabling the 2 blocking rules.

              • wallabybob

                @Cry:

                Please try disabling the 2 blocking rules.

                Do those blocking rules come from enabling Block private networks on the corresponding interface?

                • verylife78

                  @CryHavok Which 2 blocking rules do I have to disable?
                  @wallabybob Block private networks is disabled on both LAN and WAN interfaces, because my network is 10.xxx.xxx.xxx, but Block bogon networks is enabled.
                  Thanks for the help, people. My organization, if the firewall works, will not spend 8.500 euro for a firewall appliance.

                  • Cry Havok

                    You only have 2 blocking rules - the ones with the red boxes next to them.

                    • Metu69salemi

                      If you have bogon networks on both sides, isn't that against the block bogon rules, like Cry Havok is trying to say???

                      • wallabybob

                        Recently I read news that all IPv4 addresses had been allocated to regional NICs. That would seem to mean that there are no bogon networks. This suggests that "block bogon networks" might be in untested territory. (I'm not familiar with the internals of the firewall. In a firewall rule "empty set" might have the same representation as "don't care" which, in the displayed rules, would end up blocking everything.)

                        I suggest you also disable the Block bogon networks and see what happens to your firewall rules, traffic and firewall logs. You will probably also need to reset the firewall states to make sure the rule changes take effect.

                        • Cry Havok

                          The bogon list (as tracked by Team Cymru) still contains a number of IP ranges, so it isn't empty:

                          0.0.0.0 255.0.0.0
                          10.0.0.0 255.0.0.0
                          127.0.0.0 255.0.0.0
                          169.254.0.0 255.255.0.0
                          172.16.0.0 255.240.0.0
                          192.0.0.0 255.255.255.0
                          192.0.2.0 255.255.255.0
                          192.168.0.0 255.255.0.0
                          198.18.0.0 255.254.0.0
                          198.51.100.0 255.255.255.0
                          203.0.113.0 255.255.255.0
                          224.0.0.0 224.0.0.0

                          • wallabybob

                            Interesting. It seems "bogon" is not well defined. Wikipedia (in http://en.wikipedia.org/wiki/Bogon_filtering) says: "Bogons are not the same as reserved private address ranges, such as 10.x.x.x and 192.168.x.x, which are reserved for private networks.[1]"

                            How does pfSense define bogons?

                            • verylife78
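The two points raised above (stephenw10's: the default LAN rule only passes traffic from the LAN interface's own subnet; Cry Havok's: the Team Cymru bogon list contains 10.0.0.0/8, so a 10.x source is a bogon) can be checked against each other with a small simulation. The following is an added example, not code from the thread or from pfSense. It assumes that pfSense's bogon table matches the Team Cymru list quoted above, that "Block private networks" covers the three RFC 1918 ranges, and that the interface block options are evaluated before the user rules with first-match semantics; the LAN subnet 192.168.1.0/24, the host 10.169.92.50 and the rule labels are constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple, Sequence, Tuple

# Constructed data: the Team Cymru bogon list exactly as quoted in the thread,
# as (network, dotted netmask) pairs. That pfSense's own bogon table matches
# this list is an assumption, not something the thread establishes.
CYMRU_BOGONS = [
    ("0.0.0.0", "255.0.0.0"),
    ("10.0.0.0", "255.0.0.0"),
    ("127.0.0.0", "255.0.0.0"),
    ("169.254.0.0", "255.255.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.0.0.0", "255.255.255.0"),
    ("192.0.2.0", "255.255.255.0"),
    ("192.168.0.0", "255.255.0.0"),
    ("198.18.0.0", "255.254.0.0"),
    ("198.51.100.0", "255.255.255.0"),
    ("203.0.113.0", "255.255.255.0"),
    ("224.0.0.0", "224.0.0.0"),
]

# RFC 1918 ranges; assumed here to be what "Block private networks" covers.
RFC1918 = [
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
]


def to_networks(pairs: Sequence[Tuple[str, str]]) -> List[ipaddress.IPv4Network]:
    """Turn (address, dotted-netmask) pairs into IPv4Network objects."""
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=False) for addr, mask in pairs]


BOGONS = to_networks(CYMRU_BOGONS)
PRIVATE = to_networks(RFC1918)


def matches(ip: str, nets: Sequence[ipaddress.IPv4Network]) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


class Rule(NamedTuple):
    action: str                    # "pass" or "block"
    source: ipaddress.IPv4Network  # source network the rule matches
    label: str                     # label shown in the firewall log


def evaluate(src_ip: str, block_private: bool, block_bogons: bool,
             rules: Sequence[Rule]) -> Tuple[str, str]:
    """Simulate one interface's inbound ruleset for a packet from src_ip.

    Assumed ordering (a simplification of how pfSense builds its ruleset):
    the interface's "Block private networks" and "Block bogon networks"
    rules are evaluated first, then the user rules in order with first-match
    semantics, and finally the implicit default deny.
    """
    if block_private and matches(src_ip, PRIVATE):
        return ("block", "Block private networks")
    if block_bogons and matches(src_ip, BOGONS):
        return ("block", "Block bogon networks")
    for rule in rules:
        if ipaddress.ip_address(src_ip) in rule.source:
            return (rule.action, rule.label)
    return ("block", "Default deny rule")


# Constructed: pfSense's out-of-the-box LAN subnet and its single default rule.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DEFAULT_LAN_RULES = [Rule("pass", LAN_NET, "Default allow LAN to any rule")]
# Constructed: the "allow everything first, block later" rule the poster wants.
ALLOW_ALL_RULES = [Rule("pass", ipaddress.ip_network("0.0.0.0/0"), "allow all (troubleshooting)")]


def scenarios(src_ip: str = "10.169.92.50") -> dict:
    """Run the four combinations the thread discusses for one source host.

    10.169.92.50 is a constructed host on the poster's 10.169.92.0/24 segment.
    """
    return {
        "default LAN rule, bogons on":  evaluate(src_ip, False, True, DEFAULT_LAN_RULES),
        "default LAN rule, bogons off": evaluate(src_ip, False, False, DEFAULT_LAN_RULES),
        "allow all, bogons on":         evaluate(src_ip, False, True, ALLOW_ALL_RULES),
        "allow all, bogons off":        evaluate(src_ip, False, False, ALLOW_ALL_RULES),
    }


if __name__ == "__main__":
    for name, (action, label) in scenarios().items():
        print(f"{name:30s} -> {action:5s} ({label})")
```

Under these assumptions the simulation shows two separate causes of "everything is blocked": with the default LAN rule, a 10.169.92.x source is not in the LAN subnet and falls through to the default deny even with bogon blocking off, and with bogon blocking on, the 10.0.0.0/8 entry drops the traffic before any user rule, so an "allow all" rule cannot rescue it. Checking which label appears in the firewall log tells the two apart.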

                              I disabled all the bogon options and decided to do a reboot. :P
                              The system rebooted; I see the logon screen, but I can't connect to the pfSense machine, nor can I ping the router or any other IP on my network from the pfSense machine.
                              Any ideas??

                              PS: I did all the obvious checks: the cable, whether the port is OK, whether the switch port is OK, whether the switch is OK; the LAN card has both lights, amber on and green flashing.

                              • wallabybob

                                Have you acted on this observation:
                                @stephenw10:

                                Looking at your screen grab I see that your firewall is blocking traffic on LAN all of which is coming from a different subnet. If you have only the default LAN allow rule you will have to edit it or add more rules to allow traffic from a different subnet.

                                Start with the simplest configuration: can you connect to the web GUI from a machine on the same subnet as your LAN interface? If not, how are you trying to connect? (ssh?, http? ping? etc) What response do you get? (timeout? no route to host? etc) Can you connect (by ssh, ping, telnet etc) from the pfSense console to a machine on the same subnet as your LAN interface?

                                Does it make a difference if you specify the target of the connect attempt by IP address rather than name (or name rather than IP address)?

                                In short, a bit more information about what you are trying to do and where you are trying to do it would help those attempting to help you solve the problem. The information about cables and NIC lights was useful.

                                • verylife78

                                  The problem is that when I define a static IP on the WAN interface and reboot, I can't access the web GUI, nor SSH. From the machine I can't ping anything.
                                  BUT when I change the static WAN IP to dynamic, everything is OK.
                                  I still haven't moved the machine to its place, so it is not connected to the router.

                                  • Cry Havok

                                    If this is a transparent firewall, why are you assigning IP addresses to the LAN and WAN interfaces? A transparent firewall doesn't have IP addresses on its LAN or WAN.

                                    • verylife78

                                      @Cry:

                                      If this is a transparent firewall, why are you assigning IP addresses to the LAN and WAN interfaces? A transparent firewall doesn't have IP addresses on its LAN or WAN.

                                      Yes, this is going to work as a transparent firewall...
                                      Do you mean that I don't have to set up an IP on either LAN or WAN? And then how am I going to access the web GUI?

                                      • Cry Havok

                                        Traditionally through a third interface.

                                        • verylife78

                                          Am I going to assign a DHCP type of connection on both LAN and WAN?
                                          Can you be more specific about what needs to be done?

                                          • Cry Havok

                                            The traditional method of managing a transparent firewall is to have 3 interfaces. Two are used for the transparent firewall; neither has an IP address. The third is used for management and has an IP address.

                                            I haven't done this with 2.0 so can't say for certain that this is how you have to manage 2.0 in transparent mode.

                                            It would probably be sensible at this point for you to complete your testing using a virtual environment. Then you don't have to keep interrupting the network traffic to find out if your latest change has worked.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.