Set up questions
-
I need help quickly so my wife can have the internet back.
I upgraded to pfsense 2.0rc3 but did some network changing after it upgraded.
So now I can't access the internet on my LAN PCs.
My WAN is DHCP and can ping google.com successfully.
My LAN is static 192.168.26.129/28.
DHCP server is enabled on the LAN, with a range of 192.168.26.130 - 192.168.26.135.
The LAN NIC goes into a wireless AP with an address of 192.168.26.136. I can ping google.com via diagnostics on pfSense from the LAN interface and can access the web configurator from a LAN PC.
But when trying to ping 192.168.26.129 from diagnostics on the wireless AP or a LAN PC, it fails. Please help!
-
I figured it out… I create a rule of:
PASS if=LAN proto=ANY src=ANY dst=ANY
I don't believe I needed this in the past, why do I need it now? I thought LAN was assumed to have access without additional rules?
-
I figured it out… I create a rule of:
PASS if=LAN proto=ANY src=ANY dst=ANY
I don't believe I needed this in the past, why do I need it now? I thought LAN was assumed to have access without additional rules?
1. Your network changing "broke something" temporarily - perhaps you changed IP addresses or network masks and your DHCP clients didn't renew their leases.
2. It did when I upgraded some months ago.
-
So in your set up wallaby, do you have a rule similar to the one I created?
I feel like that just opened/exposed my LAN network a lot.
-
So in your set up wallaby, do you have a rule similar to the one I created?
Yes, but it is the Default allow LAN to any rule.
I feel like that just opened/exposed my LAN network a lot.
Firewall rules apply on the input side of an interface. Hence adding a PASS rule to the LAN interface potentially allows computers on the LAN interface to access computers that may have been blocked previously; it doesn't allow more computers to access your LAN computers.
-
I feel dumb for asking this and I really appreciate your patience with me wallabybob.
How does it not allow other computers (outside the LAN network) to see my LAN computers? If I leave the rule I made last night, which basically says allow anything to pass into the LAN interface, doesn't that open it up to unwanted access from the outside, or is that stopped by the WAN rules and/or the pfSense logic of separating networks by interface?
Thanks again so much for your time and help!
-
I feel dumb for asking this and I really appreciate your patience with me wallabybob.
No problem. We were all beginners once.
How does it not allow other computers (outside the LAN network) to see my LAN computers? If I leave the rule I made last night, which basically says allow anything to pass into the LAN interface, doesn't that open it up to unwanted access from the outside, or is that stopped by the WAN rules and/or the pfSense logic of separating networks by interface?
Interface firewall rules apply only on entry into the firewall on that interface.
Suppose you have a firewall with WAN, LAN and OPT1. A computer on OPT1 attempts to access a computer on LAN. If the access attempt passes the interface rules on OPT1 it goes straight through - the interface rules on LAN are not consulted.
-
Need help! I set up my server box today and have it getting an address via DHCP right now to try and solve my issue (will be static in the future).
The problem is right now pfSense can't see the box. The server is directly connected to one of my pfSense NICs. The NIC's IP is 192.168.1.1/30; the DHCP range is from 192.168.1.2 to 192.168.1.2.
The server obtains the DHCP address correctly. I've added the PASS any, any, any rule on the 192.168.1.1 NIC. Still nothing.
Is there something special I need to do?
Thanks!
-
The problem is right now pfSense can't see the box. The server is directly connected to one of my pfSense NICs. The NIC's IP is 192.168.1.1/30; the DHCP range is from 192.168.1.2 to 192.168.1.2.
The server obtains the DHCP address correctly. I've added the PASS any, any, any rule on the 192.168.1.1 NIC. Still nothing.
Is there something special I need to do?
How is pfSense trying to "see" the server and what response is displayed when a "see" attempt is made?
Does your pfSense box have multiple interfaces in 192.168.1.1/30?
-
Okay, let me see if I can explain a little better.
I have an OPT NIC labeled "Server"; it has an address of 192.168.1.1/30. With that net the only hosts available in that range are 192.168.1.1 (in use by the NIC) and 192.168.1.2 (which is the address obtained by the server via DHCP).
Does your pfSense box have multiple interfaces in 192.168.1.1/30?
No, I do not have any interfaces with that same range.
The server is directly connected to the NIC via a crossover cable. When I say it can't see it I mean via PING. I use the diagnostics->ping from the web configurator and tell it to PING 192.168.1.2 from the "Server" interface and it responds with 3 timeouts/lost packets.
I also tried PINGING 192.168.1.1 from the server box and same result.
-
I also had a general question about firewall rules since I'm pretty sure that's what's stopping my server.
If I'm trying to BLOCK a computer based on a certain time schedule say on the OPT1 interface.
#1 I put the rule in the OPT1 interface tab correct? Not the WAN interface?
#2 When I put the rule in the OPT1 interface, do I put the computer IP as the source or the destination? If the firewall rules are only checked on packets coming INTO the interface I'd put the computer IP as the destination correct?
#3 If I'm correct on #2, what is an example of a time when the source would need to be filled in? Would that be like traffic flow from one network to another network in pfSense?
I ask these to answer the question of allowing internet only access. I would have a rule like:
PASS TCP/UDP Source:ANY Destination:ANY Port:80 to 80
Correct?
Thanks!
-
The server is directly connected to the NIC via a crossover cable. When I say it can't see it I mean via PING. I use the diagnostics->ping from the web configurator and tell it to PING 192.168.1.2 from the "Server" interface and it responds with 3 timeouts/lost packets.
The server configuration allows ping responses? Does a packet capture on the interface connected to the server show outgoing pings?
I also tried PINGING 192.168.1.1 from the server box and same result.
Have you checked the pfSense firewall log (Status -> System Logs, click on Firewall tab) to see if your ping attempt has been blocked by the firewall?
If I'm trying to BLOCK a computer based on a certain time schedule say on the OPT1 interface.
Interface firewall rules apply on entry of a particular access attempt to the firewall. Hence if you are trying to block access attempts by a computer on OPT1 you would use interface firewall rules on OPT1. If you are trying to block access attempts TO a computer on OPT1 you would specify interface firewall rules on the interface on which the access attempt arrives at the firewall.
If I'm trying to BLOCK a computer based on a certain time schedule say on the OPT1 interface.
#1 I put the rule in the OPT1 interface tab correct? Not the WAN interface?
#2 When I put the rule in the OPT1 interface, do I put the computer IP as the source or the destination? If the firewall rules are only checked on packets coming INTO the interface I'd put the computer IP as the destination correct?
#3 If I'm correct on #2, what is an example of a time when the source would need to be filled in? Would that be like traffic flow from one network to another network in pfSense?
You need to be precise. Do you mean you want to block access attempts TO a computer on OPT1 or do you mean you want to block access attempts FROM a computer on OPT1? In the following answers I'll assume you mean you want to block access TO a computer on OPT1.
#1. You need firewall rules on all interfaces on which the access attempt arrives at the firewall (could be both WAN and LAN and …)
#2. In the firewall rules source means origin of the access attempt, destination means target of the access attempt.
#3. You need to consider the set of rules for the interface, not just single rules. My ISP allocates me peak and off-peak download quotas for the month. If I go over quota my speeds are dropped considerably. My son does big games downloads. I want to block HIS access to the games servers in peak times. His computer is on LAN which has the standard allow LAN to any rule. As first rule on the interface I add a BLOCK rule to LAN to block access FROM his computer TO game servers in peak times. Any access from other computers doesn't match that rule and falls into the LAN default rule allowing access.
I ask these to answer the question of allowing internet only access. I would have a rule like:
PASS TCP/UDP Source:ANY Destination:ANY Port:80 to 80
Correct?
Again, you probably need to be a bit more precise:
1. internet only access: your rule wouldn't allow POP3 or IMAP or SMTP or ssh or telnet or ping or … and you probably don't want to specify a specific source port.
2. This rule needs to be interpreted in the context of other rules on the interface. It wouldn't be needed on the LAN interface if you have the default LAN rules but something like it would be needed on OPT1 if you wanted OPT1 computers to access the internet AND that access wasn't allowed by OPT1 rules further down the rule list.
-
The server configuration allows ping responses? Does a packet capture on the interface connected to the server show outgoing pings?
By this are you asking if my server responds to pings? I'm pretty sure it does because at one point I had it set up with a shared connection on my personal computer while I was setting it up and the pinging worked. I guess my other definition of "see" is that the server doesn't have internet access, but I don't think it's a firewall rule since I have the any rule and a diagnostics->ping didn't work.
Does a packet capture on the interface connected to the server show outgoing pings?
Haven't tried yet. Will try to set up packet capture and see what I can see.
Have you checked the pfSense firewall log (Status -> System Logs, click on Firewall tab) to see if your ping attempt has been blocked by the firewall?
Again, haven't tried yet, although this is difficult when I have to be in a completely different part of my house to access the server than to access my system logs and the system logs only hold the last 50 entries.
Your response helped me get a better understanding of firewall rules. I understand that I wasn't very precise and I also understand looking at rules within the context of all interfaces, but here's my question to clarify my understanding:
His computer is on LAN which has the standard allow LAN to any rule. As first rule on the interface I add a BLOCK rule to LAN to block access FROM his computer TO game servers in peak times. Any access from other computers doesn't match that rule and falls into the LAN default rule allowing access.
Why is it "FROM" (i.e. Source) and "TO" (i.e. Destination) on the LAN interface? I guess what I'm saying is if you're looking at when it arrives at the firewall I thought it was only coming into the LAN thus the rule doesn't make any sense, but if it's both going in and out then the rule makes sense. So instead of just doing a Destination rule to your son's computer (which would allow his attempts out to the internet, WAN), but be blocked on the way back in, you stop it from even going out the LAN, correct?
Thanks!
-
A TCP connection (say to send an email) has a special sequence to establish a connection and a special sequence to teardown a connection.
A flow is a data structure describing data transfer within a connection. It will normally have at least source IP, source port, destination IP and destination port. Thus a connection has two associated flows (because data can travel in both directions).
Simplified firewall processing - packet arrival at firewall:
Is there a flow for this packet?
  Yes - forward the packet.
  No - Is this a connection setup?
    No - discard packet
    Yes - Does this connection setup match an ALLOW rule for this interface?
      No - discard packet
      Yes - create flow for this direction of data transfer,
            create flow for reverse direction of data transfer,
            forward connection setup
His computer is on LAN which has the standard allow LAN to any rule. As first rule on the interface I add a BLOCK rule to LAN to block access FROM his computer TO game servers in peak times. Any access from other computers doesn't match that rule and falls into the LAN default rule allowing access.
Why is it "FROM" (i.e. Source) and "TO" (i.e. Destination) on the LAN interface? I guess what I'm saying is if you're looking at when it arrives at the firewall I thought it was only coming into the LAN thus the rule doesn't make any sense, but if it's both going in and out then the rule makes sense. So instead of just doing a Destination rule to your son's computer (which would allow his attempts out to the internet, WAN), but be blocked on the way back in, you stop it from even going out the LAN, correct?
The simplified firewall processing description says the firewall rules are consulted only on an attempt to setup a connection and if that attempt is allowed then the "back traffic" to the initiator of the connection is also allowed. The firewall rules apply to connection setup attempts. If my son wants to have a conversation with his games servers the firewall will see on the LAN interface a connection setup attempt FROM his computer TO a games server. If the firewall allows that connection attempt (and the target accepts it) then all traffic (both directions) on that connection is allowed.
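An added example, not from the thread and not pfSense's own code: a small Python model of the processing outlined above (rules consulted only on the ingress interface and only for connection setup, reply traffic admitted by the flow), run through the earlier LAN/WAN question and the son-to-game-server rule. Addresses, ports and the rule set are constructed for the demo, and NAT is ignored.

```python
# Toy model of stateful, per-ingress-interface rule processing (constructed example).
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str = "any"             # source IP or "any"
    dst: str = "any"             # destination IP or "any"
    dport: Optional[int] = None  # destination port, None = any port

class Firewall:
    def __init__(self, rules: Dict[str, List[Rule]]):
        self.rules = rules                  # rules per ingress interface, first match wins
        self.flows: Set[Tuple] = set()      # (src, sport, dst, dport) of allowed connections

    def packet(self, iface: str, src: str, sport: int, dst: str, dport: int, syn: bool) -> str:
        """Decide one packet arriving on `iface`; returns "forward" or "drop"."""
        key = (src, sport, dst, dport)
        if key in self.flows:               # existing flow: rules are not consulted at all
            return "forward"
        if not syn:                         # data for a connection that was never allowed
            return "drop"
        for r in self.rules.get(iface, []): # only the ingress interface's rules apply
            if r.src in ("any", src) and r.dst in ("any", dst) and r.dport in (None, dport):
                if r.action == "block":
                    return "drop"
                self.flows.add(key)                         # this direction
                self.flows.add((dst, dport, src, sport))    # reply direction
                return "forward"
        return "drop"                       # no rule matched: implicit default deny

def demo() -> Dict[str, str]:
    son, pc, game, outsider = "192.168.1.10", "192.168.1.20", "203.0.113.5", "198.51.100.9"
    fw = Firewall({
        "LAN": [Rule("block", src=son, dst=game),   # first rule: son's PC to the game server
                Rule("pass")],                      # then the "Default allow LAN to any" rule
        "WAN": [],                                  # no pass rules on WAN
    })
    return {
        "son_to_game": fw.packet("LAN", son, 40000, game, 27015, syn=True),        # drop
        "pc_to_game": fw.packet("LAN", pc, 40001, game, 27015, syn=True),          # forward
        "game_reply_to_pc": fw.packet("WAN", game, 27015, pc, 40001, syn=False),   # forward
        "outsider_to_pc": fw.packet("WAN", outsider, 4444, pc, 80, syn=True),      # drop
        "stray_data_to_son": fw.packet("WAN", game, 27015, son, 40000, syn=False), # drop
    }
```

The LAN pass rule never makes the outsider's packet pass because that packet arrives on WAN, whose rule list is consulted instead; the game server's reply is forwarded only because the allowed setup created the reverse flow.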