Need some quick help
-
I am a very fresh user to this firewall distro and firewalling in general. So, that stated, here goes…
My plan for my pfSense firewall is to have a LAN, a Wireless Access Point interface, and a DMZ. I'm not sure how to allow access to the internet from all interfaces (unless I'm just missing something). I have three NICs and one built-in NIC. Here's an overview of my setup. It's a fresh install, so I know I need to modify things to make it work (which I have, I just can't seem to figure it out).
WAN -> DHCP
LAN -> 10.10.1.0/16
DMZ -> 10.10.2.0/16
WAP -> 10.10.3.0/24
All the interfaces are statically assigned to .254 in whatever range they belong to. I've heard that pfSense has NAT set up to allow all the interfaces access to the internet and to each other, and all I have to do is set up firewall rules. I've tried allowing things and it never seems to work (i.e. allowing LAN to access DMZ so I can manage my DMZ boxes through LAN without allowing DMZ access to the LAN). So I'm not sure if I have a backwards idea of what I need to do or if I'm just crazy.
Thanks
-
I don't know if it's just a typo, but your subnet mask for LAN & DMZ seems to be off:
If you are going to use consecutively numbered networks under 10.10.x.y, the netmask should be /24, i.e.
WAN -> DHCP
LAN -> 10.10.1.0/24
DMZ -> 10.10.2.0/24
WAP -> 10.10.3.0/24
-
Ah yes. I'm at work so I've got subnets floating around in my head.
-
As has already been pointed out, you need to change addresses OR masks or both on your interfaces so they are all in different networks. Because you have a broken configuration, some things will not work. You need to fix the configuration, then retest to see if you still have the same issues.
@The:
I've heard that pfSense has NAT set up to allow all the interfaces access to the internet and to each other
Not so: default configuration allows ALL access attempts FROM computers on LAN and BLOCKS all access attempts FROM computers on other interfaces.
@The:
I've tried allowing things and it never seems to work (i.e. allowing LAN to access DMZ so I can manage my DMZ boxes through LAN without allowing DMZ access to the LAN). So I'm not sure if I have a backwards idea of what I need to do or if I'm just crazy.
Default rules allow this. However it depends what you mean by "manage my DMZ". If that means JUST web access from LAN to DMZ it should work (after you have fixed your broken configuration). However if "manage my DMZ" means you have to allow a system on the DMZ to initiate a connection to a computer on the LAN (for example, to email a report) then you will need rule(s) on the DMZ interface to allow that particular access to LAN.
-
You need to change addresses OR masks or both on your interfaces so they are all in different networks.
Again, lots of numbers floating around and /16 came out. They are all /24 networks, 10.10.x.y.
Not so: default configuration allows ALL access attempts FROM computers on LAN and BLOCKS all access attempts FROM computers on other interfaces.
So all interfaces ALLOW their networks access to the internet but DO NOT allow access to each other's networks?
Edit: after reading that a little slower, I'm understanding that LAN can access everyone on the network (WAP and DMZ) but the other interfaces cannot access LAN. Please correct me if I'm wrong.
Default rules allow this. However it depends what you mean by "manage my DMZ". If that means JUST web access from LAN to DMZ it should work (after you have fixed your broken configuration). However if "manage my DMZ" means you have to allow a system on the DMZ to initiate a connection to a computer on the LAN (for example, to email a report) then you will need rule(s) on the DMZ interface to allow that particular access to LAN.
My definition of "manage my DMZ" is accessing the servers over SSH, or RDP if I use Windows later on. Same goes for my WAP interface, so I can access the AP and configure it from the LAN interface.
-
@The:
Not so: default configuration allows ALL access attempts FROM computers on LAN and BLOCKS all access attempts FROM computers on other interfaces.
So all interfaces ALLOW their networks access to the internet but DO NOT allow access to each other's networks?
Edit: after reading that a little slower, I'm understanding that LAN can access everyone on the network (WAP and DMZ) but the other interfaces cannot access LAN. Please correct me if I'm wrong.
Your interpretation after the slower reading is almost correct: it should read … but the other interfaces cannot access any other networks. Take a look at the hint on the Firewall -> Rules page: Everything that isn't explicitly passed is blocked by default.
@The:
My definition of "manage my DMZ" is accessing the servers over SSH, or RDP if I use Windows later on. Same goes for my WAP interface, so I can access the AP and configure it from the LAN interface.
If I recall correctly, SSH servers can require some tweaking to allow access. Your AP may require some tweaking to allow management access from your LAN.
-
Your interpretation after the slower reading is almost correct: it should read … but the other interfaces cannot access any other networks. Take a look at the hint on the Firewall -> Rules page: Everything that isn't explicitly passed is blocked by default.
Thank you for the clarification. This helps IMMENSELY.
If I recall correctly, SSH servers can require some tweaking to allow access. Your AP may require some tweaking to allow management access from your LAN.
I was figuring it would be difficult to manage an AP from the WAN. SSH should go through if I can just ping the server I have on the DMZ.
-
@The:
I was figuring it would be difficult to manage an AP from the WAN.
The couple of standalone APs I have configured have had configuration options to allow management from WAN interface. It is normally recommended to connect pfSense to one of the LAN ports on a standalone AP: see http://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense
-
Some higher-end APs don't mind where they are configured from, if you have given them knowledge of a GW. Without it, HTTP traffic doesn't know the route to outside of its own subnet.
An SSH connection is still possible to use from a different LAN/WAN, though.
-
Thanks for the link. It'll come in handy for sure. Another issue. On my DMZ I have one box with IP 10.10.2.100. The interface IP is 10.10.2.254. I can ping the box with the pfSense ping tool, but I cannot ping the box from my LAN interface, and my DMZ box cannot ping the pfSense box. I'm guessing the initial ping request goes out but the reply is blocked from returning. Is this correct?
-
@The:
On my DMZ I have one box with IP 10.10.2.100. The interface IP is 10.10.2.254. I can ping the box with the pfSense ping tool, but I cannot ping the box from my LAN interface
The ping from pfSense will have a source address on the DMZ. When the server replies the reply goes back to a system on the same network.
When you ping the DMZ server the reply needs to go to a different network (the pfSense LAN network). Does the DMZ server have a suitable default gateway on its network OR a route to the pfSense LAN network?
@The:
my DMZ box cannot ping the pfSense box.
As discussed earlier, this access will be blocked unless you have added a rule on the DMZ interface to allow it. The pfSense box has multiple IP addresses. Does the DMZ box have a route to get to the ping target IP address?
The firewall log is often a useful source of troubleshooting information (see Status -> System Logs, click on the Firewall tab). Another useful troubleshooting tool is packet capture: for both these problems packet capture can be used to see if packets arrive on a particular interface or leave a particular interface.
-
Does the DMZ server have a suitable default gateway on its network OR a route to the pfSense LAN network?
Its gateway is the DMZ interface IP (10.10.2.254). As far as routes, that's something I am not sure how to check. There are no inter-network routes in the Diagnostic -> Routes table.
The firewall log does show the ICMP broadcast is being blocked. Would allowing ICMP to pass through to the LAN be a large security hole?
-
@The:
Does the DMZ server have a suitable default gateway on its network OR a route to the pfSense LAN network?
Its gateway is the DMZ interface IP (10.10.2.254). As far as routes, that's something I am not sure how to check. There are no inter-network routes in the Diagnostic -> Routes table.
If the DMZ server has a valid default gateway (and that sounds valid) then it doesn't need a route.
@The:
The firewall log does show the ICMP broadcast is being blocked. Would allowing ICMP to pass through to the LAN be a large security hole?
Blocked on what interface and under what circumstances? (If the ping is initiated from LAN then the firewall should create a "temporary rule" to allow the ping responses. This is true of all "connections", not just pings.) As to whether ICMP would be a large security hole, I wouldn't think so for my home network, but I don't have security responsibility for your network. Perhaps you could allow it for a little while for your own testing, then block it and see who complains.
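The behaviour the replies above describe, modelled as an added example (not pfSense code): interfaces must not overlap (the /16 mistake), LAN passes everything, DMZ and WAP pass nothing until a rule is added on that interface, and replies to an allowed connection ride on the state the first packet created. The Firewall class, rule format and all addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

def as_networks(spec):
    """{'LAN': '10.10.1.0/24', ...} -> networks; host bits tolerated, so 10.10.1.0/16 is 10.10.0.0/16."""
    return {name: ip_network(cidr, strict=False) for name, cidr in spec.items()}

def overlapping_interfaces(ifaces):
    """Pairs of interfaces whose networks overlap; such a configuration is broken."""
    names = list(ifaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifaces[a].overlaps(ifaces[b])]

def interface_of(ip, ifaces):
    """Interface a packet with this source address arrives on (WAN if none match)."""
    ip = ip_address(ip)
    return next((name for name, net in ifaces.items() if ip in net), "WAN")

class Firewall:
    """Per-interface pass rules with default deny, plus a state table so replies
    to an allowed connection pass without any rule on the reply's interface."""
    def __init__(self, ifaces, rules):
        self.ifaces, self.rules, self.states = ifaces, dict(rules), set()

    def allow(self, src, dst, proto, port=None):
        if (dst, src, proto, port) in self.states:  # reply to a flow we already passed
            return True
        for r in self.rules.get(interface_of(src, self.ifaces), []):
            if (r["dst"] == "any" or ip_address(dst) in ip_network(r["dst"])) \
                    and r["proto"] in ("any", proto) and r["port"] in (None, port):
                self.states.add((src, dst, proto, port))  # the "temporary rule" for replies
                return True
        return False  # nothing explicitly passed it, so it is blocked

# Constructed topology from the thread with the corrected /24 masks.
INTERFACES = as_networks({"LAN": "10.10.1.0/24", "DMZ": "10.10.2.0/24", "WAP": "10.10.3.0/24"})
# Stock rule set: LAN may reach anything; DMZ and WAP have no pass rules at all.
DEFAULT_RULES = {"LAN": [{"dst": "any", "proto": "any", "port": None}]}

def demo():
    fw = Firewall(INTERFACES, DEFAULT_RULES)
    out = {
        "lan_ssh_to_dmz": fw.allow("10.10.1.200", "10.10.2.100", "tcp", 22),
        "dmz_ssh_reply": fw.allow("10.10.2.100", "10.10.1.200", "tcp", 22),
        "dmz_initiates_to_lan": fw.allow("10.10.2.100", "10.10.1.200", "tcp", 25),
    }
    # Only an explicit pass rule on the DMZ interface lets the DMZ start a connection to LAN.
    fw.rules["DMZ"] = [{"dst": "10.10.1.0/24", "proto": "tcp", "port": 25}]
    out["dmz_to_lan_with_rule"] = fw.allow("10.10.2.100", "10.10.1.200", "tcp", 25)
    return out
```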
-
OK, so I reset everything to default, added the DMZ interface and changed nothing in the firewall rules. Still can't ping 10.10.2.100 from 10.10.1.100 on the LAN. It doesn't have any entries in the firewall logs, it just says host unreachable.
-
Host unreachable in this case probably means the link from the LAN system to pfSense is down OR the LAN system doesn't have a default gateway (hence it doesn't know where to send something destined for a system which isn't on its own network).
Does your LAN system have the correct IP address, gateway and DNS server?
-
/etc/network/interfaces
iface eth0 inet static
address 10.10.2.100
network 10.10.2.0
netmask 255.255.255.0
broadcast 10.10.2.255
gateway 10.10.2.254
Unless I'm wrong, then it does have a good IP setup. I'm getting a timeout. Host unreachable was my mistake.
-
I'll be more specific.
Here is my setup:
10.10.1.0/24
Internet ---> pfSense (LAN INT 10.10.1.254/24) ------> LAN --------> Home PC (10.10.1.200/24)
                 |
          DMZ INT (10.10.2.254/24)
                 |
                 |
          DMZ (10.10.2.0/24)
                 |
          Web Server (10.10.2.100/24)
When I try to ping from Home PC to Web Server:
Pinging 10.10.2.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.10.2.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
However, when I ping using the pfSense ping tool:
Ping output:
PING 10.10.2.100 (10.10.2.100) from 10.10.2.254: 56 data bytes
64 bytes from 10.10.2.100: icmp_seq=0 ttl=64 time=0.689 ms
64 bytes from 10.10.2.100: icmp_seq=1 ttl=64 time=0.372 ms
64 bytes from 10.10.2.100: icmp_seq=2 ttl=64 time=0.307 ms
--- 10.10.2.100 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.307/0.456/0.689/0.167 ms
Same story for pinging pfSense from my Home PC:
Pinging 10.10.1.254 with 32 bytes of data:
Reply from 10.10.1.254: bytes=32 time<1ms TTL=64
Reply from 10.10.1.254: bytes=32 time<1ms TTL=64
Reply from 10.10.1.254: bytes=32 time<1ms TTL=64
Reply from 10.10.1.254: bytes=32 time<1ms TTL=64
Ping statistics for 10.10.1.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
And for pinging my Home PC from pfSense:
Ping output:
PING 10.10.1.200 (10.10.1.200) from 10.10.1.254: 56 data bytes
64 bytes from 10.10.1.200: icmp_seq=0 ttl=128 time=0.446 ms
64 bytes from 10.10.1.200: icmp_seq=1 ttl=128 time=0.309 ms
64 bytes from 10.10.1.200: icmp_seq=2 ttl=128 time=0.316 ms
--- 10.10.1.200 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.309/0.357/0.446/0.063 ms
I can also ping pfSense from my Ubuntu Web Server:
PING 10.10.2.254 (10.10.1.254) 56(84) bytes of data.
64 bytes from 10.10.2.254: icmp_req=1 ttl=64 time=0.261 ms
64 bytes from 10.10.2.254: icmp_req=2 ttl=64 time=0.209 ms
This is a base pfSense install with the default Lan -> any rule being untouched.
Insert foot in mouth
Was on static IP with no gateway. Figured it would work for some reason. Set it to DHCP and it works.
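The lesson of the last post, and of the earlier question about the DMZ server's gateway, as an added example (not pfSense or OS code): a host with no default gateway never emits a packet for another subnet, so the firewall log stays empty and the ping simply times out. The route lookup below is a minimal longest-prefix match over host configurations constructed from this thread.

```python
from ipaddress import ip_address, ip_network

def host_routes(address_cidr, gateway=None):
    """Routing table a host derives from its interface config: the connected
    network is delivered directly; a default route exists only if a gateway is set."""
    local = ip_network(address_cidr, strict=False)
    routes = [(str(local), None)]            # on-link: no next hop needed
    if gateway:
        routes.append(("0.0.0.0/0", gateway))  # everything else via the gateway
    return routes

def lookup_route(dst, routes):
    """Longest matching prefix wins. Returns ("onlink", dst), ("via", gateway)
    or ("unreachable", None) when no route covers the destination."""
    dst = ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return ("unreachable", None)         # packet never leaves the host
    return ("via", best[1]) if best[1] else ("onlink", str(dst))

# Constructed cases taken from the thread.
NO_GATEWAY_PC = host_routes("10.10.1.200/24")                    # static IP, no gateway
PC_WITH_GATEWAY = host_routes("10.10.1.200/24", "10.10.1.254")   # after switching to DHCP
DMZ_SERVER = host_routes("10.10.2.100/24", "10.10.2.254")        # /etc/network/interfaces above

def explain(dst, routes):
    """Human-readable verdict for one destination, handy when comparing the cases."""
    kind, hop = lookup_route(dst, routes)
    return {"onlink": f"{dst} is on the local network, sent directly",
            "via": f"{dst} is off-net, sent to gateway {hop}",
            "unreachable": f"{dst} has no route: nothing is sent, nothing for the firewall to log"}[kind]
```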