Netgate Discussion Forum

Firewall blocks Nexus 7 in LAN

19 Posts 2 Posters 4.0k Views
  • M
    mrsunfire
    last edited by Aug 31, 2013, 9:01 PM Aug 31, 2013, 8:51 PM

    Hi!

    I'm using my Nexus 7 in LAN, connected via WLAN. If I want to upload files from a PC in LAN using app AirDroid, I also get some errors on firewall logs, see below.
    Normally, every access from LAN to LAN should be allowed. If I check "Easy rule: pass this traffic" it still won't work and shows me another source port.
    If I'm using the Server who provides my WLAN access point, I can upload everything. Reading from N7 via AirDroid also is working.

    What's the problem? What can I do to allow all that traffic?

    EDIT:

    I forgot. I'm routing from my LAN net (192.168.1.0/24) into the WLAN network (192.168.0.0/24) via the server in LAN (192.168.1.10).

    1    <1 ms    <1 ms    <1 ms  pfsense.net [192.168.1.1]
    2    <1 ms    <1 ms    <1 ms  Server.net [192.168.1.10]
    3    42 ms    5 ms    3 ms  tablet.net [192.168.0.9]

    fw1.jpg

    Netgate 6100 MAX

    • K
      kathampy
      last edited by Sep 2, 2013, 5:06 AM Sep 2, 2013, 5:03 AM

      If you're routing between LAN and WLAN using something other (192.168.1.10) than the default gateway (192.168.1.1) then you need either:

      1. Static routes on the clients on both LAN and WLAN to each other via 192.168.1.10.

      OR

      2. Static routes on the default gateways of LAN and WLAN to each other via 192.168.1.10.

      If you're using #2, you need appropriate firewall rules on the default gateways. In either case this is bad architecture and you should just use pfSense to route between LAN and WLAN and use pfSense as the default gateway for both.

      • M
        mrsunfire
        last edited by Sep 2, 2013, 9:43 AM

        Hm yes, I've setup a second gateway (192.168.1.10)
        Maybe I'm blind, but where can I set static routes in pfsense? I don't want to setup them on the clients. Just share the DNS server (pfsense) via DHCP to the clients.

        Netgate 6100 MAX

        • K
          kathampy
          last edited by Sep 2, 2013, 9:46 AM Sep 2, 2013, 9:45 AM

          You can also send the default gateway and additional static routes to clients using DHCP option 121. If you have two gateways, do this to prevent unnecessary load on pfSense. You must mention the default gateway in addition to any static routes in DHCP option 121.

          Better yet, stop using a separate gateway and use pfSense as a router.

          • M
            mrsunfire
            last edited by Sep 2, 2013, 11:24 AM

            I know, but the problem is I need the Gateway 192.168.1.10 cause on this server is my access point for private WLAN. So only he knows the clients of his WLAN.

            It's like this:

            WLAN ------------------------ Server --------- pfSense ------------ LAN Clients
            192.168.0.0/24        192.168.1.10        192.168.1.1        192.168.1.0/24

            Netgate 6100 MAX

            • K
              kathampy
              last edited by Sep 2, 2013, 11:28 AM Sep 2, 2013, 11:25 AM

              Just plug the access point into another interface on pfSense if you really want it on a separate ethernet network.

              • M
                mrsunfire
                last edited by Sep 2, 2013, 11:49 AM Sep 2, 2013, 11:47 AM

                This might be an idea. But what will it change? The server is the access point, but also a server for HTTP and so on. So I would also need it as gateway because pfSense doesn't know about the WLAN net.
                Don't forget, all other WLAN devices work fine. It's only with the Nexus and while uploading files to it with the AirDroid app.
                What do the firewall blocks say to you? For me there is no reason to block.

                Netgate 6100 MAX

                • K
                  kathampy
                  last edited by Sep 2, 2013, 11:51 AM Sep 2, 2013, 11:49 AM

                  pfSense will know when you plug the AP into another interface and give it an IP address of 192.168.0.1/24. Then plug the private interface of the server into the AP as well.

                  Android follows network spec more strictly than others (e.g. it breaks if you don't include the default gateway in DHCP option 121). It will break if your setup is invalid, which it is.

                  • M
                    mrsunfire
                    last edited by Sep 2, 2013, 11:51 AM

                    I can't, because the AP uses the connection from the server and doesn't have its own. Please read the edit of my previous post.

                    Netgate 6100 MAX

                    • K
                      kathampy
                      last edited by Sep 2, 2013, 11:52 AM

                      What kind of access point is it?

                      • M
                        mrsunfire
                        last edited by Sep 2, 2013, 11:54 AM

                        An ASUS PCI-E WLAN network card. If I'm right it's the PCE-N53.

                        Netgate 6100 MAX

                        • K
                          kathampy
                          last edited by Sep 2, 2013, 11:55 AM

                          Plug the AP, server's private interface and a new pfSense interface into a switch. Plug the server's LAN interface, pfSense's LAN interface and LAN clients into another switch. That is all. Use pfSense as the default gateway for everything.

                          • K
                            kathampy
                            last edited by Sep 2, 2013, 11:56 AM

                            @mrsunfire:

                            An ASUS PCI-E WLAN network card. If I'm right it's the PCE-N53.

                            Then just plug it into pfSense. Problem solved. You don't need to do anything else other than create firewall rules for the private WLAN.

                            • K
                              kathampy
                              last edited by Sep 2, 2013, 11:58 AM

                              You could also enable VLANs on the server and trunk the AP and LAN to pfSense on separate LAN and WLAN interfaces over the single LAN cable.

                              • M
                                mrsunfire
                                last edited by Sep 2, 2013, 11:59 AM

                                I can't. The network card doesn't have its own network connection. It's using the connection from the server to pfSense. That's why I have another network. Maybe I should buy a network card with an RJ45 connection.
                                Don't know if VLAN would work on a Windows XP machine.

                                Netgate 6100 MAX

                                • K
                                  kathampy
                                  last edited by Sep 2, 2013, 12:01 PM

                                  See my 2nd last post. Plug the wireless card directly into pfSense.

                                  • M
                                    mrsunfire
                                    last edited by Sep 2, 2013, 12:05 PM

                                    How, without an Ethernet connection? The card only has PCI-E.
                                    http://www.asus.com/Networking/PCEN53/

                                    Netgate 6100 MAX

                                    • K
                                      kathampy
                                      last edited by Sep 2, 2013, 12:07 PM

                                      Plug the card into pfSense and remove it from the server!

                                      • M
                                        mrsunfire
                                        last edited by Sep 2, 2013, 12:09 PM

                                        Ah lol ok, I understood ;). I don't prefer that, because there is already my public WLAN (Hotspot) and not enough space.
                                        Maybe it's an idea to install a second network card in the server and connect it with pfSense, and bridge that to the WLAN card?!

                                        Netgate 6100 MAX
