How to allow only one computer from LAN to OPT interface

timthetortoise

Going from your LAN rules, you should be able to access your OPT network simply from

IPv4 *    LAN net    *    *    *    *    none         Default allow LAN to any rule 

How are you testing whether you are able to access it? The rule

allow IPv4+6 TCP/UDP    HOTSPOT net    *    LAN net    *    *    none         Allow LAN to HOTSPOT

in your OPT1 interface should not be in there if you want to block OPT1 traffic to LAN. Remember that firewall rules apply to incoming packets unless it's a floating outgoing rule. As it is set up now, the firewall should be passing traffic from LAN to OPT1, and vice versa. You likely have a problem elsewhere, most likely in either your testing methodology or your routing.

sujyo1

Thanks for reply timthetortoise.

''Going from your LAN rules, you should be able to access your OPT network''
That's the problem… I am able to go on 10.10.10.1 form LAN (desktop), but some how I can't access to my access point (10.10.10.4 access point IP) from LAN. There are no other rules there...

'' in your OPT1 interface should not be in there if you want to block OPT1 traffic to LAN ''
yes I want to block OPT1 to LAN.

'' You likely have a problem elsewhere, most likely in either your testing methodology or your routing ''
I am testing https://10.10.10.4 in browser to log in to my access point. also try http://10.10.10.4 but no luck
If I use https://10.10.10.1 then pfsense log in page show up.

If you need other info please let me know...Thanks

timthetortoise

Is your default gateway set on the access point?

sujyo1

''Is your default gateway set on the access point?''

Here is my set up…

ISP (cable)

---

Cisco modem+router(DPC3825 DOCSIS 3.0 Wireless) set wire less off & dhcp enable 192.168.0.1

---

pfsense box WAN set to auto ip

---

LAN 192.168.1.1/24 connected to netgear managed 8 port gigabit switch GS108T-v2 for all hardwire 2 computers, dvr, tv

---

OPt1 10.10.10.1/24 captive portal enable connected to netgear gigabit switch GS108 for all wireless 4 engenius access points ECB600 set to static ip 10.10.10.2,3,4,5

---

pfsense packages installed

Cron Services Available: 0.1.8 Installed: 0.1.7

iperf Network Management 2.0.5

pfBlocker Firewall 1.0.2

Sarg Network Report  Installed: 2.3.6 pkg v.0.6.3

squid  Network 2.7.9 pkg v.4.3.3

Thanks…

timthetortoise

Again, what is the default gateway on your access points? If it's not 10.10.10.1, they will not be able to communicate with your 192.168.1.x network.

sujyo1

''Again, what is the default gateway on your access points? If it's not 10.10.10.1, they will not be able to communicate with your 192.168.1.x network.''

YES all access point's default gateway is set to 10.10.10.1

access point set up

IP: 10.10.10.2
DHCP: disable
subnet: 255.255.255.0
default gateway: 10.10.10.1
dns: 10.10.10.1

thanks…

sujyo1

I am able to login into pfsense box from my desktop if i type https://10.10.10.1
I am able to ping access point 10.10.10.4 form my desk top !! but can't login in to access point!!

l3lu3

When you try to browse to 10.10.10.4 what is the error given? Timeout? Rejected?

sujyo1

Using Chrome

Oops! Google Chrome could not connect to 10.10.10.4

Try reloading: 10.­10.­10.­4

Using IE

This page can't be displayed

•Make sure the web address http://10.10.10.4 is correct.
•Look for the page with your search engine.
•Refresh the page in a few minutes.

Fix connection problems

sujyo1

Pfsense box LAN interface is set to https
OPT1 interface is set to https but on OPT1 interface the Captive Portal is set to http.

Is this set up can cause this problem??

sujyo1

Please….any pf guru help me on this issue this is real headache for me. trying since 3 days!
I remove all rules just keep the basic rules then restart box still can't log in in to access point!!!

timthetortoise

Download nmap and do a port scan of the access point. Make sure HTTPS is actually showing up. If it's not, but other ports are and/or you can ping it without any special rules, you've got a problem not related to pfSense.

sujyo1

Thanks for reply…run scan interface-any, scan method-tcp, (can't run scan method-SYN)
also I set LAN & OPT1 both to http

Running: /usr/local/bin/nmap  -sT '10.9.88.2'

Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-12 14:50 CST
Nmap scan report for 10.9.88.2
Host is up (0.0037s latency).
Not shown: 998 closed ports
PORT  STATE SERVICE
23/tcp open  telnet
80/tcp open  http
MAC Address: xx:xx:xx:xx:xx:xx(Senao International Co.)

Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds

timthetortoise

So since port 443 isn't open, why would you be able to connect to HTTPS? Try to connect to http://10.10.10.4

sujyo1

Thanks for reply…

Finally I have found the answer...my captive portal was the problem... so I just allow(pass through) my desktop's mac & adress in to captive portal setting and done...Thank you guys for your help

timthetortoise

Unless you have settings on your client machine that you're not revealing, don't know what to tell you. Good luck with it.

sujyo1

Thanks for quick reply timthetortoise…

Finally I have found the answer...my captive portal was the problem... so I just allow(pass through) my desktop's mac & adress in to captive portal setting and done...Thank you for your help