Outbound traffic question

xatef

I appreciate it if anyone can help me with this.

I installed pfsense and I can't seem to make it block outbound traffic no matter what. I disabled all default Lan rules:  (default allow LAN to any rule ) + ( default allow LAN IPV6 to any rule) except the Anti-Lockout rule.
everything else is in default state.
now when I try to ping from pfsense's LAN to 8.8.4.4 (google's dns ) or from a pc that is on the same switch as pfsense's Lan NIC, I get a reply….
I don't understand why it is able to communicate out ???

pfsense :
-LAN: 192.168.11.58
-Wan: 172.168.0.2    (gw : 172.16.0.1)

this is how it is connected :
---Computer[192.168.11.1]–---switch------[Lan      pfsense    wan]–-----[Lan      Cisco router          Wan]–------------ISP---

thanks in advance for any suggestion or comment.

johnpoz

And you sure your PC on this 192.168.11.0/24 is pointing to pfsense as its gateway?  Or is using a different path?

You show a switch there -you sure pc is not directly talking to cisco router, does this cisco router have a connection to that switch?

What is the config on your pc?

what your saying if correct is the pfsense is routing and nat? but not doing any firewall rules?  Did you disable the firewall?  Do you have any rules on your floating tab?

xatef

the pc has the ip address of pfsens lan interface as its gateway.
no secondary path from the switch to the router.  I will attach a diagram.
Im NATing twice ( in pfsense ) and also on the cisco router
No floating rule
I didnt disable the firewall. I done a test where I ping from the router to 172.16.0.2 and I it gets stopped by pfsense rules (when removing the rule I get ping to pass).

The bottom attachment is the correct one. I made a mistake in the top one.

xatef

capture of my config (again)

Traceroute from the pc shows :

1 - 192.168.11.58
2 - 172.16.0.1
3 - IP address of my ISP's gateway
…
destination

johnpoz

what does your state table show?  Clear it when you change rules.

Here is how it should work, rule allows – see ping work, disable rule that allows and ping no work..

you should see your default block rule do a

pfctl -sa

From the prompt/ssh the drops are there first thing in the rules.  Its a large output, you might have to pipe it to more or something to stop the listing.

FILTER RULES:
scrub from any to <vpn_networks>max-mss 1400 fragment reassemble
scrub on vmx3f0 all fragment reassemble
scrub on vmx3f1 all fragment reassemble
scrub on vmx3f2 all fragment reassemble
scrub on vmx3f3 all fragment reassemble
anchor "relayd/" all
anchor "openvpn/" all
anchor "ipsec/*" all
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"

What do you have that nat in there for?  Nat overload?  Your set to automatic anyway, so I don't believe anything set there works if automatic - but what do you want to accomplish with that?

</vpn_networks>

xatef

thanks johnpoz for your help.
I spent so much time trying to figure this out and in the end I got it to work.
the machine hosting the firewall is a hyper-v box. I ended up separating the traffic used by pfsense from my other vlans/ networks  by giving pfsense its own NICs.

anyway at the end I got pfsense to work well. now I can start to learn more about it.

johnpoz

" I ended up separating the traffic used by pfsense from my other vlans/ networks  by giving pfsense its own NICs."

Ahh so your drawings of your physical network path was not accurate then.  Clearly should of mentioned the hyper-v setup from the get go ;)