Can't allow just HTTP or HTTPS traffic out
-
I have a pretty fresh install of pfSense, updated to the latest version. I simply have 2 interfaces, my WAN and LAN. My WAN connects directly to my cable modem, and my LAN interface is assigned a 192.168.1.x address.
I have the default WAN blocks in place, bogon networks and private networks. Up until now, I've had the default LAN firewall rules in place, which were the anti-lockout rules and ANY rules. I've recently begun to start limiting internal ports, however in starting to do this, I seem to be running into a problem. Whenever I disable the default any to any rule on my LAN, and add rules to allow HTTP and HTTPS, I can't browse any sites at all. The configuration seems simple enough to me, but maybe I'm just being a little thick? I've attached a screenshot of the rules I've set up in hopes I can get some suggestions.
Thanks
-
Your client might also need TCP/UDP port 53 services, like DNS or something similar ;)
Try a simple modification to your firewall rules: add an ICMP rule so you can ping, and ping first something like 8.8.8.8 and www.google.com.
If the first one passes, ok, your ICMP rule works; if the other one works too then you don't need a DNS rule. BUT NOTICE that you'll need to ping from the client machine, not from the firewall.
-
That allows HTTP and HTTPS, if you strictly browse by IP. :) Have to allow DNS too, TCP/UDP 53.
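To make the two replies above concrete, here is an added example (not from this thread and not pfSense code) that models pfSense's top-down, first-match LAN rule evaluation with the implicit default deny, and runs the poster's HTTP/HTTPS-only rule set and the corrected set against the flows a browser actually generates. The client address 192.168.1.50 and the web server 203.0.113.10 are constructed placeholders; 8.8.8.8 is the resolver from the ping test.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of a pfSense LAN ruleset: rules are checked top to bottom,
# the first match wins, and a flow matching nothing hits the implicit default deny.

@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    proto: str                # "tcp", "udp", "icmp" or "any"
    src: str                  # source network in CIDR notation
    dst_port: Optional[int]   # destination port; None means any (ICMP has none)

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int]

def evaluate(rules, flow):
    """Return 'pass' or 'block' for one flow using first-match semantics."""
    for r in rules:
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if ip_address(flow.src) not in ip_network(r.src):
            continue
        if r.dst_port is not None and r.dst_port != flow.dst_port:
            continue
        return r.action
    return "block"  # implicit default deny at the end of every pfSense ruleset

LAN = "192.168.1.0/24"
# The poster's rule set: HTTP and HTTPS only.
HTTP_ONLY = [Rule("pass", "tcp", LAN, 80), Rule("pass", "tcp", LAN, 443)]
# The fix from the replies: DNS on TCP and UDP 53, plus ICMP for the ping test.
WITH_DNS = HTTP_ONLY + [Rule("pass", "tcp", LAN, 53), Rule("pass", "udp", LAN, 53),
                        Rule("pass", "icmp", LAN, None)]

# Constructed flows seen when a LAN client opens https://www.google.com.
FLOWS = {
    "dns query": Flow("udp", "192.168.1.50", "8.8.8.8", 53),
    "https": Flow("tcp", "192.168.1.50", "203.0.113.10", 443),
    "ping 8.8.8.8": Flow("icmp", "192.168.1.50", "8.8.8.8", None),
}

def verdicts(rules):
    """Map each flow name to the ruleset's verdict; the DNS query is what breaks browsing."""
    return {name: evaluate(rules, f) for name, f in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("HTTP/HTTPS only", HTTP_ONLY), ("with DNS + ICMP", WITH_DNS)):
        print(label, verdicts(rules))
```

With the first rule set the HTTPS flow passes but the name lookup is dropped, which is why browsing by hostname fails while browsing by IP would still work.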
-
::SMACKS FOREHEAD:: Duh! Exactly the problem. Once I enabled port 53, I was good. Thanks for both responses.
I was kind of following the basic guide at http://doc.pfsense.org/index.php/Example_basic_configuration and it didn't even mention opening port 53.
-
Glad to hear that.
-
"it didn't even mention opening port 53."
Does it really need to? And it does mention it in the outbound DMZ section:
If you use an external DNS server you will need to allow the computers to leave the network to connect to a DNS server.
Allow TCP\UDP 53 from DMZ subnet (DNS) to ip of primary DNS server
Allow TCP\UDP 53 from DMZ subnet (DNS) to ip of secondary DNS server