New to pfsense and issues already
-
Ok I am able to ping 8.8.8.8 and Im able to view sites
-
I dont want to block the external traffic thats the data I want to recieve
The default deny rule is working correctly - the last screenshot you posted shows external addresses trying to hit your external IP, which is correctly blocking the traffic.
Another test: Try pinging an external address from your LAN PC, such as 8.8.8.8. Do you get a response? Check your default route out on the WAN side (menu item: System/Routing and select the 'gateways' tab. Can you send a screenshot of this page also?
Last thought: Does your internal PC have the correct DNS settings? Without a valid DNS server in your network settings you won't be able to resolve internet names, which could also be creating the problem you're having.
-
Ok, if the ping works, then your firewall/router are both working correctly and the issue is almost certainly DNS. If you're using a Windows PC open a command prompt and type "nslookup www.google.com 8.8.8.8". If you get a non-authoritative answer back then you just have to add 8.8.8.8 as a DNS server in your PC's network settings.
Alternately, you could set up DHCP on your firewall to assign addresses internally. (Services/DHCP Server + LAN tab). Create a valid internal range and include a public DNS server(s) in the settings. You can try 8.8.8.8 for a start, as it's a public DNS server anyone can use.
-
I dont want to block the external traffic thats the data I want to recieve
The external traffic being blocked is traffic which is originating from the internet, not your internal network. This is normal behaviour for any firewall - you don't want anyone externally to access your firewall from outside unless you have services that you want external audiences to see, which I don't believe you do. So long as the request originates from inside your LAN, traffic will be allowed back in. It's just the traffic coming unannounced from outside that's being stopped.
-
This server is used for receiving remote CCTV video alarms so I am expecting the majority of traffic to come externally
-
Ok, so you'll need to make sure you know the following information:
1. Does the traffic from those remote CCTV alarms originate from the remote addresses of the alarms or is the traffic initiated from the internal PC?
2. If the above answer is 'traffic originates remotely' then what are the external IP addresses of the remote CCTV alarms?
3. What is the tcp (udp?) port that your internal PC is using to allow connection from those remote alarms? (this has to be visible from the outside)
If you can pass on the above info, I should be able to tell you what to do to allow access to your PC from those remote sites.
-
Ok this could be tricky
There are over 200 remote sites each with static external ip's
tcp ports that need to be open are 25, 8005, 3389, 1025, 1237, 10000, 2000, 1024, 80
up until recently we blocked all traffic unless recieved on those ports via the router in built software and had filter rules to block ip's that were spamming us I run out of available rules hence the need for pfsense
Many thanks for your input so far
-
I guess that the front-end router has been setup to port forward all incoming traffic on its public WAN to the pfSense WAN at 192.168.1.10 - since that outside traffic has found its way to pfSense WAN and been blocked and logged.
Now you need to add port forward/s and rules to allow the traffic you want and forward it to that server on LAN.
Firewall->Aliases
- make an alias with the 200 static public IP addresses that you expect traffic from
- Make an alias with the list of destination ports you want to allow traffic to reach
Firewall->NAT Port Forward - Add a port forward, click the "Advanced" button for Source. Select type "Single host or alias". Start typing the alias name of the 200 addresses - the full name will appear.
- Leave source port range "any"
- Destination should be WANaddress
- Destination port range - use the port alias you made
- Redirect target IP - address of the server on LAN
- Redirect target port - use the port alias again
- Leave "Add associated filter rule" selected at the bottom
Save it.
That should redirect all the stuff you want into your server. The associated filter rule should allow it to pass.
All other traffic on WAN is blocked, so rubbish from unknown places will simply be blocked. You can choose whether to log it or just ignore it.
-
Sorry - had to leave and only just got back to this post. Thanks, Phil - you pretty much summed up what I was going to say. The main brunt of the work will be entering all 200 addresses into the alias you'll need to set up the rule, otherwise the rest of the process should be fairly quick and painless. As Phil says, if your outside router has been set up to forward all incoming traffice regardless of port - or you've set your router to run in bridged mode - then you should be good to go.
-
The main brunt of the work will be entering all 200 addresses into the alias you'll need to set up the rule
You can copy and paste a list, one IP address per line, straight into the IP address field on the add alias screen. It will throw a big red error but will also add each IP to a separate entry - no description though. Just save.
Of course, you need to have compiled the list to start :)
-
You can also load url contents into an alias.
There is also the bulk import button on the aliases page.
 -
Ive just had a look at the list and there are a number of host names rather then addresses how would I over come this?
-
Use the URLs tab instead of IP to import the list as an alias.
Steve
-
Ok think I have managed to add whats required.
Is there a rule where I can allow all incoming traffic briefly as I am having a problem with 1 site and I want to prove its not pfsense?
-
Ok think I have managed to add whats required.
Is there a rule where I can allow all incoming traffic briefly as I am having a problem with 1 site and I want to prove its not pfsense?
When you say 'all incoming traffic', what do you mean? Do you mean allow all hosts on the internet or all ports from the hosts in your alias list?
If you are getting success from all the remote points except one, then that will indicate the forwarding is working correctly and the issue lies at the remote end of the one problem point. Before you start opening up your network to the world, I would be inclined to check the logs first. Search for the remote address of the problem site and see what rule is blocking it. This should give you a better idea of the cause of the problem without removing your security entirely. If you can't find an entry for the remote problem site then the issue will almost certainly be some rule or other blocking it at the other end.
-
Yes I mean open all ports and addresses
Yes I know this is not ideal and im aware of the dangers but I would like to have the option of allowing all addresses and ports through the firewall briefly
-
Just add a firewall rule to the WAN that allows everything. Any protocol, any source, any destination, any port.
You can disable it afterwards but leave it there in case you want to enable it again for future testing.Steve
-
What Stepehnw10 has said is pretty much it. But rather than give you instructions which would go against every professional bone in my body, maybe it would be better if you described the problem you're having with this one site? Instead of giving you advice which would leave your system open to a potentially devastating attack it would probably be far more constructive to help with the actual issue. Can you give details on what the difficulty is?
If you'd rather not go into it, then fine. But don't say I didn't warn you.
-
That's a good point. Whatever you do make sure you remove/disable the rule afterwards. ;)
A safer way to test if traffic is arriving from your suspect location would be to run a packet capture on WAN and thgen search it for the address.
There are also options to disable the firewall completely if you need to.
Steve
-
Even adding those rules it still appears there is 0 traffic reaching the LAN looking at the firewall log its shows traffic but its all being blocked still with so much down time think im going to have to abandon the use of PFsense as its just not user friendly
