Allow all between interfaces
-
Hi All, I am sure this is really simple but I am not having any luck. I am using the LAN interface for local LAN connections and the OPT1 interface for Wifi. I have a Ubiquiti WAP plugged in to OPT1. Both interfaces have internet access but nothing on either interface can talk to the other with the exception of the pfSense gui. I can access the gui from OPT1 and LAN. It might be worth mentioning that I could not access the gui from OPT1 until after I created a gateway for the LAN interface IP and for the OPT1 IP.
In my firewall rules for the LAN at the top I have an allow any LAN net to OPT1 net and the OPT1 rule at the top is allow any OPT1 net to LAN net.
The LAN IP range is 192.168.2.0/24 and the OPT1 range is 10.10.10.0/24. Both interface IPs are .1 in their respective range.
Everything I read seems to indicate that anything on either interface can talk to the other unless I create a rule telling them not to but that isn't happening, with or without the rules I created.
-
I looked in the logs for traffic that was blocked and this is the error I have:
"The rule that triggered this action is:
@5(1000000103) block drop in log inet all label "Default Deny rule IPv4"
I looked at all of my firewall rules and there is no "default deny rule IPV4"
Any suggestions on where I should look for this?
-
We can't tell what you've really done based on your text description. Post screenshots of your rules. The Default Deny rule is a hidden rule that you can envision being at the very bottom of the list on each interface. Rules are processed top-down, first-match. If no rule matches, the traffic is blocked by the Default Deny rule. Neither LAN nor OPT1 should have a defined gateway; only WAN should have a gateway. By default, LAN has an Allow Any rule, but subsequent interfaces must have at least one rule manually added to allow traffic.
-
If you want your lan and wifi to talk to each other without rules then why did you not just plug your UAP into your lan network??
Yes out of the box lan has a rule any any… So it would be able to talk to anything on the opt1 network... But opt1 has no rules out of the box as KOM explains. So you would have to create rules..
Attached are some examples that might help.. My lan can do anything it wants both on ipv4 or ipv6..
But the devices on my wlan, which has some vlans as well on this physical interface. And there are some wired devices on this wlan network segment like printers, my unifi controller, etc.. But this segment is locked down
Will walk through the rules.
so my IPad can do anything it wants to anywhere any any.
Any device on wlan (192.168.2.0/24) can ping pfsense wlan interface (192.168.2.253) ipv4 or v6
they can talk to my ntp server that is on lan segment
they can talk dns to pfsense wlan int
my AP can talk to pfsense for radius that is running on there per the radius package to auth wifi users.
I then block ALL access to any other IP on the firewall, all services, etc. etc..
I then allow anything ipv4 as long as not talking to any of my local rfc1918 networks
I then allow any ipv6 traffic as long as not to any of my ipv6 networks the /64 and /48 I have from he.net
-
Hey I tried something similar but even with your last 2 rules, the vlan cannot access WAN/internet, is there a trick on the RFC1918 alias? Because I had to do allow * From vlan net * * * in order to work. So I had to explicitly block access to other vlans.
-
No trick needed, did you forget the NOT? See the ! that says NOT rfc1918.. If you forget that then you would be just allowing traffic to rfc1918 space and not the internet.
-
Yeah I have the ! in front of RFC1918
It seems I need a rule to the interface IP?
-
Post screenshots of your rules.
Perhaps we could stop guessing what you're doing and see for ourselves?
-
This works, I need to add a rule to allow to the vlan's address in order to do anything wan related. I was trying to make an internet only vlan
-
What's in your rfc1918 alias?
-
VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?
Don't confuse inability to resolve names with inability to pass traffic.
-
^ exactly you notice in my example rules I have dns open to the firewall interface in that network.
Clients on this segment use pfsense IP in that network as their dns.
What is the point of blocking traffic to vlan 13? Is it not rfc1918 space?
You should allow what you want to the firewall, then block to firewall - because your rule that is allow ! rfc1918 is going to allow traffic to pfsense wan if it's not rfc1918
-
192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
-
Still trying to understand the way pfsense administers DNS via the resolver or forwarder.. There was nothing like this on zeroshell, all it had was DNS static entries for each DHCP range.
I'm using PIA's dns servers which are defined in the General tab. Not sure if they are pushed to the clients or not..
-
Was just reading this guy's blog:
https://calvin.me/block-traffic-vlan-pfsense/
He puts an explicit rule to block certain traffic to other vlans on his guest network. I guess that doesn't matter when you have that rule with ! rfc1918.
So for rule order, I would allow say, certain host address to allow to vlan## or to pfsense GUI (via alias I guess), then start blocking in general like the ! rfc1918 rule?
Basically one vlan is setup so it has access to WAN, and few select hosts (say 192.168.15.203-205) can access another vlan's specific host (say 10.10.10.173), the rest should be blocked off from accessing anything else other than WAN. And of course no one can access PFgui except maybe 1 IP (my smartphone etc) or something like that. Or I guess doesn't even have to since I have my admin vlan to access everything anyways.
-
Well you kind of have to be sure. It's the thing that makes the most sense if the hosts are configured to use pfSense as their DNS server and adding that rule fixed "the internet."
-
That blog is a little old. Probably 2.1.5 since he didn't use This firewall.
Here's guest access in a nutshell:
Pass the local assets guest hosts need (DNS, etc)
Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
Pass everything else (The internet)
-
That sounds good, but to confirm can one of you post a good Guest Vlan setup? Do I really need ping to pfsense?
Here's my revised setup so far for "guest".
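To make the "guest access in a nutshell" order above and the earlier warning (that an "allow ! rfc1918" rule also passes traffic to the firewall's own WAN address) concrete, here is an added first-match rule evaluator. It is not from any poster or from pfSense itself; the 192.168.2.253 wlan address and the rfc1918 alias are the thread's, while the WAN address 203.0.113.5 is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The rfc1918 alias as listed in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
# wlan interface address from the thread; WAN address is a constructed placeholder (TEST-NET-3).
WLAN_IF = ipaddress.ip_address("192.168.2.253")
WAN_IF = ipaddress.ip_address("203.0.113.5")
THIS_FIREWALL = [ipaddress.ip_network(f"{a}/32") for a in (WLAN_IF, WAN_IF)]

@dataclass
class Rule:
    action: str                # "pass" or "block"
    dst: list                  # destination networks the rule matches
    negate: bool = False       # True models the "!" (NOT) checkbox on the destination
    port: Optional[int] = None # None means any port
    label: str = ""

    def matches(self, dst, port):
        in_dst = any(dst in n for n in self.dst)
        return (in_dst != self.negate) and (self.port in (None, port))

def evaluate(rules, dst, port):
    """Top-down, first-match; no match falls through to the hidden Default Deny rule."""
    dst = ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(dst, port):
            return r.action, r.label
    return "block", "Default Deny rule IPv4"

# Guest-VLAN order from the thread: pass needed local assets, reject the rest, pass the internet.
GOOD = [
    Rule("pass", [ipaddress.ip_network(f"{WLAN_IF}/32")], port=53, label="DNS to wlan interface"),
    Rule("block", THIS_FIREWALL, label="This firewall"),
    Rule("block", RFC1918, label="other local networks"),
    Rule("pass", RFC1918, negate=True, label="! rfc1918 (internet)"),
]
# Same rules without the "This firewall" block: "! rfc1918" now also passes traffic to the WAN address.
LOOSE = [GOOD[0], GOOD[2], GOOD[3]]

if __name__ == "__main__":
    for rules, name in ((GOOD, "GOOD"), (LOOSE, "LOOSE"), ([], "no rules")):
        print(name, "-> WAN addr :443", evaluate(rules, WAN_IF, 443))
        print(name, "-> wlan int :53 ", evaluate(rules, WLAN_IF, 53))
        print(name, "-> 8.8.8.8  :443", evaluate(rules, "8.8.8.8", 443))
```

An interface with an empty rule list (OPT1 out of the box) hits the Default Deny rule for everything, which is the log entry quoted at the top of the thread.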
-
Would it be possible to explain more on the DNS resolver or forwarder and how that works or what typical settings one would need on a simple home setup? Like I mentioned before, this is what I have on Zeroshell in relation to DNS.
-
LookSee Reply#16, i.e. Allow internal to This Firewall 53 for DNS server.
Server as Forwarder/cache; dispatch requests to DNS servers in System General Setup.
Server as Resolver/cache; dispatch requests to "The Root Servers".