Netgate Discussion Forum
    Allow all between interfaces

    Category: Firewalling
    28 Posts 6 Posters 9.3k Views
    • KOM

      We can't tell what you've really done based on your text description.  Post screenshots of your rules.  The Default Deny rule is a hidden rule that you can envision being at the very bottom of the list on each interface.  Rules are processed top-down, first-match.  If no rule matches, the traffic is blocked by the Default Deny rule.  Neither LAN nor OPT1 should have a defined gateway; only WAN should have a gateway.  By default, LAN has an Allow Any rule, but subsequent interfaces must have at least one rule manually added to allow traffic.

      • johnpoz (LAYER 8 Global Moderator)

        If you want your lan and wifi to talk to each other without rules, then why did you not just plug your UAP into your lan network??

        Yes, out of the box lan has a rule any any… So it would be able to talk to anything on the opt1 network... But opt1 has no rules out of the box, as KOM explains.  So you would have to create rules..

        Attached are some examples that might help..  My lan can do anything it wants, both on ipv4 and ipv6..

        But then there are the devices on my wlan, which has some vlans as well on this physical interface, and there are some wired devices on this wlan network segment like printers, my unifi controller, etc..  This segment is locked down.

        Will walk through the rules.

        So my iPad can do anything it wants to anywhere, any any.
        Any device on wlan (192.168.2.0/24) can ping pfsense wlan interface (192.168.2.253) ipv4 or v6
        they can talk to my ntp server that is on lan segment
        they can talk dns to pfsense wlan int
        my AP can talk to pfsense for radius that is running on there per the radius package to auth wifi users.
        I then block ALL access to any other IP on the firewall, all services, etc. etc..
        I then allow anything ipv4 as long as it is not talking to any of my local rfc1918 networks
        I then allow any ipv6 traffic as long as not to any of my ipv6 networks the /64 and /48 I have from he.net

        [attachment: rulesexample.png]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • FlashEngineer

          Hey, I tried something similar, but even with your last 2 rules the vlan cannot access WAN/internet. Is there a trick on the RFC1918 alias?  Because I had to do allow * From vlan net * * * in order to get it to work.  So I had to explicitly block access to other vlans.

          • johnpoz (LAYER 8 Global Moderator)

            No trick needed. Did you forget the NOT?  See the ! that says NOT rfc1918.. If you forget that, then you would just be allowing traffic to rfc1918 space and not the internet.


            • FlashEngineer

              @johnpoz:

              No trick needed. Did you forget the NOT?  See the ! that says NOT rfc1918.. If you forget that, then you would just be allowing traffic to rfc1918 space and not the internet.

              Yeah I have the ! in front of RFC1918

              It seems I need a rule to the interface IP?

              • KOM

                Post screenshots of your rules.

                Perhaps we could stop guessing what you're doing and see for ourselves?

                • FlashEngineer

                  This works; I need to add a rule allowing traffic to the vlan's address in order to do anything wan related.  I was trying to make an internet-only vlan.

                  • KOM

                    What's in your rfc1918 alias?

                    • Derelict (LAYER 8 Netgate)

                      VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

                      Don't confuse inability to resolve names with inability to pass traffic.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      • johnpoz (LAYER 8 Global Moderator)

                        ^ Exactly. You'll notice in my example rules I have dns open to the firewall interface in that network.

                        Clients on this segment use pfsense IP in that network as their dns.

                        What is the point of blocking traffic to vlan 13?  Is it not rfc1918 space?

                        You should allow what you want to the firewall, then block to the firewall, because your rule that is allow ! rfc1918 is going to allow traffic to the pfsense wan address if it is not rfc1918.

                        [attachment: allowdns.png]


                        • FlashEngineer

                          192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12

                          • FlashEngineer

                            @Derelict:

                            VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

                            Don't confuse inability to resolve names with inability to pass traffic.

                            Still trying to understand the way pfsense administers DNS via the resolver or forwarder..  There was nothing like this on zeroshell; all it had was DNS static entries for each DHCP range.

                            I'm using PIA's dns servers which are defined in the General tab.  Not sure if they are pushed to the clients or not..

                            • FlashEngineer

                              @johnpoz:

                              ^ Exactly. You'll notice in my example rules I have dns open to the firewall interface in that network.

                              Clients on this segment use pfsense IP in that network as their dns.

                              What is the point of blocking traffic to vlan 13?  Is it not rfc1918 space?

                              You should allow what you want to the firewall, then block to the firewall, because your rule that is allow ! rfc1918 is going to allow traffic to the pfsense wan address if it is not rfc1918.

                              Was just reading this guy's blog:

                              https://calvin.me/block-traffic-vlan-pfsense/

                              He puts an explicit rule to block certain traffic to other vlans on his guest network.  I guess that doesn't matter when you have that rule with ! rfc1918.

                              So for rule order, I would allow, say, certain host addresses to reach vlan## or the pfsense GUI (via an alias I guess), then start blocking in general with something like the ! rfc1918 rule?

                              Basically one vlan is set up so it has access to WAN, and a few select hosts (say 192.168.15.203-205) can access another vlan's specific host (say 10.10.10.173); the rest should be blocked off from accessing anything else other than WAN.  And of course no one can access the PF gui except maybe 1 IP (my smartphone etc.) or something like that.  Or I guess it doesn't even have to, since I have my admin vlan to access everything anyway.

                              • Derelict (LAYER 8 Netgate)

                                @FlashEngineer:

                                @Derelict:

                                VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

                                Don't confuse inability to resolve names with inability to pass traffic.

                                Still trying to understand the way pfsense administers DNS via the resolver or forwarder..  There was nothing like this on zeroshell; all it had was DNS static entries for each DHCP range.

                                I'm using PIA's dns servers which are defined in the General tab.  Not sure if they are pushed to the clients or not..

                                Well you kind of have to be sure. It's the thing that makes the most sense if the hosts are configured to use pfSense as their DNS server and adding that rule fixed "the internet."


                                • Derelict (LAYER 8 Netgate)

                                  That blog is a little old. Probably 2.1.5 since he didn't use This firewall.

                                  Here's guest access in a nutshell:

                                  Pass the local assets guest hosts need (DNS, etc)
                                  Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
                                  Pass everything else (The internet)


                                  • FlashEngineer

                                    That sounds good, but to confirm, can one of you post a good guest vlan setup?  Do I really need ping to pfsense?

                                    Here's my revised setup so far for "guest".

                                    • FlashEngineer

                                      @Derelict:

                                      @FlashEngineer:

                                      @Derelict:

                                      VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

                                      Don't confuse inability to resolve names with inability to pass traffic.

                                      Still trying to understand the way pfsense administers DNS via the resolver or forwarder..  There was nothing like this on zeroshell; all it had was DNS static entries for each DHCP range.

                                      I'm using PIA's dns servers which are defined in the General tab.  Not sure if they are pushed to the clients or not..

                                      Well you kind of have to be sure. It's the thing that makes the most sense if the hosts are configured to use pfSense as their DNS server and adding that rule fixed "the internet."

                                      Would it be possible to explain more on the DNS resolver or forwarder and how that works, or what typical settings one would need on a simple home setup?  Like I mentioned before, this is what I have on Zeroshell in relation to DNS.

                                      • hda

                                        See Reply #16, i.e. Allow internal to This Firewall 53 for DNS server.

                                        Server as Forwarder/cache; dispatch requests to DNS servers in System General Setup.
                                        Server as Resolver/cache; dispatch requests to "The Root Servers".

                                        • Derelict (LAYER 8 Netgate)

                                          You need ping if you need ping. You don't if you don't.

                                          I, personally, pass ping to the users' default gateway and DNS servers as a matter of courtesy in case someone clueful is trying to debug something.

                                          I don't know why you don't pass what you want them to access then reject any to This firewall. Then reject any to RFC1918. Then pass any.

                                          The only time that won't work is if you have subnets on public addresses; then you'll need another alias for those.

                                          I would love to see a Local subnets automatic alias like This firewall.


                                          • johnpoz (LAYER 8 Global Moderator)
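The rule-order reasoning in johnpoz's and Derelict's posts above (allow DNS to the interface, reject This Firewall, reject RFC1918, then pass everything) worked through as an added example that is not from the thread or from pfSense: a small first-match evaluator for one interface's rule list, using constructed addresses (a guest VLAN gateway of 192.168.2.253, a public WAN address of 203.0.113.10 and a host 10.10.10.173 on another VLAN), that shows why a lone "pass to !RFC1918" rule blocks DNS to the gateway yet still passes traffic to the firewall's public WAN address.

```python
"""Top-down, first-match evaluation of a pfSense-style guest VLAN rule list.
Added example (not from the thread or pfSense); all addresses are constructed.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "This Firewall" alias: every address the firewall holds (constructed:
# guest VLAN gateway, LAN gateway, public WAN address).
THIS_FIREWALL = {ipaddress.ip_address(a)
                 for a in ("192.168.2.253", "192.168.1.1", "203.0.113.10")}

def in_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def dst_matches(kind, dst):
    """Destination spec: 'any', 'this_firewall', 'rfc1918' or '!rfc1918'."""
    return {"any": True,
            "this_firewall": dst in THIS_FIREWALL,
            "rfc1918": in_rfc1918(dst),
            "!rfc1918": not in_rfc1918(dst)}[kind]

def evaluate(rules, pkt):
    """Rules are processed top-down, first match wins; no match hits the hidden
    default deny, exactly as KOM describes in the first reply."""
    for rule in rules:
        if rule["proto"] != "any" and pkt["proto"] not in rule["proto"]:
            continue
        if rule["dport"] != "any" and pkt["dport"] != rule["dport"]:
            continue
        if dst_matches(rule["dst"], pkt["dst"]):
            return rule["action"], rule["name"]
    return "block", "default deny"

def rule(name, action, dst, proto="any", dport="any"):
    return {"name": name, "action": action, "dst": dst, "proto": proto, "dport": dport}

def packet(dst, proto, dport):
    return {"dst": ipaddress.ip_address(dst), "proto": proto, "dport": dport}

# FlashEngineer's first attempt: a lone 'pass any to !RFC1918'.
BROKEN = [rule("pass to !rfc1918", "pass", "!rfc1918")]
# The order Derelict and johnpoz recommend.
GUEST = [rule("pass DNS to This Firewall", "pass", "this_firewall", ("tcp", "udp"), 53),
         rule("reject any to This Firewall", "reject", "this_firewall"),
         rule("reject any to RFC1918", "reject", "rfc1918"),
         rule("pass any (internet)", "pass", "any")]
# Constructed guest-client flows: DNS to the gateway, a web site, a host on
# another VLAN, and the firewall GUI reached via its public WAN address.
TRAFFIC = {"dns_to_gateway": packet("192.168.2.253", "udp", 53),
           "web": packet("198.51.100.20", "tcp", 443),
           "other_vlan_host": packet("10.10.10.173", "tcp", 445),
           "gui_via_wan_ip": packet("203.0.113.10", "tcp", 443)}

def compare():
    """Map each flow to its (BROKEN, GUEST) verdict: action strings only."""
    return {name: (evaluate(BROKEN, p)[0], evaluate(GUEST, p)[0])
            for name, p in TRAFFIC.items()}
```

Derelict's caveat applies unchanged: a local subnet on public addresses would fall through to the final pass rule here too, so it needs its own reject entry before it.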

                                            With Derelict here, this is right on target

                                            Pass the local assets guest hosts need (DNS, etc)
                                            Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
                                            Pass everything else (The internet)

                                            There is never going to be a perfect setup that you can just clone, because every setup is different..  If you don't understand the concepts even at a basic level and are just wanting to copy a config, you're in trouble.  Maybe you should just stick with an off-the-shelf device that doesn't really even allow you control..

                                            Out of the box pfsense does not provide an authoritative name server, like bind can be authoritative..  dnsmasq (forwarder) and unbound (resolver) are not really meant to be authoritative for any domain.  If what you want is an authoritative name server, then install the bind package in pfsense.  Bind can then either forward or resolve.  You don't seem to understand the difference between a forwarder and a resolver??  If that is the case you're most likely going to be happy with just the forwarder.  Your clients ask pfsense for www.google.com, it forwards that to the name servers you put in the general tab.  Simple…

                                            edit: forwarder not resolver, edited..


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.