Isolate VLAN but pass DHCP & Internet?
-
So removing all allow any rules on a lan we don't need to pass UDP on ports 67 & 68 for DHCP so long as dhcpd is running?
-
@pfbasic.. when you enable dhcpd on an interface in pfSense, yes, it creates rules that you cannot see in the GUI that allow dhcpd to function.
You can view these rules if you want via cmd line.
https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset
Even if you're just running a DHCP relay these rules are auto created.. Could you see the amount of forum traffic it would create if users had to create rules for DHCP to function ;) While I would like a way to show all rules… Sometimes it's best not to confuse new users ;)
-
That is very cool, thank you! I guess I'll go delete that rule haha.
-
well look on pfsense - what is its wan IP? Hit that in your browser on the port you have your gui listening on, etc.
I could not reach the gui at the WAN IP from the VLAN.
-
Then you did it wrong. There is nothing in those rules blocking the same. The traffic will be passed by the last rule.
-
So you either altered your rules, or went to the wrong IP or port. There is nothing in those rules that stops a box on the opt net from talking to any port it wants on the firewall's opt net interface, or the WAN IP via optnet.. So yeah, you're going to be able to hit the pfSense web GUI, SSH to pfSense, etc.
-
Here is what I did.
-
Plugged laptop into correct vlan port on switch (laptop received correct IP, 192.168.20.5)
-
Browsed via Chrome to my public IP supplied from ISP on the correct port
-
Browser could not reach the gui
Could it be because I have the "Block private networks and loopback addresses" and "Block Bogons" options checked on the WAN interface?
-
I've added this rule to block the WAN. I've tried to browse to the WAN IP and it can't reach it..
-
Just pass the specific things on the firewall you want them to be able to access (like DNS) then block any to This Firewall (self).
-
Does that last pic of the rule set achieve what I'm after? Blocking IOTnet from everything except the internet? That's all I'm trying to do.
It seems like it does based on trying to access things from the laptop when plugged into the IOT vlan port.
-
This firewall (self) makes more sense as the destination of your last rule than WAN net.
-
This firewall (self) makes more sense as the destination of your last rule than WAN net.
As soon as I switch it to "This Firewall (self)" devices on IOT lose internet connection fyi…
-
Well post up your current rules.. Yes, if you block access to the firewall before you allow for DNS, say, then no, the internet is not going to work if you're using pfSense for your DNS.. Or if you're running a proxy and block access to the firewall before you allow the proxy port, etc. etc.
Rules are evaluated top down as traffic enters the interface, first rule to trigger wins and no other rules are evaluated. If the traffic is not allowed then it hits the default deny and would be blocked.
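The top-down, first-match evaluation described above, as an added example that is not part of the thread: a small Python model of an interface ruleset with the two orderings discussed (block-to-self placed before vs. after the DNS pass). The addresses are constructed; the IoT gateway 192.168.20.1 and a documentation-range WAN IP stand in for "This Firewall (self)".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses: IoT gateway and a documentation-range WAN IP represent "self".
SELF = {ipaddress.ip_address("192.168.20.1"), ipaddress.ip_address("203.0.113.10")}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "any", "tcp" or "udp"
    dst: str               # "self", "rfc1918" or "any"
    port: Optional[int] = None

    def matches(self, proto: str, dst: ipaddress.IPv4Address, port: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        if self.dst == "self":
            return dst in SELF
        if self.dst == "rfc1918":
            return any(dst in net for net in RFC1918)
        return True  # "any" destination

# Enabling dhcpd on the interface adds a hidden pass for bootps (UDP 67) ahead of user rules.
IMPLICIT = [Rule("pass", "udp", "self", 67)]

def evaluate(rules: List[Rule], proto: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; traffic matching nothing hits the default deny."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in IMPLICIT + rules:
        if rule.matches(proto, dst, port):
            return rule.action
    return "block"

# Order that breaks Internet access: self is blocked before DNS to the resolver is allowed.
BROKEN = [
    Rule("block", "any", "self"),
    Rule("pass", "udp", "self", 53),
    Rule("block", "any", "rfc1918"),
    Rule("pass", "any", "any"),
]

# Working order: allow DNS to the firewall first, then block the rest of self and private nets.
WORKING = [
    Rule("pass", "udp", "self", 53),
    Rule("block", "any", "self"),
    Rule("block", "any", "rfc1918"),
    Rule("pass", "any", "any"),
]
```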
-
I've added the DNS NAT forward & rule that I did on the LAN interface (from the Squid setup post: https://forum.pfsense.org/index.php?topic=112335.0) to this interface as well. The devices are reaching the internet now.
If there is a better way of forcing all devices to use pfsense for the DNS (I'm using the DNS resolver) please let me know..
edit: found this: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense