Looking for some advice.
-
"I still see the DirecTV boxes (192.168.1.66-67) pinging 239.255.255.250:1900"
Yes you would.. this is from a private network.. Are you blocking private networks? If not it would be blocked by the default rule, which is normally logged. Again click on the X or move your mouse over it and you should see which rule blocked that specific traffic. Please post a picture of your rules..
What is a wan access rule?? You have port forwarded something?
-
If I block private networks, won't I be locked out?
I have port 8080 forwarded so I can access pfsense from work in case my family has an issue and can't access the internet.
I have a feeling I am going to get educated, which by all means I need to be.
-
The rule that blocks.
-
No, blocking private networks would not lock you out.. Unless you were trying to access from a private IP??
But why do you have 8080 open to pfsense? Not a good idea to open pfsense web gui to the public internet.. It's a really really really BAD idea!! You have vpn setup, so if you want to access pfsense web gui then just VPN in..
Yes that is being blocked by the default deny rule.. If you do not want to see those then create a block rule that does not log it. Or turn off your default logging rule and create rules that log what you want to see that is blocked.
-
I thought that the 192.168 and the like were private IPs?
I have it open as I can not figure out openvpn.
-
It is.. But that is not the internet, that is a transit network between pfsense and your isp router. But that is all moot anyway. What is logging that block is your default deny.
openvpn is run the wizard, export your configuration and go.. It really is that simple! If you're trying to access from work - it's possible work is blocking your UDP access? If so setup openvpn to use tcp on a port that is open, say 443, which is pretty much always open; you can even bounce off a proxy if using tcp..
-
Johnpoz, thank you for your lessons today.
I went into the modem, took the pfsense box out of the DMZ, disabled then deleted the wan access rule, and deleted the current openvpn rule. I will run the wizard again and see if I can figure it out.
Work might have it blocked. And I finally figured out openvpn. I shut off my wifi on my phone and connected without issues. AWESOME! I feel much better and maybe a little smarter thanks to your input and guidance today johnpoz.
-
That's what we are here for - glad I could help!
-
So all three of the ports I'm using are still layer 2. I thought that with different IPs, 192.168.0 and 192.168.1, etc, it was technically a different network.
Everything on the local network is on the same layer 2 network, even with completely different address ranges. Layer 2 (MAC addresses) refers to addressing on the local network, but layer 3 (IP addresses) can be world wide, though RFC 1918 are confined to local networks.
-
^ yup, layer 2 is also LLC (logical link control) but that might be getting a bit deeper than you need..
Keep in mind that you can create different layer 2 networks via smart switch, or different physical hardware.. A router would have 2 layer 2 networks it's connected to.. The wan side and the lan side.. Or more even if it has multiple lan or wan interfaces, etc.
The only reason rfc1918 addresses are confined to local network is they do not actually route over the internet.. If you send traffic to your isp with destination of 192.168.14.100 for example.. It has no idea where to send that.. That network is not routed on the internet..
btw: not sure where you came up with the /16 in your posts.. From your post your networks on pfsense are /24.. I think users still get hung up on class of IP ranges, which has really been meaningless since cidr.. Some 24 years ago..
Yes the 192.168.0.0/16 space is defined as rfc1918 or local address space that does not route on the internet. But /16 is the whole netblock that can be used - you would never actually use a /16 mask on a network you create.. That space would allow for 65k addresses, you would never put 65k addresses on the same layer 2/broadcast domain.. Nobody would ever be able to send real data, they would all be too busy listening to broadcasts ;) The mask used to create the size of your network should be appropriate for the number of hosts you would be putting on that network.. /24 is very common because it allows for plenty of devices on that same network, 254.. And it makes it very easy for humans to easily see what network it is – 192.168.X.0
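The points above (RFC 1918 space not routing, /24 vs /16 host counts, and the SSDP multicast noise filling the default-deny log) as an added Python example; it is not code from the thread or from pfSense, and the log records in it are constructed from the addresses the thread mentions:

```python
import ipaddress

# Constructed values: the RFC 1918 blocks and the SSDP group/port the DirecTV boxes hit.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SSDP = ("239.255.255.250", 1900)


def classify(addr: str) -> str:
    """Label an IPv4 address: multicast, rfc1918 (never routed on the internet), special, or public."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_loopback or ip.is_link_local:
        return "special"
    return "public"


def usable_hosts(cidr: str) -> int:
    """Assignable host addresses in a prefix: a /24 gives 254, a /16 gives 65534."""
    net = ipaddress.ip_network(cidr, strict=False)
    # Network and broadcast addresses are not assignable below /31.
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def same_subnet(a: str, b: str, prefixlen: int) -> bool:
    """Would hosts a and b treat each other as on the same layer-3 network under this mask?"""
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)


def triage_blocks(records):
    """Split (src, dst, port) default-deny records into SSDP noise and entries worth a look.

    The noise bucket is what the thread suggests handling with a block rule that does not log."""
    noise, review = [], []
    for src, dst, port in records:
        if (dst, port) == SSDP and classify(src) == "rfc1918":
            noise.append((src, dst, port))
        else:
            review.append((src, dst, port))
    return noise, review


# Constructed sample of blocked traffic (src, dst, dst port); 203.0.113.7 is a documentation-range address.
SAMPLE = [
    ("192.168.1.66", "239.255.255.250", 1900),
    ("192.168.1.67", "239.255.255.250", 1900),
    ("203.0.113.7", "192.168.1.1", 8080),
]

if __name__ == "__main__":
    print(triage_blocks(SAMPLE))
```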