Netgate Discussion Forum

    Help (Initial installation, initial configuration and basic firewall config)

    Problems Installing or Upgrading pfSense Software
      stephenw10 Netgate Administrator

      Hmm, if it shows packet loss then it has a route and is trying to send….

      Can you ping the HH6 IP from either Diag > Ping or from the client behind pfSense? I assume that's at 192.168.1.254 if it follows the same pattern as previous HHs.

      Steve

        JohnSCarter

        @stephenw10:

        Hmm, if it shows packet loss then it has a route and is trying to send….

        Can you ping the HH6 IP from either Diag > Ping or from the client behind pfSense? I assume that's at 192.168.1.254 if it follows the same pattern as previous HHs.

        Steve

        Yes, both the client and the pfSense device can ping the HH6.

        Network security & monitoring enthusiast

          stephenw10 Netgate Administrator

          Hmm, well it's possible it still has no default route somehow.

          Try going to Diag > Routes and make sure there is an entry that shows something like:

          IPv4 Routes
          Destination   Gateway         Flags   Use      Mtu    Netif   Expire
          default       192.168.1.254   UGS     476794   1500   re0

          If there is not, go to Interfaces > WAN and click Save without changing anything to re-apply the settings.
          Since you initially had a subnet conflict it may have come up with something invalid. You could also try rebooting pfSense now that the conflict has been resolved.

          Steve

            JohnSCarter

            @stephenw10:

            Hmm, well it's possible it still has no default route somehow.

            Try going to Diag > Routes and make sure there is an entry that shows something like:

            IPv4 Routes
            Destination   Gateway         Flags   Use      Mtu    Netif   Expire
            default       192.168.1.254   UGS     476794   1500   re0

            If there is not, go to Interfaces > WAN and click Save without changing anything to re-apply the settings.
            Since you initially had a subnet conflict it may have come up with something invalid. You could also try rebooting pfSense now that the conflict has been resolved.

            Steve

            Ok, great. That seems to be working, in that I now have internet access on my pfSense-connected device, and both it and the pfSense device itself can ping out to Google now.

            Is there any way now to test that it's 100% working? I've tried resetting the firewall to block all traffic just to test, but it doesn't have an impact.

            Network security & monitoring enthusiast

              stephenw10 Netgate Administrator

              The default settings will allow all traffic from the LAN interface out to the WAN, so that's expected.

              You can add your own pass rule above the default rule on LAN and if you have logging enabled you will then see everything that is passed in the firewall logs in Status > System Logs > Firewall.

              You could add another rule above that, say, block ICMP (all types) from LAN subnet to 8.8.8.8. Enable logging.

              That should stop your LAN-side client pinging 8.8.8.8 and log it.

              It looks like there is no way to put the HH6 in bridge mode where it passes your public IP to pfSense. If you want that (and you should IMO ;)) you would need to use a different modem device. I use an Openreach modem for that exact purpose.

              Steve

                JohnSCarter

                @stephenw10:

                The default settings will allow all traffic from the LAN interface out to the WAN, so that's expected.

                You can add your own pass rule above the default rule on LAN and if you have logging enabled you will then see everything that is passed in the firewall logs in Status > System Logs > Firewall.

                You could add another rule above that, say, block ICMP (all types) from LAN subnet to 8.8.8.8. Enable logging.

                That should stop your LAN-side client pinging 8.8.8.8 and log it.

                It looks like there is no way to put the HH6 in bridge mode where it passes your public IP to pfSense. If you want that (and you should IMO ;)) you would need to use a different modem device. I use an Openreach modem for that exact purpose.

                Steve

                It appears not to be working (unless I'm doing it wrong). Here's a screenshot of my firewall rule that should block outgoing ICMP to 8.8.8.8:
                https://gyazo.com/e585c81d5521b81cecce22d0b32b39bd

                Network security & monitoring enthusiast

                  stephenw10 Netgate Administrator

                  Firewall rules apply to traffic coming into the interface. So that rule needs to be on the LAN and above the default allow all rule.

                  That applies to all firewall rules except floating rules, which can be defined as OUT. But don't worry about that yet! ;)

                  After you make the rule change you may have to wait for the existing firewall state to time out, or clear the state(s), if you have run a ping from the client recently.

                  Steve

                    JohnSCarter

                    @stephenw10:

                    Firewall rules apply to traffic coming into the interface. So that rule needs to be on the LAN and above the default allow all rule.

                    That applies to all firewall rules except floating rules, which can be defined as OUT. But don't worry about that yet! ;)

                    After you make the rule change you may have to wait for the existing firewall state to time out, or clear the state(s), if you have run a ping from the client recently.

                    Steve

                    Ok, awesome. I disabled all traffic but checked the system logs, and it blocked this website for a bit, so I guess it is working fine.

                    Last question (for now at least): is there an order to the firewall rules? For example, if I wanted to block all traffic by default but I wanted to allow one IP/protocol/application through, could I have 2 conflicting rules but place one before the other?

                    Just want to say how honestly thankful I am for your support. Utter legend :D Have an honestly brilliant day.

                    Network security & monitoring enthusiast

                      Grimson Banned
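The three points Steve makes above (rules match traffic entering the interface they sit on, first match wins from the top down, and an existing state bypasses the rules until it times out or is reset) are also the answer to the ordering question just asked. Here is a small first-match simulation of that evaluation, written as an added example for this thread; it is not pfSense code, and the LAN subnet 192.168.2.0/24 and the client address are assumed since the thread never states them:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    iface: str    # interface the rule sits on; it matches traffic ENTERING that interface
    action: str   # "pass" or "block"
    proto: str    # "icmp", "tcp", "udp" or "any"
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    log: bool = False

def matches(r, iface, proto, src, dst):
    return (r.iface == iface and r.proto in ("any", proto)
            and ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst))

def evaluate(rules, iface, proto, src, dst, states, log):
    # First match wins, top to bottom (pfSense interface rules are "quick").
    key = (proto, src, dst)
    if key in states:
        return "pass"                       # existing state: the rules are not consulted at all
    for i, r in enumerate(rules):
        if not matches(r, iface, proto, src, dst):
            continue
        if r.log:
            log.append(f"rule {i} {r.action} {proto} {src} -> {dst} on {iface}")
        if r.action == "pass":
            states.add(key)                 # a pass creates a state entry, as pf does
        return r.action
    return "block"                          # implicit default deny when nothing matches

# Assumed LAN subnet 192.168.2.0/24 (the thread never states it); the HH6 side is 192.168.1.x.
DEFAULT_LAN = Rule("lan", "pass", "any", "192.168.2.0/24", "0.0.0.0/0")
BLOCK_PING = Rule("lan", "block", "icmp", "192.168.2.0/24", "8.8.8.8/32", log=True)
BLOCK_PING_ON_WAN = Rule("wan", "block", "icmp", "192.168.2.0/24", "8.8.8.8/32", log=True)

def demo():
    ping = ("lan", "icmp", "192.168.2.10", "8.8.8.8")   # constructed: client ping entering on LAN
    results, log, states = {}, [], set()
    results["on_wan"] = evaluate([BLOCK_PING_ON_WAN, DEFAULT_LAN], *ping, set(), log)  # wrong interface
    results["below_default"] = evaluate([DEFAULT_LAN, BLOCK_PING], *ping, set(), log)  # shadowed by allow
    results["above_default"] = evaluate([BLOCK_PING, DEFAULT_LAN], *ping, set(), log)  # blocked and logged
    evaluate([DEFAULT_LAN], *ping, states, log)                  # a ping allowed before the rule change
    results["stale_state"] = evaluate([BLOCK_PING, DEFAULT_LAN], *ping, states, log)
    states.clear()                                               # Diag > States: reset
    results["after_reset"] = evaluate([BLOCK_PING, DEFAULT_LAN], *ping, states, log)
    return results, log
```

Only the third and last cases block the ping, which is why the rule placed on WAN, or placed below the default allow, or tested while an earlier ping's state is still alive, appears "not to be working".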

                      Read through here: https://doc.pfsense.org/index.php/Main_Page

                        JohnSCarter

                        Thanks man, this is exactly what I was looking for.

                        This entire forum is great. Thanks, all.

                        Network security & monitoring enthusiast

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.