Netgate Discussion Forum

    Same firewall rules on 2 VLANs; different results (SOLVED)

    Firewalling
    • johnpoz LAYER 8 Global Moderator

      Why would you be blocking bogons on a LAN side interface??  Do you really think someone is going to fire up a bogon IP scheme on your network?  If all your rules are limited to their source network, then it doesn't matter what IP scheme they use; it wouldn't get through the firewall rules.

      Pretty sure bogons include 0.0.0.0, which could cause you some grief..  I believe pfSense pulls out the RFC 1918 space that is normally in there as well.  There is zero reason to use bogons on a LAN side interface connected to a network you control, and where your rules are limited to the source network of that interface as well ;)


      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • jschl1

        Thanks for the advice.  I have changed DNS rules to include TCP/UDP.  Have deleted the Bogon networks rule but still can't access the internet on just one VLAN, VLAN50.  My DHCP services are identical on both VLANs (see attached).  I'm trying to sort through firewall logs but it seems there are no entries associated with VLAN50.  I'm a total newbie so may not be doing this correctly, but I entered the name VLAN50_WIRED_PLEX under the Interface section of Advanced Filter Log.  In the DHCP log I get DHCPACK and DHCPREQUEST entries for VLAN50 when I have internet access (when the 'Block access to LAN' rule is disabled).  When I don't have internet access I get 'creating resolv.conf.'

        Again, so weird because exact same DHCP and Firewall settings on other VLAN work as expected.

        Any tips on what to search for in firewall or DHCP logs? Other Thoughts?  Sorry for my cluelessness :)  Thanks!

        John

        ![Screen Shot 2018-05-14 at 8.44.44 AM.png](/public/imported_attachments/1/Screen Shot 2018-05-14 at 8.44.44 AM.png)
        ![Screen Shot 2018-05-14 at 8.44.57 AM.png](/public/imported_attachments/1/Screen Shot 2018-05-14 at 8.44.57 AM.png)

        • johnpoz LAYER 8 Global Moderator

          A common mistake I see is if you changed your outbound NAT to manual and then created a new VLAN.  pfSense would not be able to NAT this network to your WAN IP.  And no internet.

          While you're allowing DNS to pfSense on this VLAN, is DNS even listening on this interface?  If you had changed the default of all interfaces for, say, unbound to specific interfaces, unbound might not be accepting connections for DNS on this interface.

          Also, if you had changed the automatic ACL settings for unbound, it's possible there is no ACL to allow queries from this network even if it is listening on it.

          Can your client actually resolve anything on the internet?  Can you, say, ping www.google.com and get back an IP?  Or use your fav DNS client, nslookup, dig, host, etc. to validate you can actually resolve.

          • jschl1

            Haven't changed the default Outbound NAT; still on Automatic.  I cannot ping internet addresses if I block access to LAN (can't resolve), but can if I disable the block access to LAN rule.

            John

            • Derelict LAYER 8 Netgate

              If there are two different results there are two different configurations.

              Please provide:

              On VLAN 40:

              From the test host:
              host address
              default gateway
              configured name servers on that host
              ping to that host's default gateway
              ping to 8.8.8.8
              nslookup results (dig would be better) to all configured nameservers for www.google.com and xyxyx.google.com (no, not a typo)

              On VLAN 50:

              From the test host:
              host address
              default gateway
              configured name servers on that host
              ping to that host's default gateway
              ping to 8.8.8.8
              nslookup results to all configured nameservers for www.google.com and xyxyx.google.com

              Screen shots of the rules as they existed during all of these tests

              PM a copy of the /tmp/rules.debug file.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • jschl1

                Oops.  It turns out NONE of my VLANs has internet access when 'Block VLAN access to LAN' rule is enabled.  VLAN40 only had internet access because the Unifi switch port that it was plugged into was tagged incorrectly, and it was getting IP address from different subnet.  I'm so sorry.

                So I'm including the info that Derelict requested for VLAN50- both with all firewall rules in place (No Internet Access-see screenshot) and with 'Block VLAN access to LAN' rule disabled (Internet Access).

                I've PM'd you (Derelict) my rules.debug file.

                Really appreciate this!!

                VLAN50 (with all firewall rules active-No Internet Access-see screenshot)

                host address: 192.168.50.100
                default gateway: 192.168.50.1
                name server: left blank (at default).  See screenshot
                Ping to default gateway:  I can ping 192.168.50.1
                Ping to 8.8.8.8: I can ping 8.8.8.8
                nslookup to www.google.com:  connection timed out
                nslookup to xyxyx.google.com: connection timed out

                VLAN50 (with ‘Block DNS from VLAN50’ rule and “Block VLAN50 access to LAN” rule disabled- Has Internet Access- see 2nd screenshot)
                Ping to default gateway:  I can ping 192.168.50.1
                Ping to 8.8.8.8: I can ping 8.8.8.8
                nslookup to www.google.com:

                Server: 192.168.2.99
                Address: 192.168.2.99#53
                Non-authoritative answer:
                Name: www.google.com
                Address: 216:58:193:164

                nslookup to xyxyx.google.com:

                Server: 192.168.2.99
                Address: 192.168.2.99#53
                **server can’t find xyxyx.google.com: NXDOMAIN

                John

                ![NAT rules.png](/public/imported_attachments/1/NAT rules.png)
                ![VLAN50 IPV4 Config.png](/public/imported_attachments/1/VLAN50 IPV4 Config.png)
                ![VLAN50 internet access.png](/public/imported_attachments/1/VLAN50 internet access.png)
                ![VLAN50 setup.png](/public/imported_attachments/1/VLAN50 setup.png)
                ![VLAN50 rules no internet acces.png](/public/imported_attachments/1/VLAN50 rules no internet acces.png)

                • Derelict LAYER 8 Netgate

                  Are you saying this is solved? No offense but I really don't want to spend time on it if it is working. If something still isn't working please describe exactly what that is.

                  • jschl1

                    No not solved. Problem is can't access internet when I block access to LAN.  I originally thought it was only on one VLAN but it's true for all of them.  Thanks.
                    John

                    • jahonix

                      Do you use the DNS Resolver or the Forwarder, and are the interfaces for the DNS server set correctly?

                      In case of the now default DNS resolver this would be:

                      > Network Interfaces
                      > Interface IPs used by the DNS Resolver for responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.

                      Make sure it serves on your VLAN40 and VLAN50 interfaces.

                      The "Outgoing Network Interfaces" is unlikely to be set incorrectly.

                      • jschl1

                        I'm using DNS Resolver, with Network Interfaces set to All.  You can see my settings for DHCP Server on VLAN50 in attachment above, named VLAN setup.png.

                        Thanks!

                        John

                        • Derelict LAYER 8 Netgate

                          > VLAN50 (with ‘Block DNS from VLAN50’ rule and “Block VLAN50 access to LAN” rule disabled- Has Internet Access- see 2nd screenshot)
                          > Ping to default gateway:  I can ping 192.168.50.1
                          > Ping to 8.8.8.8: I can ping 8.8.8.8
                          > nslookup to www.google.com:
                          >
                          > Server: 192.168.2.99
                          > Address: 192.168.2.99#53
                          > Non-authoritative answer:
                          > Name: www.google.com
                          > Address: 216:58:193:164
                          >
                          > nslookup to xyxyx.google.com:
                          >
                          > Server: 192.168.2.99
                          > Address: 192.168.2.99#53
                          > **server can’t find xyxyx.google.com: NXDOMAIN

                          Your VLAN 50 host is querying Server: 192.168.2.99 for DNS. See the nslookup output above.

                          You are only passing tcp/udp port 53 to 192.168.50.0/24. That rule will not match that DNS server and thus will fall through to the next rule:

```
pass  in  quick  on $VLAN50_WIRED_PLEX inet proto { tcp udp }  from any to 192.168.50.0/24 port 53 tracker 1526234331 keep state  label "USER_RULE: ALLOW DNS TO VLAN50"
```

                          When you have the block to LAN rule enabled, those DNS queries are blocked:

```
block  in  quick  on $VLAN50_WIRED_PLEX inet from 192.168.50.0/24 to { 192.168.2.0/24 10.10.10.1/32 } tracker 1526234439  label "USER_RULE: Block VLAN50 access to LAN"
```

                          When you have that rule disabled, those queries are passed:

```
pass  in  quick  on $VLAN50_WIRED_PLEX inet from 192.168.50.0/24 to any tracker 1526234459 keep state  label "USER_RULE: Allow all rule"
```

                          It really does matter what DNS servers your clients are configured to use. I don't know why the client is trying to query 192.168.2.99. You'll have to figure that out.

                            • jschl1
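The rule walk Derelict describes above, and the diagnostic he asked for earlier (which server nslookup says it queried), as an added worked example; this is not code from the thread, from pfSense or from pf. It models pf's first-match evaluation over the three rules quoted from rules.debug, in the quoted order, assuming every rule carries `quick` (as pfSense generates them) and that an unmatched packet hits the default deny. State tracking, direction and interface names are left out, and the nslookup sample is constructed in the shape of the posted output (server line kept, answer address a made-up placeholder). The rule, packet and helper names are all this example's own.

```python
"""Model of pf first-match ('quick') evaluation for the VLAN50 rules quoted above.

Added illustration, not code from the thread, from pfSense or from pf itself.
Assumes the rule order from the quoted rules.debug: DNS pass, block-to-LAN, allow-all.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    label: str                         # the rule's USER_RULE label
    protos: Optional[FrozenSet[str]]   # None means any protocol
    src: str                           # "any" or a CIDR
    dsts: Tuple[str, ...]              # ("any",) or one or more CIDRs
    dport: Optional[int] = None        # None means any destination port
    enabled: bool = True               # a disabled rule is skipped entirely


def in_net(addr: str, cidr: str) -> bool:
    """True when addr lies inside cidr; the keyword 'any' matches everything."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion the rule lists must hold for the packet."""
    if not rule.enabled:
        return False
    if rule.protos is not None and pkt.proto not in rule.protos:
        return False
    if not in_net(pkt.src, rule.src):
        return False
    if not any(in_net(pkt.dst, d) for d in rule.dsts):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching 'quick' rule decides; nothing matched falls to pf's default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.label
    return "block", "default deny"


def vlan50_rules(block_lan_enabled: bool = True) -> List[Rule]:
    """The three rules from the quoted rules.debug, in the quoted order."""
    return [
        Rule("pass", "USER_RULE: ALLOW DNS TO VLAN50",
             frozenset({"tcp", "udp"}), "any", ("192.168.50.0/24",), 53),
        Rule("block", "USER_RULE: Block VLAN50 access to LAN",
             None, "192.168.50.0/24", ("192.168.2.0/24", "10.10.10.1/32"),
             enabled=block_lan_enabled),
        Rule("pass", "USER_RULE: Allow all rule",
             None, "192.168.50.0/24", ("any",)),
    ]


# Constructed sample in the shape of the nslookup output posted in the thread
# (the Server/Address lines match the post; the answer address is a placeholder).
NSLOOKUP_SAMPLE = """\
Server: 192.168.2.99
Address: 192.168.2.99#53
Non-authoritative answer:
Name: www.google.com
Address: 203.0.113.10
"""


def dns_server_from_nslookup(text: str) -> Tuple[str, int]:
    """Return the server and port from the 'Address: <server>#<port>' line nslookup prints."""
    m = re.search(r"^Address:\s*(\S+)#(\d+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Address: server#port' line in nslookup output")
    return m.group(1), int(m.group(2))


def dns_verdict(client_ip: str, nslookup_text: str,
                block_lan_enabled: bool = True) -> Tuple[str, str]:
    """Which rule decides the client's DNS query, given the server nslookup reports."""
    server, port = dns_server_from_nslookup(nslookup_text)
    return evaluate(vlan50_rules(block_lan_enabled), Packet("udp", client_ip, server, port))


if __name__ == "__main__":
    for enabled in (True, False):
        print("block-to-LAN enabled:", enabled, "->",
              dns_verdict("192.168.50.100", NSLOOKUP_SAMPLE, enabled))
    # A query aimed at the VLAN's own gateway address is caught by the DNS rule either way.
    print(evaluate(vlan50_rules(True), Packet("udp", "192.168.50.100", "192.168.50.1", 53)))
```

Run as a script it prints the block label with the LAN rule enabled and the allow-all label with it disabled, which is exactly the behaviour the thread observed: the DNS pass rule only matches destinations in 192.168.50.0/24, so a query to 192.168.2.99 skips it and lands on whichever rule comes next. A ping to 8.8.8.8 is matched by the allow-all rule in both configurations, which is why it kept working while name resolution did not.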

                            Thanks so much for all your time and help!! Got it working.

                            John

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.