Netgate Discussion Forum

Interface subnet misconfigured /32 and firewall default allow rule

Firewalling
7 Posts 4 Posters 842 Views
    bogdanm
    last edited by Nov 18, 2019, 1:43 PM

    I misconfigured (probably for some time) the LAN interface to be 192.168.1.1/32 instead of 192.168.1.1/24.
    The "Default allow LAN to any rule" is on interface "LAN" and allows "LAN net" to "any" ("LAN net" I presume is 192.168.1.1/32).
    Can you tell me why traffic is passed from the whole subnet 192.168.1.1/24 to WAN? (Internet is working properly for computers in 192.168.1.1/24.)
    If I set the network 192.168.1.1/32 instead of "LAN net", traffic will be dropped (cannot access the internet from computers in subnet 192.168.1.1/24).
    I think pfSense is finding that /32 is invalid for LAN and uses another subnet mask (but in the DHCP server the LAN interface will not appear for selection - I don't use the DHCP server for this LAN).

    Thanks.

      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz Nov 18, 2019, 2:42 PM (posted Nov 18, 2019, 2:33 PM)

      Let's see your rules. Also look at your full rules:

      pfctl -sr

      You would see what your LAN net is set to. So for example:
      pass in quick on igb0 inet from 192.168.9.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"

      Do you have anything on floating?

      Maybe your devices using IPv6 to get out? Are you running transparent proxy? Or explicit proxy?

      BTW

      for computers in 192.168.1.1/24

      is not a network, that is a host address. 192.168.1.0/24 would be the network.

      I just changed my test network to /32 for the interface, and did a force reload of the rules to make sure. And now if I look at the rules, it only allows its address with no mask:

      pass in quick on igb4 inet from 192.168.200.1 to any flags S/SA keep state label "USER_RULE: Allow Internet"

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        bogdanm @johnpoz
        last edited by Nov 18, 2019, 3:19 PM

        @johnpoz
        In Interfaces->LAN (em1) the Static IPv4 Configuration is 192.168.10.2 / 32 (I replaced it with a generic IP 192.168.1.1/32 in my post).
        With pfctl -sr:
        pass in quick on em1 inet from 192.168.10.2 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
        pass in quick on em1 inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"

        If I put Static IPv4 Configuration 192.168.10.2 / 24 in Interfaces->LAN (em1), then with pfctl -sr:
        pass in quick on em1 inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"

        No IPv6, VLAN or floating rules, but the firewall configuration is older (more than 2 years) and somewhat complicated (2 WAN, OpenVPN, multiple port forwards). I will try the same thing on a new installation.

        Thanks.

          JKnott @bogdanm
          last edited by Nov 18, 2019, 4:33 PM

          @bogdanm said in Interface subnet misconfigured /32 and firewall default allow rule:

          Can you tell me why traffic is passed from all subnet 192.168.1.1/24 to WAN?

          When a device sends a packet, it compares the network portion of the address with that of the local network. It does this by using the subnet mask, to isolate the network portion of the address. With a /32 subnet mask, there can only be one device on the local network and so any other address within 192.168.1.0 /24 must be elsewhere and traffic for it is sent out to the gateway.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz Nov 18, 2019, 4:57 PM (posted Nov 18, 2019, 4:56 PM)

            @bogdanm said in Interface subnet misconfigured /32 and firewall default allow rule:

            pass in quick on em1 inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"

            Well, that rule would allow it. So you have 2 rules there, one with the /32 (the .10.2) and then another with 10.0/24, the network, that would allow anything in that network. So you didn't reload your rules after you changed it?

            But that rule you show would for sure allow the traffic - so that explains why it's allowed even though you have a /32 on your interface. And thinking LAN net should only be itself, which is the rule above. Why you have 2 rules I don't know. You prob didn't do a reload.


              Derelict LAYER 8 Netgate
              last edited by Nov 18, 2019, 5:03 PM

              @johnpoz said in Interface subnet misconfigured /32 and firewall default allow rule:

              Why you have 2 rules I don't know.

              My guess would be it was duplicated by user action and the netmask corrected.

              Show us Firewall > Rules, LAN, Firewall > Virtual IPs

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                bogdanm
                last edited by Nov 18, 2019, 5:45 PM

                Yes, it is from a Virtual IP - 192.168.10.7/24 is an IP alias - the pfSense router replaced two single-WAN routers, 192.168.10.2/24 and 192.168.10.7/24, some years ago.

                I tested on a pfSense VM and replicated the double allow rule.
                Thanks for the help, good to know that pfSense is reliable and it is a user error.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
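An added example, not code from the thread and not pfSense's own filter.inc: a small Python model of how the interface "net" macro ("LAN net") turns into pf rule sources, together with a parser for `pfctl -sr` output so the same thing can be checked on a live box. The expansion logic is a reconstruction of what the thread observed (a /32 contributes only the bare host address, any other prefix contributes the network, and an IP Alias VIP on the interface contributes its network the same way); the function names and the sample `pfctl -sr` text are constructed for this example.

```python
"""Model of pfSense "<interface> net" expansion plus a pfctl -sr audit helper.

Hypothetical reconstruction based on the rules bogdanm pasted; it is not
pfSense's implementation. Requires only the standard library (Python 3.7+).
"""
import ipaddress
import re

# Pulls the "from <source>" field and the rule label out of one pfctl -sr line.
PFCTL_SOURCE_RE = re.compile(r'\bfrom (\S+) to \S+.*label "([^"]*)"')

DEFAULT_LABEL = "USER_RULE: Default allow LAN to any rule"

# Constructed sample: the two lines bogdanm saw on the misconfigured box.
SAMPLE_PFCTL_SR = """\
pass in quick on em1 inet from 192.168.10.2 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em1 inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
"""


def interface_net_entries(iface_cidr, vip_cidrs=()):
    """Sources the "<interface> net" macro expands to (modeled behaviour).

    A /32 on the interface yields only the host address with no mask, any
    other prefix yields the network, and each IP Alias VIP is treated the
    same way. Duplicates collapse, which is why fixing the mask to /24 left
    a single rule once the interface and the /24 VIP shared one network.
    """
    entries = []
    for cidr in (iface_cidr, *vip_cidrs):
        intf = ipaddress.ip_interface(cidr)
        if intf.network.prefixlen == intf.max_prefixlen:
            entry = str(intf.ip)            # /32: bare host, as pfctl showed
        else:
            entry = str(intf.network)       # e.g. 192.168.10.0/24
        if entry not in entries:
            entries.append(entry)
    return entries


def render_rules(ifname, entries, label=DEFAULT_LABEL):
    """Render pfctl -sr style pass rules for each expanded source."""
    return [
        f'pass in quick on {ifname} inet from {e} to any flags S/SA '
        f'keep state label "{label}"'
        for e in entries
    ]


def parse_rule_sources(pfctl_sr_output, label):
    """Source field of every rule in pfctl -sr output that carries `label`."""
    sources = []
    for line in pfctl_sr_output.splitlines():
        m = PFCTL_SOURCE_RE.search(line)
        if m and m.group(2) == label:
            sources.append(m.group(1))
    return sources


def matching_source(src_ip, entries):
    """First expanded source that would pass traffic from src_ip, else None."""
    ip = ipaddress.ip_address(src_ip)
    for e in entries:
        if ip in ipaddress.ip_network(e, strict=False):
            return e
    return None


def broader_than_interface(iface_cidr, entries):
    """Sources that admit more than the interface's own address/network.

    This is the audit check: with a /32 on the interface, any /24 source on
    the "allow LAN" rule must be coming from somewhere else (here, the VIP).
    """
    own = ipaddress.ip_interface(iface_cidr).network
    return [
        e for e in entries
        if not ipaddress.ip_network(e, strict=False).subnet_of(own)
    ]


if __name__ == "__main__":
    # bogdanm's box: interface 192.168.10.2/32 plus IP Alias VIP 192.168.10.7/24
    entries = interface_net_entries("192.168.10.2/32", ["192.168.10.7/24"])
    for rule in render_rules("em1", entries):
        print(rule)
    print("192.168.10.55 passes via:", matching_source("192.168.10.55", entries))

    # johnpoz's lab test: /32 and no VIP, so only the interface address matches
    lab = interface_net_entries("192.168.200.1/32")
    print("192.168.200.50 passes via:", matching_source("192.168.200.50", lab))

    # Audit a captured pfctl -sr against the configured interface mask
    live = parse_rule_sources(SAMPLE_PFCTL_SR, DEFAULT_LABEL)
    print("broader than interface:", broader_than_interface("192.168.10.2/32", live))
```

On a real system, feed `broader_than_interface()` the output of `pfctl -sr` captured from the console and the mask from Interfaces > LAN; anything it returns is a source the interface address alone does not explain, which in this thread pointed straight at the Virtual IP.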