@gianpaoloracca UPDATE:
you can scroll dragging the column header.
So it's clunky but it works.

@unififcf said in Block Internal vLan from accessing Web UI:

they said it is a TrueNAS

Ah - yeah they do not have a "gui" to admin it, but you can for sure configure ipfw on it and manually setup the rules. Haven't played with that in long time.

But ipfw can be its own learning curve for sure - yeah best to move that to different vlan than all your users and just use pfsense.

@steveits Thanks again. I will try it one more time. My hot spot has a different subnet than the internal networks. It seems really strange that I can't ping my hot spot from either on of my internal networks.

Thanks

@craigerr1 is P2P? Mobile?
Have u open the rules in both sides to allow traffic on your firewalls->rules->ipsec?
Regards!!!

@johnpoz Thank you so much again. Understand all.

Couple of clarifications:

Yes, understood, I was looking to be able to access pfsense and the LAN, but not the internet, in this instance. Either way, everything you said helped clarify it for me and I both understand it and got it configured and working. :))

2a. Mine is manual, but yes, great points and idea.
The allow rule you are referring to, would be an allow any and the gateway or default gateway correct?

Correction: Vlan 1 includes all ports as members, then port 1 (trunk) is tagged in every vlan. Is that correct configuration?

Also, on one of the switches I am looking at (all are good, one is high-end) I noticed that VLAN 1 (under its VLAN ID tab in membership), is an untagged member in every port as well. This includes ports with the assigned untagged VLAN also. That is incorrect?
Should only be the vlan assigned to that port untagged, correct?

Okay, and if a block egress rule in floating, that would go on the WAN or other gateway as previously discussed, correct?

edit: 1 neither tagged nor untagged now in ports with other vlans untagged on them. All seems to be working, so thinking that is the correct config. :)
Therefore, now not all ports are members on vlan 1, but port 1 (trunk) is tagged on each vlan on other ports.
ex: VLAN ID. ** Port Member
1 ** 1 17 27 (not a member of ports with vlans assigned untagged)
10 ** 1 2 (vlan 10 U on port 2)
Port 1 tagged on every vlan
(formatting issue so had to use * to separate rather than columns)

@johnpoz Okay, all makes sense as always from you. Thank you.

And yes, pfblocker is definitely on the list to learn and setup.

Also: I just setup a new switch and it has brought me to one last issue I'm having trouble with regarding management and isolated LAN. Seems to be of interest from the posts I've read, but no real answers I've seen, so I am going to start another thread, easier to find related topic for others, with last questions for you. Hope you do not mind...

Very thankful for this discussion. Provided a much greater understanding of many things and overall.

For those reading: As to this specific issue, one that I saw many posts about, but this solution I have not seen:

Just found this under logs-->firewall-->settings. I tested it and worked for the noise. Just don't know if will be losing any other and important logging with it. Looking at default block rules I do not think so, but not sure.

Screen Shot 2021-09-28 at 08.20.10.png

@peter_apiit said in Not able to ssh to outside world (WAN):

connect my company jumphost using ssh

Can you change the settings of this ssh access ?
Change the '22' port to '2222' and you'll be good.

@bob-dig
I temporarily disabled my feed and added reddit.com and www.reddit.com to the DNSBL Custom_List and the website (and others) is still not blocked. (Yes, I did a force update all)

I have tried on different computers on the network and they can still access it.

I have also tried on three different browsers.

I am really confused why some sites are blocked while others are not.

Turns out I need to "sudo" with my dedicated user for the command to work. Like this

sudo easyrule block lan 192.168.1.21

Musste leider feststellen, dass "meine" Lösung wohl nur eine gewisse Zeit funktioniert. Irgendwann scheint es so, dass Windows den "ersten" DNS-Server nicht mehr nutzt und daher interne Namen nicht mehr auflöst.
Habe daher vorerst auf IPs umgestellt.

@jack7076 transparent squid does not work with policy routing. Squid binds to wan. Policy routing is done before it reaches wan

@NOCling @the-other ,

das mit dem VLAN ist ne gut Idee, ich muss mir erstmal den switsch anschauen.
(Ist ein kleiner HP 8 Port Gigabit switch)

Werde mir das auf die todo Liste setzten wenn ich mal wider vor Ort bin.

Wen der VLANs kann werde ich mich ggf. wegen der Konfiguration nochmal melden.

Gruß Peter

edit:
on the SG-3100 I have determined that I did not have the switch ports assigned/enabled to any vlans and after that it gave me DHCP on the lan ports and vlans. however I am still with the issue of some devices getting IP's and some not, on the same laptop over Wi-Fi nothing wired something. My travel AP does not support vlans so it has to be on the base level. and none of my non-Mac computers seem to be getting DHCP. And I don't know what caused it but I managed to crash my old router and ALL INTERNETs last night plugging in the new one to do a test. I went out and bought 4 manageed switches so I could break out all of my VLANs to test, and it was the only ez way to solve ingesting my multiple travel WAN VLANS ( local lan, Wi-Fi, Wi-Fi hotspot, wired LTE modem).

If you set pfBlocker to "native alias" instead of block, that will just create an alias and you can create your own block/allow rules however you want them.

@mickman99 Sorry mal wieder die späte Rückmeldung. Habe jetzt Urlaub und kann mich dem Thema wieder expliziter widmen.

Tatsächlich wird der Präfix einwandfrei auf die Interfaces verteilt und stimmen auch mit dem Präfix mit dem der FRITZ!Box überein. Laut Log der FRITZ!Box wird das verteilte Netz an das LAN Interface auch erkannt und als Exposed Host freigegeben.

Ich vertraue allerdings der Firewall der FRITZ!Box nicht so ganz. Ich richte parallel bei einem Nachbar einen OpenVPN Server über IPv6 ein. Auch dort wird der eingehender Verkehr trotz Exposed Host (natürlich nur zum Test so freigegeben) rejected. Sinn macht das nicht.

Zusätzlich ist bei meiner pfsense das Problem aufgetreten, wenn viele Daten auf einmal verarbeitet werden müssen, dass der interne DNS Server abschmiert. Da habe ich auch die Vermutung, dass es an der FRITZ!Box liegt. Der Log der Fritte verrät da allerdings nicht so viel...

@pfuzer pfsense with pfblockergng-dev and suricata

Hallo Zusammen,

vielen Dank für die vielen Antworten.
Ich werde das ganze am Wochenende mal trennen.
Das macht Sinn ja. :)
Aktuell komme ich nur nicht dazu, weshalb das ganze hier etwas eingeschlafen ist.
Bei einem anderen Peer klappts scheinbar.
Sehe merkwürdig.
Aber ja, trennen macht sinn.

Danke erstmal.

@pooperman

there is some issue with SSL handshake:

1.JPG

I'm having the same issue with pfBlocker and NAT rules. I have no issues adding white-list rules for my devices that are on a directly routed subnet. But trying to figure out how to handle an allow rule for an existing NAT rule is causing issues.

Have you found any solution yourself as of yet?

@Rico sadly doesn't seem to solve the issue.

I deployed the OpenVPN on ubuntu behind the firewall and forwarded the port, now I got it working.
I am not sure why it's not working, to be honest, but the fact that it worked for a while and that its very slow without using any resources makes me believe something is unstable there, possibly with how my hosting solution manages VM's.

Anyway thank you for all the help.

Which VPN service are you using? Almost all mainstream providers offer a split tunneling feature that allows you to choose which data to send through the VPN and which not. I use PureVPN but many others like ExpressVPN offer the same with their apps.

No need tu put it off, because

The style of routing described on that link won't work since pfSense doesn't enable the options for multiple routing tables

So, what isn't implemented can't be switched off - neither on.

@Gertjan shodan.io is a service that scans the internet for known exposure and for vulnerabilities

i remember you are french, so I link you here a video in French on the subject https://youtu.be/SxjmOFBtsvk

Thanks dear for your kind reply :)