@johan-2 Ah. Not using pfSense as the gateway, then. :)

@rennit I guess? With VLANs AFAIK there are two ways to get the VLAN assigned. Either something assigns it (AP, switch) or the device's network config has a VLAN. With the latter, someone with knowledge can change, add, or remove the VLAN tag. If the switch allows the new-VLAN packet on that port then it gets passed on. Normally that's blocked by a managed switch, but generally unmanaged gigabit switches will pass packets without regard for VLAN.

Otherwise something would need to be removing the tag from the packets, in order to cross over to another VLAN.

@viragomann
that did work, anything else I can try?

@yquirion I was surprised as well and was hoping it did not change my configuration which it did not. I was not aware about querying the database so I learned a very nice thing from you as well.

@viragomann & @Gertjan

Thanks for your help!

Managed to solve it with a floating firewall rule! I only tried to block it from the interface that I thought the traffic originated from first. But now I tried to add a floating rule that blocked the traffic from all interfaces that shouldn't have access to it, and it worked!

@przemyslaw85 dzięki za odpowiedź. Jedynie zacząłem używać czasami wireguarda na komórce. Do stronki www mam wykupiony hosting. Póki co mam zintegrowaną kartę intela + tplinka ale chcę kupić właśnie jakąś intela. pfBlocker jeszcze nie konfigurowałem (używam snorta) Mój PC (router) to dell optiplex 7010 i5-3570 16GB ram i SSD 256GB

Pozdrawiam

@jbeez fixed... definitely user error. I was restoring a filter.inc from a prior version. Restored the proper one and its good to go.

Are you running pfBlocker? Snort/Suricata?

Anything show as blocked?

Steve

So, after some further digging, I discovered a couple things.

You have to actually assign the tunnel to an interface The MacOS Wireguard app doesn't support .ddns.net domains

Thank you for your help, once I assigned the interface correctly everything worked like a charm.

@bob-dig Yes, I can ping the domain name and receive a response from the firewall.

@gianpaoloracca UPDATE:
you can scroll dragging the column header.
So it's clunky but it works.

@unififcf said in Block Internal vLan from accessing Web UI:

they said it is a TrueNAS

Ah - yeah they do not have a "gui" to admin it, but you can for sure configure ipfw on it and manually setup the rules. Haven't played with that in long time.

But ipfw can be its own learning curve for sure - yeah best to move that to different vlan than all your users and just use pfsense.

@steveits Thanks again. I will try it one more time. My hot spot has a different subnet than the internal networks. It seems really strange that I can't ping my hot spot from either on of my internal networks.

Thanks

@craigerr1 is P2P? Mobile?
Have u open the rules in both sides to allow traffic on your firewalls->rules->ipsec?
Regards!!!

@johnpoz Thank you so much again. Understand all.

Couple of clarifications:

Yes, understood, I was looking to be able to access pfsense and the LAN, but not the internet, in this instance. Either way, everything you said helped clarify it for me and I both understand it and got it configured and working. :))

2a. Mine is manual, but yes, great points and idea.
The allow rule you are referring to, would be an allow any and the gateway or default gateway correct?

Correction: Vlan 1 includes all ports as members, then port 1 (trunk) is tagged in every vlan. Is that correct configuration?

Also, on one of the switches I am looking at (all are good, one is high-end) I noticed that VLAN 1 (under its VLAN ID tab in membership), is an untagged member in every port as well. This includes ports with the assigned untagged VLAN also. That is incorrect?
Should only be the vlan assigned to that port untagged, correct?

Okay, and if a block egress rule in floating, that would go on the WAN or other gateway as previously discussed, correct?

edit: 1 neither tagged nor untagged now in ports with other vlans untagged on them. All seems to be working, so thinking that is the correct config. :)
Therefore, now not all ports are members on vlan 1, but port 1 (trunk) is tagged on each vlan on other ports.
ex: VLAN ID. ** Port Member
1 ** 1 17 27 (not a member of ports with vlans assigned untagged)
10 ** 1 2 (vlan 10 U on port 2)
Port 1 tagged on every vlan
(formatting issue so had to use * to separate rather than columns)

@johnpoz Okay, all makes sense as always from you. Thank you.

And yes, pfblocker is definitely on the list to learn and setup.

Also: I just setup a new switch and it has brought me to one last issue I'm having trouble with regarding management and isolated LAN. Seems to be of interest from the posts I've read, but no real answers I've seen, so I am going to start another thread, easier to find related topic for others, with last questions for you. Hope you do not mind...

Very thankful for this discussion. Provided a much greater understanding of many things and overall.

For those reading: As to this specific issue, one that I saw many posts about, but this solution I have not seen:

Just found this under logs-->firewall-->settings. I tested it and worked for the noise. Just don't know if will be losing any other and important logging with it. Looking at default block rules I do not think so, but not sure.

Screen Shot 2021-09-28 at 08.20.10.png

@peter_apiit said in Not able to ssh to outside world (WAN):

connect my company jumphost using ssh

Can you change the settings of this ssh access ?
Change the '22' port to '2222' and you'll be good.

@bob-dig
I temporarily disabled my feed and added reddit.com and www.reddit.com to the DNSBL Custom_List and the website (and others) is still not blocked. (Yes, I did a force update all)

I have tried on different computers on the network and they can still access it.

I have also tried on three different browsers.

I am really confused why some sites are blocked while others are not.

Turns out I need to "sudo" with my dedicated user for the command to work. Like this

sudo easyrule block lan 192.168.1.21

Musste leider feststellen, dass "meine" Lösung wohl nur eine gewisse Zeit funktioniert. Irgendwann scheint es so, dass Windows den "ersten" DNS-Server nicht mehr nutzt und daher interne Namen nicht mehr auflöst.
Habe daher vorerst auf IPs umgestellt.

@jack7076 transparent squid does not work with policy routing. Squid binds to wan. Policy routing is done before it reaches wan

@NOCling @the-other ,

das mit dem VLAN ist ne gut Idee, ich muss mir erstmal den switsch anschauen.
(Ist ein kleiner HP 8 Port Gigabit switch)

Werde mir das auf die todo Liste setzten wenn ich mal wider vor Ort bin.

Wen der VLANs kann werde ich mich ggf. wegen der Konfiguration nochmal melden.

Gruß Peter

edit:
on the SG-3100 I have determined that I did not have the switch ports assigned/enabled to any vlans and after that it gave me DHCP on the lan ports and vlans. however I am still with the issue of some devices getting IP's and some not, on the same laptop over Wi-Fi nothing wired something. My travel AP does not support vlans so it has to be on the base level. and none of my non-Mac computers seem to be getting DHCP. And I don't know what caused it but I managed to crash my old router and ALL INTERNETs last night plugging in the new one to do a test. I went out and bought 4 manageed switches so I could break out all of my VLANs to test, and it was the only ez way to solve ingesting my multiple travel WAN VLANS ( local lan, Wi-Fi, Wi-Fi hotspot, wired LTE modem).

If you set pfBlocker to "native alias" instead of block, that will just create an alias and you can create your own block/allow rules however you want them.

@mickman99 Sorry mal wieder die späte Rückmeldung. Habe jetzt Urlaub und kann mich dem Thema wieder expliziter widmen.

Tatsächlich wird der Präfix einwandfrei auf die Interfaces verteilt und stimmen auch mit dem Präfix mit dem der FRITZ!Box überein. Laut Log der FRITZ!Box wird das verteilte Netz an das LAN Interface auch erkannt und als Exposed Host freigegeben.

Ich vertraue allerdings der Firewall der FRITZ!Box nicht so ganz. Ich richte parallel bei einem Nachbar einen OpenVPN Server über IPv6 ein. Auch dort wird der eingehender Verkehr trotz Exposed Host (natürlich nur zum Test so freigegeben) rejected. Sinn macht das nicht.

Zusätzlich ist bei meiner pfsense das Problem aufgetreten, wenn viele Daten auf einmal verarbeitet werden müssen, dass der interne DNS Server abschmiert. Da habe ich auch die Vermutung, dass es an der FRITZ!Box liegt. Der Log der Fritte verrät da allerdings nicht so viel...

@pfuzer pfsense with pfblockergng-dev and suricata

Hallo Zusammen,

vielen Dank für die vielen Antworten.
Ich werde das ganze am Wochenende mal trennen.
Das macht Sinn ja. :)
Aktuell komme ich nur nicht dazu, weshalb das ganze hier etwas eingeschlafen ist.
Bei einem anderen Peer klappts scheinbar.
Sehe merkwürdig.
Aber ja, trennen macht sinn.

Danke erstmal.

Does anyone have any idea on the implementation of this please?^

@pooperman

there is some issue with SSL handshake:

1.JPG

I'm having the same issue with pfBlocker and NAT rules. I have no issues adding white-list rules for my devices that are on a directly routed subnet. But trying to figure out how to handle an allow rule for an existing NAT rule is causing issues.

Have you found any solution yourself as of yet?