Firewall rules seem broken



  • Having a real problem setting firewall rules - maybe it's because I don't have a clue what I'm doing BUT the result is driving me crazy

    The only way I seem to get a connection is to allow all to all

    If I create a rule to allow WAN to LAN (either net or address) there is no Internet on the LAN NIC.

    If I create a rule - all to all for the LAN it's connected - I have the same problem with VLAN interface.

    I need to understand what is going on here - why is a specific route being blocked and not all to all? Or am I missing something very basic - Can anyone please point me in the right direction?


  • Rebel Alliance Global Moderator

    "Can anyone please point me in the right direction?"

    Maybe if you gave some actual details of your setup and rules.

    "If I create a rule to allow WAN to LAN" Are you trying to do a port forward? Do you have nat disabled? I cannot think of any rule you could put on the wan that would break lan access??

    There is no way to help you without something to actually go off of..



  • Here's my set up (just trying to get my head round it coming from Tomato – ddwrt)

    NAT rule for each interface allow all

    Modem -192.168.2.1/24 PPPoA to WAN dhcp (rule allow all to all)

    LAN 10.0.0.10/24 (rule allow all to )

    2 OPENVPNs: -OPENVPN_1 OPENVPN_2 (rules WAN to individual OPENVPN interfaces)

    3 VLANS tagged /100/ 200/ 300 -VLANS on separate NIC not designated as interface in itself just the VLANS.

    rules allow OPENVPN 1 to VLAN 100

    Allow OPENVPN2 to VLAN 200

    Allow WAN to Clear_NET VLAN 300 (attempt to make VLAN 300 clear connection to ISP)

    The problem is this – If the LAN rule is changed to specific rule allow WAN to LAN there is no connection to the internet – if left as all to all its fine

    If any of the VLANs are changed to allow all to all there is a connection (not the right one but a connection)

    If it's set to only allow from WAN to VLAN 300 (for example) - nothing


  • Rebel Alliance Global Moderator

    "Allow WAN to Clear_NET VLAN 300 (attempt to make VLAN 300 clear connection to ISP)"

    What???

    Post up screenshots of your rules…

    "If the LAN rule is changed to specific rule allow WAN to LAN there is no connection to the internet"

    Why would you change something on lan to allow wan?? Rules are evaluated on the interface the traffic enters pfsense on. Top down, first rule to trigger wins, no other rules are evaluated. Traffic from wan would never enter your lan interface, so what would be the point of a rule there to allow traffic from wan in?



  • I don't really have much idea here of what it should be doing

    I thought that the internet comes in on the WAN and gets allowed on to the LAN by the rules on WAN and LAN (I'm confused here)
    So created a rule on WAN to allow WAN to LAN

    Then on the LAN created a rule to allow LAN to see the WAN

    I apologize for being so dumb on this – it was ok just with regular single internet or even one VPN running – but when trying to route clear net and 2 OPENVPNs to 3 VLANs I'm totally out of my depth



  • Rebel Alliance Global Moderator

    Pretty much every single one of those rules is pointless..  Other than the default rules.

    What does clear net mean?  You mean this traffic is not natted?  Its a network segment that is routed to you over a transit network?

    Rules are evaluated as they enter an interface.. I.e. as traffic from lan enters the lan interface you look at each rule from top down, does that traffic match that rule - then it wins and all other rules on that interface are not evaluated.

    Return traffic is allowed because a state is created when the originating traffic was let out.  Which is why you do not need a rule on say the wan to let the answer back in.

    What exactly are you trying to accomplish and what is clear net?  What sort of IP do you get from this and from where?  Are you wanting to have this network behind pfsense, are you wanting to route it through pfsense?  Is pfsense going to nat it?

    Your openvpn1 rule for example on that interface is saying that the pfsense IP address on that interface can talk to itself - when would that ever ever ever happen?

    Your wan rule says that an IP in the wan network?  Which is what exactly?  These would only be IPs that fall into the network mask on your wan IP.. Not the internet can talk to pfsense LAN IP address..  When would that ever ever happen?  Did you create a port forward to send traffic to the lan IP of pfsense?



  • The outside world internet (fixed ip from ISP) comes in to the pfsense WAN from modem with authenticated PPPoA session

    What I would like to do is route 2 separate OPENVPN connections and the outside clear internet (as it comes from the ISP) onto 3 separate VLANs which can be distributed by ethernet via a VLAN enabled switch and a wireless AP sending out 3 VLANs on separate SSIDs

    Does that make any sense?

    I've obviously got the completely wrong idea of how to organize this – which is why I'm not getting anywhere – apologies for my stupidity!


  • Rebel Alliance Global Moderator

    Ok so these vpn connections are connections pfsense is connecting to as a client? They are site to site connections to pfsense?

    As to clear internet.. Still confused as to what this is? You say you get a public IP from your isp.. Ok let's call that 1.1.1.1.. Is clear net supposed to be say me trying to connect to you from the public internet? Or is it some other IP / network you get from your isp?

    So you want 3 networks behind pfsense… So lets say 192.168.0/24, 192.168.1/24, 192.168.2/24 -- do you have any other networks?  Do you have say a lan?

    So on your openvpn connections.. You want inbound traffic to go to something in one of your networks behind pfsense?  Or do you want say everything that is using 192.168.1/24 behind pfsense to go out to vpn1 connection, and everything on 192.168.2/24 to use vpn2 connection..

    And then say 192.168.0/24 to just go out the internet connection you get from your isp, not use a vpn.. This is what you're calling clear net? This is not some other network you get from your isp..

    So you have this..




  • Sorry for making it confusing

    I think your diagram is right – Although your diagram seems to put the VPNs outside of the Pfsense box? - I'm just at a loss as to how to enable it

    The LAN is static on 10.0.0.10/24 with dhcp

    The ClearNet is just the connection coming from the ISP – public IP address which I want to route to say VLAN 300 on an address of 10.0.6.1/24

    The other OPENVPNs (2 of them) (both clients in pfsense openvpn) I want to go to VLAN100 (10.0.4.1/24) and VLAN200 (10.0.5.1/24). They are UDP TUN connections – Peer to Peer SSL/TLS

    The result I would like is anything connected to VLAN 300 only has the internet as it comes from the ISP

    Anyone connected to the other 2 VLANs should get the respective OPENVPN Client address and connect through the OPENVPN depending on which VLAN they are connected to. And additionally the connection to the outside should die if the VPN connection fails and not return to the ISP address


  • Rebel Alliance Global Moderator

    So are your vpns something you setup on pfsense and clients are inbound to you from the internet? Or is the vpn something you're connecting to from pfsense, like a vpn service? Many people like to setup say PIA as vpn service and then route say their torrent boxes through that, or use a vpn to circumvent say netflix geo restrictions.

    So you're saying you have a vpn server setup on pfsense. You have 2? Or just vpn listening on say tcp and udp?

    "The other OPENVPNs (2 of them) ( both clients in pfsense openvpn) "

    If you're setting connections as clients in pfsense - then those would be outbound to say a service or a site to site sort of connection. Your devices behind pfsense that are using an openvpn client connection in pfsense would still get an IP from pfsense, they wouldn't get an IP from your vpn service.

    "I want to route to say VLAN 300 on an address of 10.0.6.1/24"

    So you have 4 networks behind pfsense? You say your lan is using 10.0.0/24 – where do you want that to go for internet?  You have your public internet, your 2 vpn connections..  Where else could it go?  So your lan has to use either your isp public IP, or it has to go through 1 of the vpn connections.

    You could have as many network segments/vlans as you want behind pfsense. What connection they use for internet would be based upon policy routing. So they either go out to the internet via just the isp IP they give you, or they route through a client vpn connection pfsense has. Pfsense would still assign all the IPs behind pfsense no matter what segment/vlan they are on. You would then either nat their outbound connections to your public IP from your ISP or you would nat it to the IP you get from the vpn connection you setup in the pfsense openvpn client.

    So see in this example.. I have a vpn client connection to one of my vps (just like a vpn service you would pay for). This is assigned to another interface I call ns1vpn. The client connection gets a 172 address from the vpn connection. I then do an outbound nat to this, currently limited to my lan network of 192.168.9/24; I have no use for any of my other segments to use that connection. Now normally my lan goes out my normal isp connection.

    But if I want I create a rule on that lan that says go out the vpn connection - see image 2 attached.

    So if I enable that rule, my device on my lan with IP 192.168.9.100 would go out my vpn connection and to the internet it would look like it came from that vpn server with the 209. IP address.


  • Thanks so much for your help and patience dealing with a simpleton!

    I'll attempt to follow your advice.

    My VPN interfaces have none for IPv4 config type – is that ok or should it be static?

    Hopefully to get:

    The LAN should get its internet connection (public IP) from the WAN

    The VPNs are Pfsense client connections to OPENVPN service (to avoid Geo restrictions)

    Result should be LAN NIC has internet address set by ISP

    VLAN 1 has connection  from VPN via Pfsense client

    VLAN 2 has connection from 2nd VPN client from Pfsense

    VLAN 3 has connection from internet direct from ISP



  • Rebel Alliance Global Moderator

    Ok what I would suggest you do is get your lan side networks working..  Then worry about routing them out your vpn connections.

    So can all your networks get out via "clear" internet..  Your lan and 3 vlans?



  • Again many thanks for your help!

    I'm out of town at the moment and can't get access to my network but from memory my network is set with a wireless AP (unifi lite) running at the moment off the LAN NIC. When a VPN client is running the LAN gives out the client VPN address

    That is OK temporarily but if the VPN dies the LAN goes back to the ISP address (not good for Netflix) which is why I was trying to have 2 vpns and a "clear" net on one wireless AP

    The unifi AP has its own problems using the controller (I've found) on a pfsense NIC but that's another story.

    Anyways, thanks again and I will report back when I get back in a few days


  • Rebel Alliance Global Moderator

    I have no idea what problem you're having with AP and pfsense nic.. Why would your AP just not be plugged into your switch?? Do you have a vlan capable switch.. How are you doing these other local networks that you want to route out different connections.. They are all on the same lan?



  • The unifi ap is only being run on the lan nic at the moment putting out one ssid to test its operation and range. This is fine mostly but does have a habit of sometimes losing its way (becoming disconnected or unadopted by the controller and then is offline - I think it's due to not having unifi routers and switches and the fact it requires a controller to function, but that's another issue).

    I'm just testing the AP on the LAN at the moment. Later when I get the VLANs sorted it will be on a netgear vlan enabled switch.
    The VLANs are to be tested via a notebook tagged vlan wired connection to eliminate any errors that could be due to the AP and or any incompatibility.

    I have noticed that Pfsense are selling routers with unifi APs for wireless connection - I'd be very interested in seeing how they cope with the controller software - is it an add on within Pfsense?

    I've been relying on what information I can find on setting up pfsense as I'm merely a user and not at all competent in what I'm trying to do. Especially coming from consumer plug and play and then ddwrt hacked consumer equipment. So I'm really grateful for any assistance.


  • Rebel Alliance Global Moderator

    I run multiple unifi AP in my home setup. I just run the controller on a VM.. You don't actually need the controller unless you want the info it gives, or run its captive portal, etc.

    So you have your AP plugged into your lan nic, where are you running the controller?  You sure do not need unifi switches/routers and stuff to run the AP.

    There were some guides somewhere on running the unifi controller software on pfsense but I would not recommend such a thing. I guess if it was an approved package from pfsense then sure. But until it got a blessing from the pfsense team I would just run your own controller. They do sell a little key to run it on if you want for like $80, or you could run it on a raspberry pi.

    As to having a backup vpn in case your first vpn connection goes offline. Ok, but if what you're wanting is to just keep it from going out clear when the vpn goes down, that is easy enough to setup via just your firewall rules. If the only rule you have is to send it out the gateway (vpn connection) and that connection is down then that client wouldn't have internet connectivity is all.

    BTW where are you seeing that pfsense is selling routers with unifi as option? The unifi stuff is highly recommended by many here on the board, but I don't see - at least last I checked the pfsense store did not have this option.
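    To make johnpoz's three points concrete (rules are consulted only on the ingress interface, top down, first match wins; the state from the outbound packet admits the reply with no WAN rule; a policy-routing rule pinned to a down VPN gateway gives no connectivity rather than leaking out the ISP), here is a toy stateful filter added for illustration. It is not pfSense code and the interface names, rules and addresses are constructed; the poster's "WAN to LAN" rule is included to show it is never hit by LAN-originated traffic.

```python
# Added illustration, not pfSense code: a toy stateful filter following johnpoz's
# description. Rules are consulted only on the interface a packet ENTERS, top-down,
# first match wins; a rule may pin a gateway (policy routing); the state created by
# the first packet lets the reply back in with no WAN rule. Addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    iface: str              # interface the rule lives on
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    gateway: str = "isp"    # where matching traffic is sent (policy routing)

@dataclass
class Firewall:
    rules: list
    gateways_up: dict       # gateway name -> reachable?
    states: set = field(default_factory=set)

    @staticmethod
    def _hit(net, addr):
        return net == "any" or ip_address(addr) in ip_network(net)

    def packet(self, iface, src, dst):
        if (dst, src) in self.states:            # reply to traffic we let out earlier
            return "allow (state)"
        for r in self.rules:                     # top-down, ingress interface only
            if r.iface != iface or not self._hit(r.src, src) or not self._hit(r.dst, dst):
                continue
            if not self.gateways_up.get(r.gateway, False):
                return f"drop ({r.gateway} down, no fallback to ISP)"
            self.states.add((src, dst))
            return f"allow via {r.gateway}"
        return "drop (no rule matched)"

def demo():
    fw = Firewall(
        rules=[
            Rule("wan", "203.0.113.0/24", "10.0.0.1/32"),  # poster's "WAN to LAN": never hit by LAN traffic
            Rule("lan", "10.0.0.0/24", "any"),             # LAN out via the ISP
            Rule("vlan100", "10.0.4.0/24", "any", gateway="vpn1"),  # VLAN 100 pinned to VPN 1
        ],
        gateways_up={"isp": True, "vpn1": False},          # VPN 1 is currently down
    )
    return [
        fw.packet("lan", "10.0.0.50", "198.51.100.9"),      # allow via isp
        fw.packet("wan", "198.51.100.9", "10.0.0.50"),      # allow (state): the reply
        fw.packet("wan", "198.51.100.7", "10.0.0.50"),      # drop (no rule matched)
        fw.packet("vlan100", "10.0.4.20", "198.51.100.9"),  # drop (vpn1 down, no fallback)
    ]
```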



  • The Pfsense box is https://store.pfsense.org/SG-4860/ with wifi option of unifi APs

    At the moment I've got a controller on the Linux notebook I'm using to test the system so it's not on all the time which is probably why there can be problems and why I get a disconnect with the unit going into 3sec blue flashing and going off line
    Also have the iPhone app which accesses the AP but not sure that it counts as a controller.

    I'm still learning and only have experience of running a VM to run dos and old win 3 apps on Linux

    I had thought that I'd maybe be better off with an AP that would run without a controller and just had a web accessible interface like my modem.


  • Rebel Alliance Global Moderator

    Nice – seems they pulled all the wifi addon cards and are only providing external AP now... Finally, I think that is a great direction to be honest. They point to all unifi stuff for warranty, support, firmware, etc.. So most likely you're just on your own to run the controller. I don't really see it being an official addon/package/addition to the pfsense distro.

    If you don't have experience with vm, I would prob suggest you pick up their cloud key. https://www.ubnt.com/unifi/unifi-cloud-key/

    That is going to be the simple solution to running the controller.. No, the ios app is just a set it and forget it sort of thing. But the AP do not have to talk to the controller to work.. Your blinking lights.. how is it flashing?? What is the exact pattern, are you sure it just wasn't updating firmware? You can view what the blink patterns mean here https://help.ubnt.com/hc/en-us/articles/204910134-UniFi-What-do-the-LED-Color-Patterns-Represent-for-UniFi-Devices-

    You know you could just run the controller on your normal use pc, fire it up when you want to change something and just shut it down. Or just the app for your phone works too - all you need the controller for is extra features and tracking clients and the bandwidth they use, etc. I really love having the information the controller provides 24/7 so that is why I run it. I don't use their captive portal or anything. Or their guest network, I just put the different ssids on different vlans and handle that with pfsense.



  • @johnpoz:

    I don't really see it being an official addon/package/addition to the pfsense distro.

    Redistribution isn't permitted, otherwise it's something I would have considered.