Netgate Discussion Forum

Firewalling with 2 LAN IF

Firewalling
18 Posts 3 Posters 7.3k Views
gerd, last edited by Sep 24, 2008, 7:54 AM (posted Sep 24, 2008, 7:47 AM)

hi !

I "changed" from OpenWrt to pfSense and now... I'm a little bit stuck on the firewall setup for my "special" case (I think it's not as special as I think).
I have 3 interfaces (WAN / LAN / OPT1):
LAN has 192.168.62.254/24
OPT has 192.168.63.254/24
WAN gets its IP via DHCP from my ISP

I set up WAN and LAN (with redirecting etc.) and everything works fine. Now I added OPT1.
For OPT1 I added the same rule as for LAN (src SUBNET pass all), but
I can ping/reach OPT1 from LAN but not vice versa (even a ping from a host in subnet OPT1 to the address of the pfSense box fails; everything is blocked by the firewall => seen in syslog/firewall).
How can I configure it so that LAN and OPT1 have the same "rights" regarding NAT and to each other? (I read the forum for at least 6 hours but without a successful solution.)

I read this in the forum:
Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP.
but in the default setting I can't reach the pfSense box from the OPT1 subnet (ping to the OPT1 side of the box fails, as does any kind of request (DNS/SSH etc.)).

Another point is => I set up OpenVPN (everything is fine in the log). Do I have to create an accept rule for WAN to accept packets on the OpenVPN server port, or is it done automagically?

ciao gerd

GruensFroeschli, last edited by Sep 24, 2008, 7:58 AM

      You can look at the firewall log to see which rule blocks your traffic.
      Could you provide a screenshot of your rule on the OPT interface?

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

gerd, last edited by Sep 24, 2008, 8:22 AM

Yes (in the evening => I'm at work now).
Also I'll try to reset to factory defaults first, because I set up pfSense on an ALIX 2c2 and then changed the box to a 2c3 (and a Soekris vpn1411 card),
but I think that has nothing to do with my "problem".

But e.g. I'm sure that I made a port redirection from WAN port 8080 to the pfSense LAN IP port 80 and I can get the GUI from outside.

ciao gerd

gerd, last edited by Sep 24, 2008, 7:22 PM

So here we go: I set up fresh with all default settings, only the port forwards I need for function.
pfSense box:
lan => 192.168.62.254
opt1 => 192.168.63.254
both with netmask 255.255.255.0
wan is dhcp => cable provider
You can see the LAN rule, the OPT1 rule and the result when I ping from .61 to .254 (where .254 is the pfSense box).
From any host in LAN (192.168.62.X) I can reach host .61 without problems (ping and telnet).
You see the rule for LAN and OPT1 and the result in the firewall log file.
Curious is that I have entries in this log file like

Sep 24 21:05:02  WAN  84.57.126.20:62727  192.168.62.4:49500  TCP
but I have a port forward from WAN to TCP port 49500 on this machine...

The last picture is that I enabled redirection from external port 8080 to local port 80; this also does not work (or so it seems).
The ICMP entry before (for ping replies on the WAN if) works...

[attachments: lan_rule.jpg, opt1_rule.jpg, ping_pfsense.jpg, wan_rule.jpg]

GruensFroeschli, last edited by Sep 24, 2008, 7:53 PM

            The source in the rule on your opt interface is "lan subnet" (think about that).

The rule on your WAN says:
incoming traffic has to originate from port 8080 (very very unlikely that this will ever happen).
If you want to redirect inbound traffic on port 8080 to port 80, create a NAT rule with the pfSense LAN address as destination.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

gerd, last edited by Sep 24, 2008, 10:30 PM

@GruensFroeschli:

The source in the rule on your opt interface is "lan subnet" (think about that).

Yes... and as I wrote, I can "go" from LAN to OPT but not vice versa; this is my "main" problem...

@GruensFroeschli:

The rule on your WAN says:
incoming traffic has to originate from port 8080 (very very unlikely that this will ever happen).
If you want to redirect inbound traffic on port 8080 to port 80, create a NAT rule with the pfSense LAN address as destination.

OK, got it... I created a port forward entry for this but this does not work either...

ciao gerd

GruensFroeschli, last edited by Sep 24, 2008, 10:33 PM

                Hint: what subnet do you have on the OPT1-interface? (it's NOT the lan-subnet) ;)

                Could you show a screenshot of your NAT-rule and the corresponding firewall rule?

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

gerd, last edited by Sep 24, 2008, 11:19 PM (posted Sep 24, 2008, 11:17 PM)

@GruensFroeschli:

Hint: what subnet do you have on the OPT1-interface? (it's NOT the lan-subnet) ;)

OMG... I thought "LAN subnet" meant the subnet of the interface's IP address... so you see, thinking too much sometimes is a bad idea... (but only sometimes)

@GruensFroeschli:

Could you show a screenshot of your NAT-rule and the corresponding firewall rule?

For the 8080 to 80 port "issue"? For a real screenshot you have to wait until tomorrow evening... (I'm not in the mood to start up Vista right now and I'm still a "beginning beginner" with GIMP)
BTW: I have only one port forward rule... maybe because I use "Automatic outbound NAT rule generation (IPsec passthrough)" (checkbox is on)
WAN  TCP  8080    192.168.62.254(ext.: 77.47.40.227) 80 (HTTP)

that's all

ciao gerd

jahonix, last edited by Sep 24, 2008, 11:41 PM

                    Hey, it's easy, you mixed two things.

                    NAT is first, rules apply for the translated ports, and:
                    What is the source port of your office PC seen by pfSense when it tries to access it? It's originating from a natting firewall as well, isn't it?

                    yna…  <-

GruensFroeschli, last edited by Sep 25, 2008, 7:55 AM

For the 8080 to 80 port "issue"? For a real screenshot you have to wait until tomorrow evening... (I'm not in the mood to start up Vista right now and I'm still a "beginning beginner" with GIMP)
BTW: I have only one port forward rule... maybe because I use "Automatic outbound NAT rule generation (IPsec passthrough)" (checkbox is on)
WAN  TCP  8080  192.168.62.254(ext.: 77.47.40.227) 80 (HTTP)

For the NAT rule this looks good.
Now the firewall rule has to look something like:
Source port: any
Source IP: any
Destination port: 80
Destination IP: 192.168.62.254

                      We do what we must, because we can.

                      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

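Two things in this thread trip people up: the OPT1 rule whose source is "LAN subnet" (which no host on 192.168.63.0/24 can ever match, as GruensFroeschli hints), and jahonix's point that NAT runs first, so the WAN pass rule must match the translated destination (192.168.62.254:80), not the external port 8080 and certainly not a source port of 8080. The toy model below reproduces pf's order of evaluation (port forward first, then first-matching pass rule, default block) for both cases. It is an added illustration, not pfSense code and not anything posted in the thread; the Packet/Rdr/Rule classes, evaluate() and the office client address 203.0.113.5 are constructed, while the subnets, the WAN address 77.47.40.227 and the 8080 -> 80 forward are the values from the thread.

```python
"""Toy model of pf's evaluation order on pfSense: the port-forward (rdr)
translation is applied first and the firewall rules are then matched
against the translated packet. Added illustration, not pfSense code."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rdr:
    """A port forward: traffic to ext_port on iface is rewritten to target."""
    iface: str
    proto: str
    ext_port: int
    target_ip: str
    target_port: int


@dataclass(frozen=True)
class Rule:
    """A pass rule; None in a field means 'any'."""
    iface: str
    proto: Optional[str] = None
    src_net: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None


def apply_rdr(pkt: Packet, rdrs: List[Rdr]) -> Packet:
    """Step 1: rewrite the destination if a port forward matches (first match wins)."""
    for r in rdrs:
        if (r.iface, r.proto, r.ext_port) == (pkt.iface, pkt.proto, pkt.dst_port):
            return replace(pkt, dst_ip=r.target_ip, dst_port=r.target_port)
    return pkt


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src_net is not None and \
            ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src_net):
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_ip is not None and rule.dst_ip != pkt.dst_ip:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(pkt: Packet, rdrs: List[Rdr], rules: List[Rule]) -> Tuple[str, Packet]:
    """Step 2: first matching pass rule wins; no match means the default block."""
    translated = apply_rdr(pkt, rdrs)
    for rule in rules:
        if rule_matches(rule, translated):
            return "pass", translated
    return "block", translated


LAN_NET, OPT1_NET = "192.168.62.0/24", "192.168.63.0/24"
PFSENSE_LAN, PFSENSE_OPT1 = "192.168.62.254", "192.168.63.254"
WAN_IP = "77.47.40.227"      # external address quoted in the thread
OFFICE_IP = "203.0.113.5"    # constructed client address


def opt1_ping_verdict(src_net_in_rule: str) -> str:
    """Ping from OPT1 host .61 to the pfSense OPT1 address, with the OPT1 rule's
    source set to the given subnet ('LAN subnet' vs 'OPT1 subnet')."""
    pkt = Packet("opt1", "icmp", "192.168.63.61", 0, PFSENSE_OPT1, 0)
    return evaluate(pkt, [], [Rule(iface="opt1", src_net=src_net_in_rule)])[0]


def wan_8080_verdict(rule: Rule) -> Tuple[str, str, int]:
    """Office client hits WAN:8080 with the 8080 -> 80 forward in place; returns the
    verdict plus the destination the rule was actually matched against."""
    pkt = Packet("wan", "tcp", OFFICE_IP, 51000, WAN_IP, 8080)
    fwd = Rdr("wan", "tcp", 8080, PFSENSE_LAN, 80)
    verdict, translated = evaluate(pkt, [fwd], [rule])
    return verdict, translated.dst_ip, translated.dst_port


# The rule shapes discussed in the thread
WRONG_SRC_PORT_RULE = Rule(iface="wan", proto="tcp", src_port=8080)                  # never matches
WRONG_DST_PORT_RULE = Rule(iface="wan", proto="tcp", dst_ip=WAN_IP, dst_port=8080)   # untranslated, never matches
CORRECT_RULE = Rule(iface="wan", proto="tcp", dst_ip=PFSENSE_LAN, dst_port=80)       # matches translated packet

if __name__ == "__main__":
    print("OPT1 rule, source = LAN subnet :", opt1_ping_verdict(LAN_NET))
    print("OPT1 rule, source = OPT1 subnet:", opt1_ping_verdict(OPT1_NET))
    for name, rule in [("src port 8080", WRONG_SRC_PORT_RULE),
                       ("dst WAN:8080", WRONG_DST_PORT_RULE),
                       ("dst 192.168.62.254:80", CORRECT_RULE)]:
        print(f"WAN rule {name:22}:", wan_8080_verdict(rule))
```

Running it prints "block" for the OPT1 rule with the LAN subnet as source and "pass" once the source is the OPT1 subnet, and for the WAN case only the rule naming the translated destination (192.168.62.254, port 80) passes; both wrong rules leave the connection to fall through to the default block, which is exactly the "everything is blocked" entries seen in the firewall log.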
gerd, last edited by Sep 29, 2008, 11:10 AM

Sorry for the delay, here are the screenshots.

1st entry is the regular forwarding from WAN port 80 to the Linux server port 80 (this works).
2nd is the port forward from 8080 on the WAN if to port 80 on the IP of the pfSense box.
Or is it possible that HTTP listens on port 80 and 8080?

[attachments: prtforward.jpg, rule.jpg]

jahonix, last edited by Sep 29, 2008, 12:10 PM

@gerd:

2nd is the port forward from 8080 on the WAN if to port 80 on the IP of the pfSense box.
Or is it possible that HTTP listens on port 80 and 8080?

If you absolutely need your firewall accessible from WAN I'd prefer using HTTPS.
Set your pfSense to listen to HTTPS on 443 or any other port specified and forward/allow accordingly.
You can do so from the System: General Setup tab.

gerd, last edited by Sep 29, 2008, 12:23 PM

Hmmm, this is difficult... because I use port 443 TCP for OpenVPN (port 443 is the only one which is accessible from inside our company to outside, except 80 and 8080).
So 80 is used for my Linux server and 443 for OpenVPN => 8080 is the only option.
An option would be (maybe) to run the web server on pfSense on port 8080, but then my Nagios complains about a missing service :-)

                            ciao gerd

jahonix, last edited by Sep 29, 2008, 12:34 PM

                              Is your firewall located outside your company???
                              The port doesn't matter from within and you can NAT ext:8080 to int:443 anyway.

gerd, last edited by Sep 29, 2008, 12:57 PM

:-) The firewall here is inside (they use something else); I'm talking about my firewall at home.
The point is that if I want to connect to my LAN at home I have to use port 443, because I'm not working for IT here :-) so I can't change it here (I'm a "normal" user inside our company).
OK, you are right with NAT, but that's exactly what I'm trying right now => I'm NATing port ext:8080 to int:80 and this does not work (I get a timeout, and telneting from outside to port 8080 also gives me a timeout).

                                ciao gerd

jahonix, last edited by Sep 29, 2008, 2:09 PM

                                  ;-)  Don't know why I should need to access my firewall at home while at work, but anyway…

How do you access your firewall when local? HTTP or HTTPS?
What's given at System: General Setup?

webGUI protocol: HTTP / HTTPS
webGUI port:
Enter a custom port number for the webGUI above if you want to override the default (80 for HTTP, 443 for HTTPS).
Changes will take effect immediately after save.

                                  You have to use the same port to NAT to from external.

gerd, last edited by Sep 29, 2008, 2:37 PM

The reason why I want to have access to my home is... sometimes I'm out of the country, and when my wife and kids have a problem with a computer it's easier for me to fix it....
Yes, HTTP is running on port 80 on the pfSense box.
I made a port forwarding from port 8080 on WAN to 80 on the pfSense box.
Other port forwards to my server are working....

                                    ciao gerd

jahonix, last edited by Sep 30, 2008, 9:21 AM

                                      If you can connect to your network via OpenVPN already why do you need WAN access to your firewall?
                                      Can't you do this through the tunnel then, using the local LAN IP and HTTP port?

Anyway, that's your personal choice and you will have reasons for it.

Your rules look fine and I can only guess what's holding you from a successful connect.
                                      Might be that an unencrypted connection is not supported (blocked) by pfSense for security reasons.
                                      I would watch the logs (enable logging for that rule!) and try setting up the GUI for HTTPS, changing the rules accordingly.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.