How to allow traffic from WIFI network to specific LAN host
-
Hi group,
I can't seem to figure this out: How do I need to configure the firewall to allow access from my WIFI network to a specific host/port in the LAN network?
I am running pfSense in a VM on CentOS 7. In my setup I am using 3 network interfaces: WAN, LAN and WIFI. WIFI is in fact a wired network between my virtual host and my WIFI router. I am using pfSense for DHCP and DNS in my Wifi network.
Now I would like to allow access from any client in my Wifi network to a specific host:port on my LAN. But I can't get it to work.
I based my ruleset on the Example basic configuration (https://doc.pfsense.org/index.php/Example_basic_configuration).
Specifically, I implemented the example "Example setup isolating LAN and DMZ but each with unrestricted Internet access". I configured my WIFI ruleset like the DMZ configuration in the example. So to allow access from the WIFI network to one specific host on the LAN I added the following rule:
Allow any protocol from WIFI subnet to "Single host or alias" <LAN IP address>
Logging is enabled on this rule. The rule is placed above the rule that blocks all traffic from WIFI to LAN. When I attempt to make the connection from a WIFI client, the firewall log shows a "pass" with a reference to my rule.
However, the connection still does not work: I don't seem to get any response from the host on the LAN.
I captured traffic from a WIFI client to the LAN address, both on the wireless interface and on the LAN interface. On both interfaces I see the same: clients on WIFI send the SYN requests, with many "[TCP Retransmission]" packets, but I do not see any response from the LAN host. From within the LAN network itself the connection to the LAN address works fine.
I would appreciate advice on how I can configure the firewall to allow this traffic?
Thanks!
Regards,
Lucas
-
The WiFi router is actually routing? It won't work like that without static routes, do not do that, absolutely pointless headache.
-
" but I do not see any response from the LAN host."
Well is the lan host running a firewall? Out of the box for example windows machines not going to talk to devices coming from something other than their local network segment.
-
The WiFi router is actually routing? It won't work like that without static routes, do not do that, absolutely pointless headache.
It is routing: all WIFI clients receive their IP address from pfSense. Also, the internet is made available through the pfSense WAN interface and it is readily available on my WIFI clients. Finally, I see traffic coming from my WIFI clients, and the log shows that the rule to allow traffic to my LAN clients does so as expected. I just don't get any response from my LAN, already at the first step of the TCP connection.
-
" but I do not see any response from the LAN host."
Well is the lan host running a firewall? Out of the box for example windows machines not going to talk to devices coming from something other than their local network segment.
No, actually it is a very simple web interface on my network printer. It does not have any firewall functionality. I can readily access this address from the LAN network.
As a test, I widened the subnet mask in the printer IP configuration, so it would include the WIFI network as well. However, this did not make any difference. I am not a network specialist, but somehow I would not expect this to be the solution; I think any traffic destined for an address outside the local subnet would be routed through the gateway, which is my pfSense box.
-
"very simple web interface on my network printer."
And is there a gateway set on this printer.
-
And is there a gateway set on this printer.
Yes, it has a normal network configuration including IP address, netmask and gateway. I have configured a static IP address.
-
And yet you say it's not answering when you sniff. So how does that have anything to do with pfSense?
So maybe you're pointing it to the wrong gateway, i.e. not pfSense.
" I have configured a static IP address."
My guess here would be PEBKAC – how about you change the printer to DHCP and see if that works.
Or the traffic you're sniffing on the LAN interface of pfSense is not actually getting to the client?? But I assume you see a MAC? Or pfSense wouldn't be sending the SYN, etc. Can you ping the IP of the printer from pfSense?
-
My guess here would be PEBKAC – how about you change the printer to DHCP and see if that works.
Well, isn't any problem essentially PEBKAC? After all, the human species is of a rather flawed design… Well, in any case, my motto is: it is always better to ask a question that makes people laugh than to persist in one's own ignorance.
So maybe you're pointing it to the wrong gateway, i.e. not pfSense.
Obviously this was the case. Recently I had to change the LAN IP on pfSense. It completely slipped my mind. Setting the correct gateway solved my problem.
This is one that I'm not going to forget anymore anytime in the future ;-)
Thanks for thinking with me! :-)
-
No, not really: if there is something wrong with the something that is not the fault of the person in the chair setting up the something, then it's not PEBKAC.
Setting the wrong gateway: for sure PEBKAC. You were on the right track when you were saying you saw the packets going there, but nothing coming back.
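The diagnosis in this thread (SYN arrives on the LAN interface, no SYN-ACK ever comes back, and the fix is the host's default gateway, not a firewall rule) is worth modelling explicitly, because pf is stateful: the pass rule for the SYN creates state, and the reply is admitted by that state without any extra rule, so a missing reply points at the host's return path rather than at the ruleset. The following is an added example, not code from the thread or from pfSense. It simulates the reply-path decision a host like the printer makes, using constructed addresses (LAN 192.168.1.0/24 with pfSense at 192.168.1.1 after a move from 192.168.1.254, WIFI 192.168.2.0/24, printer 192.168.1.50) and a constructed list of which addresses answer ARP on each segment. It covers the four situations the thread touches: stale gateway reached from WIFI, same printer reached from the LAN, the widened-netmask experiment, and the corrected gateway.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Optional, Tuple

# Constructed topology (not from the thread). Each segment lists the
# addresses that actually answer ARP on it. 192.168.1.254 is the OLD
# pfSense LAN address and no longer answers; 192.168.1.1 is the new one.
LIVE_ON_SEGMENT = {
    "LAN": {"192.168.1.1", "192.168.1.20", "192.168.1.50"},
    "WIFI": {"192.168.2.1", "192.168.2.10"},
}


@dataclass
class Host:
    name: str
    segment: str
    iface: IPv4Interface          # address + netmask as configured on the host
    gateway: Optional[IPv4Address]


def reply_path(host: Host, remote: str) -> Tuple[Optional[str], bool, str]:
    """Decide how `host` would send a reply (e.g. a SYN-ACK) back to `remote`.

    Returns (next_hop, delivered, reason) where next_hop is "direct",
    "gateway" or None. The firewall never sees a packet that is not
    delivered here, which is exactly the 'SYN seen, no reply' symptom.
    """
    dst = IPv4Address(remote)
    live = LIVE_ON_SEGMENT[host.segment]

    if dst in host.iface.network:
        # On-link according to the host's netmask: it ARPs for the remote
        # itself on its own segment and never consults the gateway.
        if str(dst) in live:
            return ("direct", True, "remote is on the same segment")
        return ("direct", False, f"ARP for {dst} on {host.segment} gets no reply")

    if host.gateway is None:
        return (None, False, "no default gateway configured")
    if host.gateway not in host.iface.network:
        return ("gateway", False, f"gateway {host.gateway} is not on-link")
    if str(host.gateway) in live:
        return ("gateway", True, f"forwarded via {host.gateway}")
    return ("gateway", False, f"ARP for gateway {host.gateway} gets no reply")


def scenarios() -> dict:
    """The four cases from the thread, with the constructed addresses above."""
    wifi_client = "192.168.2.10"
    lan_client = "192.168.1.20"
    stale = Host("printer, stale gateway", "LAN",
                 IPv4Interface("192.168.1.50/24"), IPv4Address("192.168.1.254"))
    widened = Host("printer, /16 netmask", "LAN",
                   IPv4Interface("192.168.1.50/16"), IPv4Address("192.168.1.254"))
    fixed = Host("printer, gateway corrected", "LAN",
                 IPv4Interface("192.168.1.50/24"), IPv4Address("192.168.1.1"))
    return {
        "stale_gw_from_wifi": reply_path(stale, wifi_client),
        "stale_gw_from_lan": reply_path(stale, lan_client),
        "widened_mask_from_wifi": reply_path(widened, wifi_client),
        "fixed_gw_from_wifi": reply_path(fixed, wifi_client),
    }


if __name__ == "__main__":
    for name, (hop, ok, why) in scenarios().items():
        print(f"{name:24s} next_hop={hop!s:8s} delivered={ok!s:5s} {why}")
```

Running it shows the stale-gateway printer answers LAN clients directly but drops replies to WIFI clients because nothing answers ARP for 192.168.1.254; the widened netmask changes the next hop to "direct" but still drops the reply, since the printer now ARPs for a WIFI address on the LAN segment; only the corrected gateway gets the SYN-ACK back to pfSense, where the existing state entry lets it through. The practical check the helper suggested, pinging the printer from pfSense, fails in the first two cases for the same reason, and is the quickest way to tell a host-side return-path problem from a firewall-rule problem.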