Firewall LAN rules only work with “single host or alias”

  • Hi there

    I’ve found out a strange thing with my pfSense.
    When I want to open some outgoing ports (80, 25, 110, 21), only port 80 works when I set up my rule for “LAN net”. All other ports won’t work. So I need to set up a rule per PC with its own IP address and then give them all access.

    Proto   Source    Port   Destination   Port   (result)
    TCP               *      *             *      Everything works on this PC
    TCP     LAN net   *      *             80     PC’s can use internet
    TCP     LAN net   *      *             21     PC’s can’t make ftp connection

    So when I give every PC full access with its own IP, why should I use a firewall? ;-)
    What is wrong with my settings, or are there other settings to check?

    Kind regards for your help.

  • Could it be a gateway problem?
    A quick look through your other post indicates to me that you may have tried a lot of things, or are using a good deal of the functions that pfSense provides.
    So the following things may be helpful.
    1. Take the time to make a network diagram.
    2. Start using version 1.2.1-RC2
    3. If you have been experimenting, a reinstall can be the right thing to do.

    I’ve found out a strange thing with my pfsense

    4. Sometimes the livecd can be useful. Boot from it, keep the setup as close to default as possible and retest.

  • Do you still have squid installed?

  • Hi,

    I use this version (1.2-RELEASE built on Sun Feb 24 17:04:58 EST 2008).
    Maybe I should install the latest release and start over again.
    The thing is that I use several setups in different schools, with different configurations.

    Yes, I have installed squid and still like to use it. Can this be the problem?

    Any other suggestions?

  • @fellesnelle:

    Yes, I have installed squid and still like to use it. Can this be the problem?

    If it's in transparent mode it grabs port 80 traffic. If not, you have to open the squid port (usually 3128, but user settable) for it to work.

    Why don't you enable logging for your rules and act on what you find? Otherwise this is like shooting in the dark.

  • Hi

    I’ve installed version 1.2.1-RC2 to test these kinds of things before using it.

    First I installed pfSense with the following configuration:
    “no bridge” mode
    disabled “Default LAN -> Any”
    Added “LAN net” “port 80”
    Added “LAN net” “port 21”

    With this I could allow and block browsing by enabling or disabling the rule for port 80.
    When I tried to use WS_FTP to make an FTP connection in different ways, I could always make a connection.
    (Blocking the rule, deleting the rule, even after restarting pfSense.)

    After this I’ve added other rules to test things out:
    Added “LAN net” “port 25”
    Added “LAN net” “port 110”
    Everything so far works fine, except blocking port 21.

    Now I’ll try to install Squid and let you know if everything still works.

    Thanks already guys.

  • @fellesnelle:

    Everything so far works fine, except blocking port 21.

    Disable the FTP helper and you should be able to block this traffic as well.

    You can set “Disable the userland FTP-Proxy application” on two interfaces:
    the LAN and WAN interface.
    When unset on the LAN interface, I can make an FTP connection but can’t “allow” or “block” it with a firewall rule.
    After setting this option, I can’t make an FTP connection at all.
    This option on the WAN interface makes no difference.

    strange, no??
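The behaviour described in the last few posts (LAN rules are evaluated top-down with first match winning, an implicit deny once “Default LAN -> Any” is disabled, and the userland FTP proxy on the LAN interface grabbing port 21 before any pass/block rule gets to see it) can be made concrete with a small model. The following is an added illustration written for this thread, not pfSense code; the LAN subnet, the host addresses and the way the helper is modelled as an intercept ahead of the rule list are assumptions made for the example.

```python
"""Toy first-match evaluator for pfSense-style LAN rules (added example).

Models: (1) top-down, first-match rule evaluation with implicit deny when
the "Default LAN -> Any" rule is disabled; (2) the userland FTP proxy on
the LAN interface intercepting port-21 connections before the user rules
are consulted (assumption based on the observations in this thread);
(3) per-rule logging, so matches can be inspected instead of guessed at.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ANY = "*"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed LAN subnet


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "TCP", "UDP" or "*"
    source: str                  # "LAN net", a single host address, or "*"
    dst_port: Union[int, str]    # destination port number or "*"
    log: bool = False            # write a log line when this rule matches


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_port: int


def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == ANY:
        return True
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "LAN net":
        return ip in LAN_NET
    return ip == ipaddress.ip_address(rule_source)   # "single host or alias"


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == ANY or rule.proto == pkt.proto)
            and _source_matches(rule.source, pkt.src_ip)
            and (rule.dst_port == ANY or rule.dst_port == pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet, ftp_proxy_on_lan: bool = False,
             log_lines: Optional[List[str]] = None) -> Tuple[str, Optional[Rule]]:
    """Return (verdict, matching rule); verdict is "pass", "block" or "proxy"."""
    # Model assumption: with the FTP helper enabled on LAN, port-21 traffic is
    # handed to the proxy before the rule list is walked, so no rule can match.
    if ftp_proxy_on_lan and pkt.proto == "TCP" and pkt.dst_port == 21:
        return "proxy", None
    for rule in rules:                      # top-down, first match wins
        if matches(rule, pkt):
            if rule.log and log_lines is not None:
                log_lines.append(f"{rule.action} {pkt.proto} {pkt.src_ip} -> "
                                 f"port {pkt.dst_port} (rule: {rule.source} "
                                 f"port {rule.dst_port})")
            return rule.action, rule
    return "block", None                    # nothing matched: implicit deny


# The per-service rule set from the thread, applied to the whole LAN.
LAN_NET_RULES = [
    Rule("pass", "TCP", "LAN net", 80, log=True),
    Rule("pass", "TCP", "LAN net", 21, log=True),
    Rule("pass", "TCP", "LAN net", 25, log=True),
    Rule("pass", "TCP", "LAN net", 110, log=True),
]

# The workaround from the first post: a single host with "any" access, which
# turns the firewall into a pass-through for that PC (constructed address).
PER_PC_ANY = [Rule("pass", "TCP", "192.168.1.10", ANY)]


def demo() -> dict:
    """Run the scenarios from the thread and return the verdicts."""
    logs: List[str] = []
    pc = "192.168.1.10"
    return {
        "lan_net_web":      evaluate(LAN_NET_RULES, Packet("TCP", pc, 80), log_lines=logs)[0],
        "lan_net_https":    evaluate(LAN_NET_RULES, Packet("TCP", pc, 443), log_lines=logs)[0],
        "per_pc_https":     evaluate(PER_PC_ANY, Packet("TCP", pc, 443))[0],
        "other_pc_web":     evaluate(PER_PC_ANY, Packet("TCP", "192.168.1.11", 80))[0],
        # block rule for port 21 with the helper on: the rule is never reached
        "ftp_helper_on":    evaluate([Rule("block", "TCP", "LAN net", 21)],
                                     Packet("TCP", pc, 21), ftp_proxy_on_lan=True)[0],
        "ftp_helper_off":   evaluate([Rule("block", "TCP", "LAN net", 21)],
                                     Packet("TCP", pc, 21), ftp_proxy_on_lan=False)[0],
        "log_lines":        logs,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Walking the model through the thread’s scenarios shows the two points at once: a single-host “any” rule passes every port for that PC while every other LAN host hits the implicit deny, and a port-21 block rule only takes effect once nothing in front of the rule list is intercepting that traffic. The log lines the model collects are the equivalent of turning on logging for each rule, which is the cheapest way to see which rule (or no rule) actually handled a connection.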

    Sorry, I'm pushing this every day on my list (and marking this post as unread), but I don't seem to find the time to actually do this test.
    Maybe someone else has more time or an idea?

  • Hi there

    My ftp problem is solved.
    I had installed a pfSense (test setup) behind a pfSense firewall. So I’ve tried all these settings with my test setup, and maybe that’s the reason for my ftp problem.
    I’ve now installed pfSense 1.2.1-RC2 as my main firewall and it is more stable than before,
    even after installing Squid, SquidGuard and Lightsquid.

    Thanks to all who were so kind to help me.
