Second LAN firewall advice?

  • Recently, I have been working on a bit of a pet project for a client which currently requires the use of two LAN networks (two separate NIC connections on the server) in order to retain network security. One network will essentially be for internal DMZ server connections, while the other will be for wireless connectivity and eventually guest (wired) terminal access.

    Currently, I cannot get past the hurdle our firewall seems to be setting up for us. From my knowledge of the pfSense firewall, rules are per interface, based upon what traffic comes into that interface, and are taken in order from top to bottom.

    Currently, as our system is mainly in test mode, we have only one, very general "pass all" rule, similar in nature to the "allow all to LAN" rule, in place on our second wireless subnet interface. However, despite this very broad and general rule, we have found that only HTTP/HTTPS requests seem to get through. Specific protocols and ports we've been trying include SIP/UDP traffic, ICMP diagnostics, and all of Ubiquiti's UniFi management ports (required for the access points we're using).

    Firewall rules are as follows:

    protocol: any
    IPV4/IPV6: IPV4 (we don't use IPV6 on our network)
    source: any
    destination: any
    port range: any-any

    Any help would be appreciated here. I've been at a bit of a loss in terms of why a wildcard rule would not be enough to pass traffic on this subnet.
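As an added example (not from the post and not pfSense code), a toy model of the per-interface, top-to-bottom, first-match evaluation the question describes: the wildcard rule matches every sample packet arriving on OPT1 (SIP over UDP, ICMP, a UniFi management connection), which is why a practitioner would look outside this rule set (NAT, the other interface's rules, the devices themselves) rather than at the rule. Interface names, subnets, addresses and the UniFi port are assumptions chosen for illustration.

```python
# Added example, not pfSense code: a toy model of the evaluation order the post
# describes (rules belong to the ingress interface, are tried top to bottom, the
# first match wins, unmatched traffic is blocked). All values are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    iface: str          # ingress interface, the one whose rules pfSense applies
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = None   # None for ICMP

@dataclass
class Rule:
    iface: str
    action: str                    # "pass" or "block"
    proto: str = "any"
    src: str = "any"               # "any" or a CIDR such as the interface subnet
    dst: str = "any"
    ports: tuple = ("any", "any")  # inclusive (low, high) or ("any", "any")

    def matches(self, p):
        if self.iface != p.iface or self.proto not in ("any", p.proto):
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want != "any" and ip_address(have) not in ip_network(want):
                return False
        lo, hi = self.ports
        return lo == "any" or (p.dport is not None and lo <= p.dport <= hi)

def evaluate(rules, p):
    """Verdict of the first matching rule on p's interface; default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"

# The poster's wildcard rule on OPT1, plus a LAN rule limited to "LAN net".
RULES = [
    Rule(iface="OPT1", action="pass"),
    Rule(iface="LAN", action="pass", src="192.168.1.0/24"),
]
SAMPLES = {
    "sip_udp": Packet("OPT1", "udp", "192.168.2.50", "203.0.113.10", 5060),
    "icmp_ping": Packet("OPT1", "icmp", "192.168.2.50", "192.168.1.1"),
    "unifi_inform": Packet("OPT1", "tcp", "192.168.2.50", "192.168.1.20", 8080),
    "lan_foreign_src": Packet("LAN", "tcp", "10.9.9.9", "192.168.1.20", 443),
}
def verdicts():
    return {name: evaluate(RULES, p) for name, p in SAMPLES.items()}
```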

  • Hi,

    See image (it is my LAN interface, but for OPT1 it will do just fine; replace LAN with OPT1).

    But: my "source" isn't "any" but "LAN net"; in your case "OPT1 net", where OPT1 is the name of the interface.
    I'm using IPv6, so it's present also.

    I guess your UDP traffic does work, because … DNS works for devices on OPT1, right? ;)
    I guess you could also SSH into pfSense with this simple pass-all rule from a device that is hooked up to this interface.

    Btw, just to be sure:
    Your LAN is something like this (the default, because it works so well with this network)
    and your OPT1 interface has something like this:

  • This can help, I am in the same scenario as you, and I might start to understand something. There are so many ways to do something (sometimes Google will make you more crazy), that's why I can't distinguish which is the right way.
    This is my LAN; I force the use of DNS from pfSense (Unbound) and redirect HTTP/HTTPS traffic to the web proxy in transparent mode.

