Netgate Discussion Forum
    Second LAN firewall advice?

    Firewalling | 3 Posts 3 Posters 668 Views
    Nerumph

      Recently, I have been working on a bit of a pet project for a client which currently requires the use of two LAN networks (two separate NIC connections on the server) in order to retain network security. One network will essentially be for internal DMZ server connections, while the other will be for wireless connectivity and eventually guest (wired) terminal access.

      Currently, I cannot get past the hurdle our firewall seems to be setting up for us. From my knowledge of the pfSense firewall, rules are per interface, based upon what traffic comes in to that interface, and are taken in order from top to bottom.

      Currently, as our system is mainly in test mode, we have only one very general "pass all" rule, similar in nature to the "allow all to LAN" rule, in place on our second wireless subnet interface. However, despite this very broad and general rule, we have found that only HTTP/HTTPS requests seem to get through. Specific protocols and ports we've been trying include SIP/UDP traffic, ICMP diagnostics, and all of Ubiquiti's UniFi management ports (required for the access points we're using).

      Firewall rules are as follows:

      protocol: any
      IPV4/IPV6: IPV4 (we don't use IPV6 on our network)
      source: any
      destination: any
      port range: any-any

      Any help would be appreciated here. I've been kind of at a loss here in terms of why a wildcard rule would not be enough to pass traffic on this subnet.
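      As an added example (not from this thread and not pfSense's own code), the following Python model reproduces the per-interface, first-match, top-to-bottom rule evaluation described in the question and runs the poster's "pass all" rule over constructed sample flows of the kinds reported failing. It assumes 192.168.2.0/24 for OPT1 and the commonly used UniFi inform (8080/tcp) and STUN (3478/udp) ports; the rule as written matches every sample, and only a far narrower rule (web ports only) would produce the "only HTTP/HTTPS passes" symptom.

```python
# Added example, not from the original thread: a first-match evaluator for
# per-interface inbound rules, modelled on the poster's description of pfSense
# (rules belong to the interface the traffic enters on, first match wins,
# unmatched traffic is dropped). The rule list reproduces the poster's rule.
import ipaddress
from collections import namedtuple

ANY = None  # wildcard for protocol, source, destination or port range
# proto: "tcp"/"udp"/"icmp" or ANY; src/dst: CIDR network or ANY; ports: (low, high)
Rule = namedtuple("Rule", "action iface proto src dst ports",
                  defaults=(ANY, ANY, ANY, (ANY, ANY)))
Packet = namedtuple("Packet", "iface proto src dst dport", defaults=(None,))  # ICMP: no port

def matches(rule, pkt):
    if rule.iface != pkt.iface:
        return False
    if rule.proto is not ANY and rule.proto != pkt.proto:
        return False
    for net, addr in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        if net is not ANY and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
            return False
    low, high = rule.ports
    if low is not ANY and (pkt.dport is None or not low <= pkt.dport <= high):
        return False
    return True

def evaluate(rules, pkt):
    """Action of the first matching rule; unmatched traffic is blocked."""
    return next((r.action for r in rules if matches(r, pkt)), "block")

# The poster's rule on OPT1 (any/any/any/any-any), Gertjan's variant with the source
# narrowed to the OPT1 network (192.168.2.0/24 assumed, as in the thread), and a
# web-only rule that would reproduce the reported "only HTTP/HTTPS passes" symptom.
POSTER_RULES = [Rule("pass", "opt1")]
NARROWED_RULES = [Rule("pass", "opt1", src="192.168.2.0/24")]
WEB_ONLY_RULES = [Rule("pass", "opt1", "tcp", ports=(80, 443))]

# Constructed sample traffic of the kinds the poster reports failing: SIP/UDP, ICMP
# and UniFi management (8080/tcp inform and 3478/udp STUN are assumed values).
SAMPLES = {
    "https": Packet("opt1", "tcp", "192.168.2.50", "203.0.113.10", 443),
    "sip": Packet("opt1", "udp", "192.168.2.50", "192.168.1.10", 5060),
    "icmp": Packet("opt1", "icmp", "192.168.2.50", "192.168.1.1"),
    "unifi_inform": Packet("opt1", "tcp", "192.168.2.60", "192.168.1.20", 8080),
    "unifi_stun": Packet("opt1", "udp", "192.168.2.60", "192.168.1.20", 3478),
}

def verdicts(rules):
    return {name: evaluate(rules, p) for name, p in SAMPLES.items()}
```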

      Gertjan

        Hi,

        See image (it's my LAN interface, but for OPT1 it will do just fine; replace LAN with OPT1).

        But : my "source" isn't "any" but "LAN-Net"  - in your case : "OPT1-net" where OPT is the name of the interface.
        I'm using IPv6, so it's present also.

        I guess your UDP traffic does work, because … DNS works for devices on OPT1, right ?  ;)
        I guess you could also SSH into pfSense with this simple pass-all rule from a device that is hooked up to this interface.

        Btw : just to be sure :
        Your LAN is something like this 192.168.1.1/24 (the default, because it works so well with this network)
        and your OPT1 interface has something like this : 192.168.2.1/24

        [attached image: willdo.PNG]

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        lcbbcl

          https://doc.pfsense.org/index.php/Example_basic_configuration
          This can help; I am in the same scenario as you, and I might start to understand something. There are so many ways to do something (sometimes Google will make you more crazy) that I can't distinguish which is the right way.
          This is my LAN; I force the use of DNS from pfSense (unbound) and redirect HTTP/HTTPS traffic to the web proxy in transparent mode.
          https://ibb.co/mrCLE6

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.