How do I disable antispoofing on my LAN Interface



  • Hello,

    I have been looking for a couple of days now for a reason why my dd-wrt access point in router mode will not access a server on a pfsense box not directly connected to it. I can ping it but I can not access anything on that network. The topology is as follows.

    DD-WRT -> Pfsense2 -> Pfsense1 -> Pfsense3 box -> LinksysAP

    I can access pfsense3 box from dd-wrt which goes through pfsense1.
    I can access pfsense2 from LinksysAP.

    I have narrowed the problem to pfsense2's firewall (even though it knows about the route to DD-WRT it will not allow any traffic from pfsense1 to pfsense2; if I turn the firewall off and use it just as a router it works). I think it has something to do with antispoofing but I can't figure out how to turn this feature off. When I edit the /tmp/rules.debug file it always gets re-written back to what I assume are the rules in memory. I am a Windows guy so I am very green in BSD. If anyone can point me in the right direction I would really appreciate it.

    Thanks,

    P.S. This would be a nice little check box feature to turn this feature off if you don't want it on. Also all my routers are using RIP v2 and all my routing tables are correct. I'm 95% sure it is this spoofing feature.



  • Have you unchecked the checkbox: "Interfaces -> WAN -> Block private networks"?



  • Thanks for the quick reply.

    No I didn't do that because the problem that I'm having is on my internal interface (LAN). I did try what you suggested and it didn't work. I'm pretty sure that antispoof is my problem. Also I did a pftop from the command line and saw that there are two rules blocking private IP [172.16.0.0 - 172.31.255.255] and also [192.168.0.0/16] addresses on that interface. I think since I set up a rule to allow traffic from that LAN, the network it knows about in the config file can get through. For some reason routed networks on the same LAN segment it thinks are spoofed packets. I just need to figure out how to manually change rules from the command line and have them apply in pfSense rules.
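The post above conflates three different things that can drop traffic from a routed subnet behind a downstream router: pf's antispoof rules, the "Block private networks" option, and the default-deny that catches anything the LAN "pass from LAN net" rule does not cover. The following is an added example, not code from this thread or from pfSense itself: a small Python model of how those rules are evaluated in order. The addresses, interface names and the DD-WRT subnet are constructed, and the model simplifies pfSense's real ruleset (antispoof is modelled from pf's documented expansion `block in on !<if> from <if subnet> to any`, and "Block private networks" is modelled on the WAN only, as in the reply above).

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology modelled on the thread: pfsense2 has WAN and LAN,
# and the DD-WRT router hangs off the LAN with its own routed subnet.
IFACES = {
    "wan": ipaddress.ip_network("203.0.113.0/24"),  # constructed, documentation range
    "lan": ipaddress.ip_network("192.168.2.0/24"),  # constructed LAN subnet
}
DDWRT_NET = ipaddress.ip_network("192.168.10.0/24")  # constructed subnet behind DD-WRT

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    in_if: str   # interface the packet arrived on
    src: str     # source IP address


def antispoof_blocks(pkt: Packet) -> bool:
    """pf's 'antispoof for <if>' expands to 'block in on !<if> from <if subnet> to any'.
    It only drops a packet whose source claims to be inside one interface's subnet
    but which arrived on a different interface. A foreign routed subnet arriving
    on the LAN is therefore not an antispoof hit."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net and pkt.in_if != name for name, net in IFACES.items())


def block_private_on_wan(pkt: Packet, enabled: bool = True) -> bool:
    """Model of the 'Block private networks' option on the WAN interface."""
    if not enabled or pkt.in_if != "wan":
        return False
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in RFC1918)


def evaluate(pkt: Packet, block_private: bool = True, extra_pass=()):
    """Evaluate a packet against the modelled rule order and return (verdict, reason).
    extra_pass: iterable of ip_network objects given their own LAN pass rule,
    e.g. the subnet routed behind DD-WRT."""
    if antispoof_blocks(pkt):
        return ("block", "antispoof")
    if block_private_on_wan(pkt, block_private):
        return ("block", "block private networks")
    src = ipaddress.ip_address(pkt.src)
    # pfSense's default LAN rule only passes sources inside "LAN net".
    if pkt.in_if == "lan" and src in IFACES["lan"]:
        return ("pass", "default LAN net rule")
    for net in extra_pass:
        if pkt.in_if == "lan" and src in net:
            return ("pass", f"explicit pass for {net}")
    # Nothing matched: pf/pfSense default deny.
    return ("block", "default deny")


if __name__ == "__main__":
    cases = [
        ("host on LAN",                Packet("lan", "192.168.2.50"), {}),
        ("host behind DD-WRT",         Packet("lan", "192.168.10.7"), {}),
        ("host behind DD-WRT, rule",   Packet("lan", "192.168.10.7"), {"extra_pass": [DDWRT_NET]}),
        ("LAN address seen on WAN",    Packet("wan", "192.168.2.50"), {}),
        ("RFC1918 source on WAN",      Packet("wan", "172.16.5.5"), {}),
    ]
    for label, pkt, kw in cases:
        print(f"{label:28s} {pkt.in_if:4s} {pkt.src:15s} -> {evaluate(pkt, **kw)}")
```

Running it shows the point the thread eventually reaches: the packet from the subnet behind DD-WRT is not an antispoof hit and is not touched by "Block private networks"; it is dropped by the default deny because the default LAN rule only covers "LAN net", and an explicit pass rule for the routed subnet (or removing the routed subnet by bridging, as the original poster ended up doing) is what makes it flow.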



  • Don't fiddle around on the command line.
    Can you show screenshots of the rules on the pfSense2 (WAN and LAN)?



  • Here is my wan rules:

    Here is my lan rules:



  • Okay here is what I'm seeing in my firewall logs whenever I try to access something on my pfsense1 box from the AP off of the pfsense2 box. Seems the problem is the traffic coming back in, on the shared interface of the pfsense2 box, going to an AP which is routed off the LAN interface of pfsense2.

    Here is what the rule is saying:

    And here is the information from the debug file that I think is causing this issue:



  • Wait you have two subnets on the same interface?
    You could try to enable "Bypass firewall rules for traffic on the same interface" under advanced.



  • Yeah, I was thinking the same thing, but the reason I am doing this instead of just NATing my AP is so that I have granular control of all hosts on the AP. Besides, if I'm using RIP, pfSense should know about the networks it's connected to and allow traffic to flow. Or is my thinking not right? Besides, when I turned on that option to bypass firewall rules on LAN traffic it still didn't work.



  • I think I solved my own problem. In order for my subnets not directly connected to the pfsense box to go out on the internet, I had to turn off automatic outbound NAT, but this caused problems with local subnet routing. In order to solve this I just turned all my access points into bridges and turned automatic outbound NAT back on. Thanks for everyone's help.

