4. No access to OPT1 from any interface

No access to OPT1 from any interface

  • M

    I am having issues getting Opt1 interface to work properly. I have setup the Rules (listed below) to allow access in and out of that interface from the LAN and VPN interfaces. I go to Diagnostics > Ping and try to ping something, Opt1 is the only interface that I am able to ping from and get a response. This firewall is at another location and I am using the VPN to access the LAN network without issues. If I ping from the LAN net to Opt1 network, I get nothing. If I ping from VPN to OPT1, I get nothing. OPT1 does not seem to have access to WAN (Internet) interface either.

    I have looked at this over the last several days, googled and tried everything I can find and still can not seem to get anywhere. What am I missing?

    Rules:

    OPT1
    IPv4 * * * * * * none Default allow OPT1 to any rule

    OpenVPN
    IPv4 * * * * * * none OpenVPN VPN wizard

    LAN
    IPv4 * LAN net * * * * none Default allow LAN to any rule

    NAT Outbound is Manual

    0

  • Hi,

    When you change/add/remove firewall rules on an interface, it should work right away.
    But : when you work with interfaces, I advise you to restart the VPN.

    Btw : the openvpn firewall rules accept ICMP traffic ?

    Because you are working over VPN, I advise you to lower the risk to be locked out : open temporary a ssh - or even GUI - access on WAN, so you can login whatever happens. Then restart VPN. When all is ok, remove these entries.

    0
  • LAYER 8 Global Moderator

    @gertjan said in No access to OPT1 from any interface:

    When you change/add/remove firewall rules on an interface, it should work right away.

    Don't forget about existing states.. You may need to kill any states that were allowing the traffic you are now wanting to block.

    If you can ping the opt1 interface IP from lan but can not ping stuff on the opt1 network - you sure its not their firewall on whatever it is your pinging. Also are they using opt1 IP of pfsense as their gateway to get back to you. I would sniff on the op1 interface and validate you send the traffic out to whatever it is your trying to ping.. If you see pfsense send it on, and get no answer that screams firewall on the device.

    0
  • Netgate Administrator

    So what IS working here?

    Do you have DHCP enabled on OPT1? Are clients pulling a lease from it?

    With outbound NAT in manu7al mode you will have to add outbound NAT rules for the new OPT1 subnet.

    Do you see any alerts in the GUI? It may be failing to load the new ruleset correctly. You should still be able to ping from LAN to OPT1 though even without any new rules.

    Steve

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy