Netgate Discussion Forum

    Identify downline IP triggering firewall rule

    Firewalling
      paulnlynda

      I have SG3100 connected directly to the ISP modem. On the LAN port I have a wireless router. All blocked activities logged by the firewall indicate the offending IP as the router's WAN IP. Is there any way to identify the actual user's IP who triggered the blocked activity? That is, do I have any visibility of the router's LAN users?

        jimp (Rebel Alliance Developer, Netgate)

        Not from the firewall in the scenario you describe. The wireless device should be acting as an AP, not a router. pfSense should be seeing the wireless clients directly, and the wireless device should not be doing NAT, DHCP, or anything else but bridging those clients into your network.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          paulnlynda

          Thanks for the quick reply. So once the router creates the new subnet on its LAN, the Netgate box has no visibility there. That makes sense, but I hoped there was some magic that pfSense could do... But no... So for the 3100 to have visibility into the individual users, they all have to be in the same LAN as the Netgate LAN. If I want to monitor everyone's activities, they will have to be on that one LAN subnet. Got it.

            johnpoz (LAYER 8 Global Moderator)

            No, that is not what he said at all.

            You can have wireless clients on any network/VLAN you want and pfSense would see all the IPs of all the clients. But what you cannot do is have some wireless router NATing the IPs... You should be using an AP where the wireless clients are put on the VLAN or network the AP is connected to, not NATing the clients to its IP.

            A real AP would allow for tagging clients on different SSIDs to different VLANs, and pfSense would then route/firewall these different networks and see all the individual clients in the different VLANs. Once you put these clients behind a NAT device then yes, you hide the actual clients' IPs from the upstream devices. Just like the internet only sees your public IP and not your clients' 192.168.x.x addresses, for example.

            What Wifi device are you using, what switch(es) are you using connected to your wifi device and pfsense?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

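The point both replies make, that a NAT router in front of the wireless clients collapses every client into its own WAN address in the pfSense logs, while an AP that bridges clients onto a pfSense-facing network (or VLAN) leaves each client visible, can be shown with a small model. The following is an added example, not code from the thread or from pfSense: all addresses, the log line format and the translation table are constructed, and `nat_translate` only imitates the source-NAT behaviour of a consumer router, allocating a fresh WAN port per flow and recording the mapping. It also shows the one thing that does recover the original client afterwards: the NAT device's own translation records for that port, which pfSense never sees.

```python
"""Added example (not from the forum thread or pfSense): why a NAT router in
front of wireless clients hides their IPs from the upstream firewall, and why
bridging them onto a pfSense-facing network keeps them visible."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the model (assumptions, not the poster's network):
ROUTER_WAN_IP = "192.168.1.50"                 # wireless router's WAN side, on the pfSense LAN
ROUTER_LAN_NET = ip_network("192.168.2.0/24")  # private subnet the router creates behind its NAT


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def nat_translate(flow: Flow, nat_table: dict) -> Flow:
    """Source-NAT a flow the way a consumer wireless router does: rewrite the
    source to the router's WAN IP and a fresh port, and remember the mapping.
    A flow whose source is not behind the router (an AP-bridged client on a
    pfSense-facing network) is passed through unchanged."""
    if ip_address(flow.src_ip) not in ROUTER_LAN_NET:
        return flow
    wan_port = 40000 + len(nat_table)  # simplistic port allocation for the model
    translated = Flow(flow.proto, ROUTER_WAN_IP, wan_port, flow.dst_ip, flow.dst_port)
    nat_table[(translated.proto, translated.src_port, translated.dst_ip, translated.dst_port)] = flow
    return translated


def firewall_log_line(flow: Flow, action: str = "block", iface: str = "lan") -> str:
    """Constructed log format (action,interface,proto,src,dst); it only loosely
    resembles the fields a filter log carries and is not the pfSense filterlog format."""
    return f"{action},{iface},{flow.proto},{flow.src_ip}:{flow.src_port},{flow.dst_ip}:{flow.dst_port}"


def parse_log_line(line: str):
    action, iface, proto, src, dst = line.split(",")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return action, iface, Flow(proto, src_ip, int(src_port), dst_ip, int(dst_port))


def attribute(line: str, nat_table: dict):
    """Map the logged source back to the real client. A client bridged onto a
    pfSense-facing network is logged directly. A client behind the router is
    logged as the router's WAN IP, and can only be recovered if the router's own
    translation table for that WAN port is available; otherwise return None."""
    _, _, flow = parse_log_line(line)
    if flow.src_ip != ROUTER_WAN_IP:
        return flow.src_ip
    original = nat_table.get((flow.proto, flow.src_port, flow.dst_ip, flow.dst_port))
    return original.src_ip if original else None


def demo() -> dict:
    """Run both scenarios and return what the firewall log attributes in each."""
    nat_table = {}
    blocked_dst = ("203.0.113.5", 23)  # constructed destination hit by a block rule

    # Scenario 1: client behind the wireless router's NAT.
    natted_client = Flow("tcp", "192.168.2.10", 51000, *blocked_dst)
    seen_by_pfsense = nat_translate(natted_client, nat_table)
    natted_line = firewall_log_line(seen_by_pfsense)

    # Scenario 2: the same kind of client bridged by an AP onto the pfSense LAN.
    bridged_client = Flow("tcp", "192.168.1.77", 51000, *blocked_dst)
    bridged_line = firewall_log_line(nat_translate(bridged_client, nat_table))

    return {
        "natted_log": natted_line,
        "natted_without_router_table": attribute(natted_line, {}),
        "natted_with_router_table": attribute(natted_line, nat_table),
        "bridged_log": bridged_line,
        "bridged": attribute(bridged_line, {}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the NATed client logged as `192.168.1.50`, unattributable from the pfSense log alone, while the bridged client is logged as its own `192.168.1.77`; only the router's translation table (which a typical consumer router does not export) turns the first case back into `192.168.2.10`.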
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.