Netgate Discussion Forum

    Can't turn off default Deny Private Networks rule

    Scheduled Pinned Locked Moved Firewalling
    13 Posts 2 Posters 1.5k Views 2 Watching
    mark hisel:

      I have a wireless router, gateway IP is 192.168.2.1
      pfSense WAN IP is 192.168.2.2

      I also have an Android tablet that gets its IP from wireless DHCP - so, something like 192.168.2.6

      Everything is VM on Hyper V and it all works, except I need the tablet to access a server behind pfSense.

      The logs say it's blocked by Default deny rule IPv4 (1000000103)

      I have disabled default rules on the WAN interface and set port forwarding

      Please help?

      johnpoz (LAYER 8 Global Moderator):

        You would have to create a port forward to get to something on pfsense lan..

        You can't disable default rules - you can disable logging of them.. You mean you disabled the block rfc1918 rule?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        mark hisel:

          That's right. I'm not sure I guess what the default rules are, but don't tell me now! :) I can barely handle what I already know about it.

          I disabled the rfc1918 rule and the bogons rule, made the port forward, and created a pass rule in the firewall.

          It shows up in the log now; it's somewhat counter-intuitive (to me anyway) that the Destination of the firewall rule is the Wan Address and not the LAN Net.

          I still can't hit the VM server from the Android tablet but I'm closer. I think I can thrash around a bit more from here. Thanks for moderating, you're doing great!

          johnpoz (LAYER 8 Global Moderator):

            Lets see your wan rules and your port forward.

            Dest would be pfsense wan address because it's going to "forward" that it sees to it, to the IP behind pfsense.

              mark hisel:

              NAT
              interface WAN
              protocol TCP
              Src Add *
              Src Port *
              Dest Add WAN Address
              Dest Port 50051
              NAT IP 192.168.40.3
              NAT Port 50051

              RULES
              protocol IPv4 TCP
              source alias includes dhcp IPs from wireless router
              port *
              dest WAN Address
              port 50051
              gateway *

                mark hisel:

                NAT source port must also be 50051 apparently; it doesn't get through when set to ANY

                  mark hisel:

                  Do I need a Pass rule on LAN? I tried this but it hasn't worked

                  protocol IPv4 TCP
                  source LAN Address
                  port *
                  dest LAN Net
                  port 50051
                  gateway *

                    johnpoz (LAYER 8 Global Moderator):

                    picture is WAY better dude...

                    Source of 50051 would be included in ANY ;) So not sure what you're thinking..

                    Post a screenshot!

                      mark hisel:

                      Turns out pictures take too much skill

                      Yeah, I thought ANY would work, but it doesn't get into the logs when I do that. If I put the port number in there it does. Go figure.

                      ok I figured out how to upload a picture. pretty cool.
                      [image: 0_1552266748441_NATrules.png]

                        johnpoz (LAYER 8 Global Moderator):

                        So your port forward is not linked to your wan rule.. Why did you uncheck let it create the rule for you..

                        And what is the table for your privatewireless? alias?

                        This is what the rules should look like

                        [image: 0_1552267174572_portforward.png]

                        Sure you can put in your alias as source if you want.. But really you have boxes on your own network wan wifi that you need to block?

                        Why did you change this?
                        [image: 0_1552267382034_whydidyouchange.png]

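The thread turns on two things pfSense does under the hood: the port forward (an rdr translation in pf) rewrites the destination before the WAN filter rules are evaluated, so the pass rule has to match the server's address, which is what the rule pfSense links to a port forward contains; and the "Block private networks" rule sits ahead of user rules and matches any RFC1918 source, which on a WAN that is itself a 192.168.2.0/24 segment means every host on the wireless router. The model below is an added illustration, not pfSense's or pf's code. The addresses and TCP port are the ones from the thread; the `Packet`, `PortForward` and `Rule` classes, the `evaluate` helper and the tablet's source port 51234 are constructed for the example.

```python
"""
Added example (not pfSense code): a small model of how pf, the packet
filter underneath pfSense, handles an inbound port forward.  The rdr
translation runs before the WAN filter rules, so a pass rule must match
the translated destination (the server), not the WAN address.
Addresses and the port come from the thread; helper names are made up.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

WAN_ADDRESS = "192.168.2.2"  # pfSense WAN address, from the thread
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    """NAT entry: WAN address:dport is rewritten to target:target_port."""
    dport: int
    target: str
    target_port: int


@dataclass(frozen=True)
class Rule:
    """WAN filter rule; None means 'any', i.e. '*' in the GUI."""
    action: str                 # "pass" or "block"
    dst: Optional[str] = None   # IP or CIDR
    dport: Optional[int] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    descr: str = ""


def _addr_match(spec: Optional[str], addr: str) -> bool:
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def apply_port_forward(pkt: Packet, forwards: List[PortForward]) -> Packet:
    """rdr step: rewrite the destination before any filter rule sees it."""
    for fwd in forwards:
        if pkt.dst == WAN_ADDRESS and pkt.dport == fwd.dport:
            return replace(pkt, dst=fwd.target, dport=fwd.target_port)
    return pkt


def evaluate(pkt: Packet, forwards: List[PortForward], rules: List[Rule],
             block_private_networks: bool) -> Tuple[str, str]:
    """Return (action, reason) for an inbound WAN packet; first match wins."""
    # pfSense places 'Block private networks' ahead of the user's WAN rules.
    if block_private_networks and any(ip_address(pkt.src) in n for n in RFC1918):
        return "block", "Block private networks from WAN"
    translated = apply_port_forward(pkt, forwards)
    for r in rules:
        if (_addr_match(r.src, translated.src)
                and (r.sport is None or r.sport == translated.sport)
                and _addr_match(r.dst, translated.dst)
                and (r.dport is None or r.dport == translated.dport)):
            return r.action, r.descr or "user rule"
    return "block", "Default deny rule IPv4"


def thread_scenarios() -> dict:
    """Replay the thread: tablet 192.168.2.6 -> WAN:50051, server 192.168.40.3."""
    tablet = Packet(src="192.168.2.6", sport=51234, dst=WAN_ADDRESS, dport=50051)  # constructed
    forwards = [PortForward(dport=50051, target="192.168.40.3", target_port=50051)]
    rule_to_wan_addr = Rule("pass", dst=WAN_ADDRESS, dport=50051, descr="manual, dest WAN address")
    linked_rule = Rule("pass", dst="192.168.40.3", dport=50051, descr="NAT-linked rule")
    return {
        # RFC1918 source on WAN: the default block rule wins before anything else
        "rfc1918_block_enabled": evaluate(tablet, forwards, [linked_rule], True),
        # a manual rule aimed at the WAN address never sees the translated packet
        "dest_wan_address": evaluate(tablet, forwards, [rule_to_wan_addr], False),
        # the linked rule matches the post-NAT destination; source port '*' covers 51234
        "linked_rule": evaluate(tablet, forwards, [linked_rule], False),
    }


if __name__ == "__main__":
    for name, (action, reason) in thread_scenarios().items():
        print(f"{name:24s} {action:5s} ({reason})")
```

Running the script prints one line per scenario: the RFC1918 block rule stops the tablet outright, the hand-written rule with destination "WAN address" falls through to the default deny (the log entry the original post quotes), and the NAT-linked rule with a source port of `*` passes it. Turning off "Block private networks" is only reasonable here because this WAN is a private segment behind another router; on an interface facing the internet that rule should stay on.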
                          mark hisel:

                          I can't really be held responsible for what I may or may not have done you see, there's a lot of mystery and confusion over here I have to deal with.

                          So I need to have a link - now we're getting somewhere. Can you tell me how to do that or point me to docs? I guess now that you've clued me in to that I can maybe find out. Thanks!

                            mark hisel:

                            Or start over and let pfSense do it

                              mark hisel:

                              Right On johnpoz!!!

                              Android just got a response from the server!
                              Thank you very much!! You know, it seems like it should be easy, but it's kind of like driving through a new city on a complicated freeway. It's pretty easy to get overwhelmed. Thanks again !!

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.