Can't turn off default Deny Private Networks rule



  • I have a wireless router, gateway IP is 192.168.2.1
    pfSense WAN IP is 192.168.2.2

    I also have an Android tablet that gets its IP from wireless DHCP - so, something like 192.168.2.6

    Everything is VM on Hyper V and it all works, except I need the tablet to access a server behind pfSense.

    The logs say it's blocked by Default deny rule IPv4 (1000000103)

    I have disabled default rules on the WAN interface and set port forwarding

    Please help?


  • LAYER 8 Global Moderator

    You would have to create a port forward to get to something on pfsense lan..

    You can't disable default rules - you can disable logging of them.. You mean you disabled the block rfc1918 rule?



  • That's right. I'm not sure I guess what the default rules are, but don't tell me now! :) I can barely handle what I already know about it.

    I disabled the rfc1918 rule and the bogons rule, made the port forward, and created a pass rule in the firewall.

    It shows up in the log now; it's somewhat counter-intuitive (to me anyway) that the Destination of the firewall rule is the Wan Address and not the LAN Net.

    I still can't hit the VM server from the Android tablet but I'm closer. I think I can thrash around a bit more from here. Thanks for moderating, you're doing great!


  • LAYER 8 Global Moderator

    Lets see your wan rules and your port forward.

    Dest would be pfsense wan address because its going to "forward" that it sees to it, to the IP behind pfsense.



  • NAT
    interface WAN
    protocol TCP
    Src Add *
    Src Port *
    Dest Add WAN Address
    Dest Port 50051
    NAT IP 192.168.40.3
    NAT Port 50051

    RULES
    protocol IPv4 TCP
    source alias includes dhcp IPs from wireless router
    port *
    dest WAN Address
    port 50051
    gateway *



  • NAT source port must also be 50051 apparently; it doesn't get through when set to ANY



  • Do I need a Pass rule on LAN? I tried this but it hasn't worked

    protocol IPv4 TCP
    source LAN Address
    port *
    dest LAN Net
    port 50051
    gateway *


  • LAYER 8 Global Moderator

    picture is WAY better dude...

    Source of 50051 would be included in ANY ;) So not sure what your thinking..

    Post a screenshot!



  • Turns out pictures take too much skill

    Yeah, I though ANY would work, but it doesn't get into the logs when I do that. If I put the port number in there it does. go figure.

    ok I figured out how to upload a picture. pretty cool.
    0_1552266748441_NATrules.png image url)


  • LAYER 8 Global Moderator

    So your port forward is not linked to your wan rule.. Why did you uncheck let it create the rule for you..

    And what is the table for your privatewireless? alias?

    This is what the rules should look like

    0_1552267174572_portforward.png

    Sure you can put in your alias as source if you want.. But really you have boxes on your own network wan wifi that you need to block?

    Why did you change this?
    0_1552267382034_whydidyouchange.png



  • I can't really be held responsible for what I may or may not have done you see, there's a lot of mystery and confusion over here I have to deal with.

    So I need to have a link - now we're getting somewhere. Can you tell me how to do that or point me to docs? I guess now that you've clued me in to that I can maybe find out. Thanks!



  • Or start over and let pfSense do it



  • Right On johnpoz!!!

    Android just got a response from the server!
    Thank you very much!! You know, it seems like it should be easy, but it's kind of like driving through a new city on a complicated freeway. It's pretty easy to get overwhelmed. Thanks again !!


Log in to reply