Why are rules useless in this firewall?



  • I have a pretty simple setup for load balancing:

    • 2 subnets (10.0.0.0/9) <-> 10.0.0.0 and 10.128.0.0
    • pfSense with 3 NICs, 1 LAN, 2 WAN.
    • LAN/WAN on the 10.0.0.0 network
    • WAN2 on the 10.128.0.0 network
    • ARPs suppressed (since LAN and WAN reside on the same network, same broadcast address, it makes no difference if it's disabled)
    • squid3 package installed (it makes no difference whether transparent proxy is enabled or not)

    Here are my rules:

    Aaaaaaaaaand the log after starting a connection which has a specific rule:

    I already tried making the rule more specific and it still goes to the default allow-any rule; wtf is going on?



  • If you didn't bridge WAN and LAN then you must use different subnets if you expect routing to work.  Fix that then retest.



  • Bridging LAN and WAN causes pfSense (and my Linksys WRT54G) to hang. Nothing useful shows up in the logs.



  • @Cry:

    …then you must use different subnets if you expect routing to work.  Fix that then retest.



  • So I would need to have LAN on 10.0.0.0 and both WANs on 128.0.0.0 for it to work? Would I need to bridge WAN and WAN2?



  • Can I suggest you do a little reading on what IP ranges you can safely use (RFC-1918).

    You could, for instance, have:

    WAN: 10.0.0.0/24 (network 10.0.0.x)
    WAN2: 10.128.0.0/24 (network 10.128.0.x)
    LAN: 172.17.2.0/24 (network 172.17.2.x)

    Note the key point - each network MUST have a different network address (the number of bits specified by the /24).  If you don't do this and you don't know exactly what you're doing (that is, you're not an expert on IP routing) you'll end up with major routing problems.



  • Thanks for your suggestion.

    I know what I'm doing; the problem is that right now I'm limited to having LAN and WAN on the same network segment, and I cannot do it any other way without additional equipment. Since this setup is mostly just for load balancing (which is working fine) there's not a real problem with it not following all the rules to the letter; it's just that it would have been great if it did.

    Only one machine actually uses the specific destination rules I showed in the picture, and I've somewhat remedied the situation by setting some static routes on that machine and the routers.



  • Just to provide some insight into this, I've pretty much solved my problem in a rather unconventional way.

    I supernetted my network (10.0.0.0/22), which gave me 4 usable subnets on the same big network (10.0.0.1-10.0.3.254). I then assigned subnets to each router:

    Router 1: 10.0.2.0/22
    Router 2: 10.0.3.0/22

    Then I configured each pfSense NIC like so:

    LAN: 10.0.1.0/24
    WAN: 10.0.2.0/24
    WAN2: 10.0.3.0/24

    That way I pretty much tricked pfSense into thinking there were 3 separate subnets when in reality they're spanned across the same network (which pretty much means clients would be able to talk to each other even though they could be in 4 different subnets). Rules started to work after I did this. It's a waste of addressing space, but that's not an issue in my environment.

    Also, I suppressed ARPs since LAN and WAN are actually on the same router, so I'd get like a million messages about that in the log.

    Thanks Cry Havok for giving me a slight push in the right direction.



  • Umm, no, they are 3 separate subnets as you've specified them.  Can I suggest you learn how subnets work - the old class based addressing is long, long, gone.



  • That's what I was trying to say, but I phrased it wrong. They are 3 different subnets, but to pfSense they can't see each other (/24) even though in reality they can (/22); it's supposed to do the routing between them even though routing is not really needed.



  • If you split a single ethernet segment into multiple segments then the device doing that splitting needs either to be a bridge or a router.  If you don't configure it as a bridge then it must be a router - routing is required.

    I'd suggest you don't know as much about IP as you think you do.



  • I don't think that's right.

    If you have 2 clients using a supernetted class, they see each other regardless of a router. They can be on different subnets and be using only a switch to communicate, and you will be able to jump from one to the other without a next hop because that happens on layer 2; it's a simple comparison of source and destination IP with their respective masks.



  • You're welcome to think what you want.  Reality trumps your theory in this case ;)

    Can I suggest that you, and anybody who's reading this thinks that you're right, takes the time to read up on how IP routing actually works.  There's a wide range of good articles out there, and some even better books.



  • You have provided no real insight except telling me to read something I already know, which I advise you to read instead.

    Simple example: host with 172.25.16.51 wants to communicate with 172.25.24.101, both having a 255.255.0.0 mask. With this mask there's a single subnet with a host range from 172.25.0.1 to 172.25.255.254.

    Internet Protocol would do an AND operation of both network IDs.

    In binary:

    Source IP  -> 1010 1100 0001 1001 0100 0000 0011 0011
    Mask       -> 1111 1111 1111 1111 0000 0000 0000 0000
    Network ID -> 1010 1100 0001 1001
    Host ID    ->                     0100 0000 0011 0011

    Dest IP    -> 1010 1100 0001 1001 0001 1000 0110 0101
    Mask       -> 1111 1111 1111 1111 0000 0000 0000 0000
    Network ID -> 1010 1100 0001 1001
    Host ID    ->                     0001 1000 0110 0101

    Oh, surprise, they're the same. IP determines the host is on the same subnet and sends the packet. If they are different, then the host ARPs for the gateway's address and sends the datagrams its way for it to route.

    The concept doesn't change for what I'm doing. It's not a theory if it's based on something that's documented and that I'm seeing working right now.



  • What you're not understanding:
    Either you supernet and use a bridge (this is what you describe in the above post)
    OR
    you use multiple subnets and route (this is what Cry Havok said in his first answer).

    You can't route and supernet at the same time.



  • Your most recent post, as edited at the time of my reply, is correct. However, you posted this (emphasis mine):

    @hacktek00:

    Then i configured each pfsense NIC like so:

    LAN: 10.0.1.0/24
    WAN: 10.0.2.0/24
    WAN2: 10.0.3.0/24

    That way i pretty much tricked pfsense into thinking there were 3 separate subnets when in reality they're spanned across the same network.

    They're 3 separate networks - the subnet masks make that quite clear.  They are part of the same /22 (10.0.0.0/22), (and the same /8 - 10.0.0.0/8, and the same /1 - 0.0.0.0/1) but that doesn't make them the same network.  If you're still thinking of class allocations (eg class A, class B etc) then stop - that's long outdated and everything works from the subnet mask.
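    As an added example (not code from the thread, from pfSense, or from either poster), here is the AND-with-the-mask test that the binary walkthrough above performs by hand, applied both to the 172.25.x.x pair and to the /22-versus-/24 setup described earlier in the thread. The 10.0.1.x/10.0.2.x hosts, the gateway address 10.0.1.1 and the interface table are constructed to mirror the posts and are assumptions, not values the page gives. It renders 172.25.16.51 as 10101100 00011001 00010000 00110011 and shows the practical consequence of the two masks: a host configured with /22 ARPs for a 10.0.2.x neighbour directly, so that frame never crosses pfSense, and the /24 interface rules only ever see traffic that leaves the /22.

```python
import ipaddress


def network_id(ip: str, prefix: int) -> str:
    """Network address of ip under a /prefix mask (the bitwise AND of IP and mask)."""
    return str(ipaddress.ip_interface(f"{ip}/{prefix}").network.network_address)


def to_bits(ip: str) -> str:
    """Render an IPv4 address as four 8-bit groups, e.g. '10101100 00011001 00010000 00110011'."""
    return " ".join(f"{octet:08b}" for octet in ipaddress.ip_address(ip).packed)


def same_subnet(src: str, dst: str, prefix: int) -> bool:
    """True when src and dst AND to the same network id under the sender's own mask."""
    return network_id(src, prefix) == network_id(dst, prefix)


def next_hop(src: str, dst: str, prefix: int, gateway: str) -> str:
    """Address the sending host ARPs for: dst itself (direct L2 delivery) or its gateway."""
    return dst if same_subnet(src, dst, prefix) else gateway


# Constructed values mirroring the thread's setup: hosts configured with /22,
# pfSense interfaces configured with /24 on the same wire.  The gateway address
# is an assumption; the page never gives one.
HOST_PREFIX = 22
FIREWALL_PREFIX = 24
LAN_GATEWAY = "10.0.1.1"


def firewall_sees_packet(src: str, dst: str) -> bool:
    """Whether a src->dst packet from a /22 host ever reaches the firewall.

    The sending host runs the AND test with *its* mask.  If src and dst land
    in the same /22 it ARPs for dst directly and the frame never passes
    through pfSense, regardless of how pfSense's /24 interfaces carve up the
    same segment.  Only traffic that leaves the /22 is handed to the gateway,
    which is the only place interface rules can apply.
    """
    return not same_subnet(src, dst, HOST_PREFIX)


def firewall_interface_for(ip: str) -> str:
    """Which /24 interface pfSense (configured as in the post) considers ip to belong to."""
    table = {"10.0.1.0": "LAN", "10.0.2.0": "WAN", "10.0.3.0": "WAN2"}
    return table.get(network_id(ip, FIREWALL_PREFIX), "none")


if __name__ == "__main__":
    # The /16 example from the post, bit by bit.
    for host in ("172.25.16.51", "172.25.24.101"):
        print(f"{host:>14} -> {to_bits(host)}  network {network_id(host, 16)}")
    print("same /16 subnet:", same_subnet("172.25.16.51", "172.25.24.101", 16))

    # Two hosts on the supernet: direct on /22, routed on /24.
    a, b = "10.0.1.10", "10.0.2.10"
    print("host view (/22) next hop:", next_hop(a, b, HOST_PREFIX, LAN_GATEWAY))
    print("firewall view (/24):", firewall_interface_for(a), "->", firewall_interface_for(b))
    print("firewall ever sees a->b:", firewall_sees_packet(a, b))
    print("firewall ever sees a->8.8.8.8:", firewall_sees_packet(a, "8.8.8.8"))
```

    Run it as a script to see both views side by side; the point it makes is that the host's mask, not the firewall's, decides whether a packet is ever offered to the firewall at all.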



  • Same thing here, but thanks, I'll follow your tips.
    jigp
    Davao City

