bothersome firewall, what's going on?
-
Hello all,
It's my first time on this forum, so I didn't go deep into the rules, so sorry if I break one of them.
OS: FreeBSD 11.3-STABLE
pfSense: 2.4.5-RELEASE (amd64)
I have pfSense as a standalone VM on my Proxmox VE. I am trying to figure out why, every time I add a new interface and turn it on, it automatically turns on the firewall on all interfaces. When the firewall is turned off, the hosts have no problem communicating in both directions.
I turn off the firewall with "pfctl -d"; when I turn it on using "pfctl -e" there is no communication. It makes sense to me, but why does it cut all my traffic when I turn on the new interface? Even to the webGUI.
The above problem implies that every time my traffic disappears, whether to the web GUI or to the network interface, I have to turn off the firewall.
With each single change in configuration, the firewall is turned on. It's exhausting.
-
@r3g3x_abc HAHAHAHAHAAHHAAHHAHAHAHAAHAHAHAHAH
-
Do you have something smarter to say? :) If this is all your knowledge, then you are a pathetic man :)). I know the importance of a firewall and it will be on. In this case I do not understand why at every change I cut all traffic management. For completeness, I will add that I have been using pfSense for 3 days. So f ** k off
-
with each single change in configuration, the firewall is turned on.
Yes. That is because the config is telling it to do so.
Maybe you need to explain your intentions a little more. I'm assuming you are just attempting to route between interfaces without the use of the firewall function.
pfSense is designed to be administered via the GUI. Command line options do work but can at times be confusing if you are not familiar with the setup and structure.
Go to System / Advanced / Firewall & NAT and down to "Disable Firewall" and click the box. Easy peasy if that is what you really want.
Otherwise make sure you have the correct firewall rules in place. By default the only interface that will have a pass rule is the LAN interface when you first set up. It is easy just to copy that rule and then change the interface on the "edit" page and save for each new interface.
Cool_Corona must be off his meds again..
-
@chpalmer said in bothersome firewall, what's going on?:
That is because the config is telling it to do so
I completely understand that, this is not my first virtual router ;), but usually I configured physical routers, e.g. Cisco 2811.
I'm sure I'm doing something wrong, but maybe from the beginning.
In my case, the WAN interface is configured first (everything is ok at this stage). Only then, when I add a LAN interface (which works in a different subnet), the firewall starts blocking everything, even the WAN interface (which disturbs me a lot in my navigation after the "web GUI"). I understand the operation and purpose of a firewall, but I have never experienced such behavior.
-
@r3g3x_abc said in bothersome firewall, what's going on?:
@chpalmer said in bothersome firewall, what's going on?:
That is because the config is telling it to do so
I completely understand that, this is not my first virtual router ;), but usually I configured physical routers, e.g. Cisco 2811.
In my case, the WAN interface is configured first (everything is ok at this stage). Only then, when I add a LAN interface (which works in a different subnet), the firewall starts blocking everything
When setting up the pfSense on a piece of hardware one can begin with just one interface which will be set up as "WAN". The firewall will not be on. Once you add a LAN interface then by default the system will enable the firewall on the WAN.
By default during initial setup phase if you enable a WAN and a LAN interface the LAN interface is set up with an "Allow All" rule. The WAN will have no rules and therefore will block all incoming unsolicited traffic. LAN will work. Are you saying that your LAN with an allow all default rule is not passing traffic out the WAN?
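The default-rule layout described in this reply (a pass rule on LAN, none on WAN) can be checked against the loaded ruleset rather than by disabling pf. The script below is an added example, not part of the original post; the interface names vtnet0 (WAN) and vtnet1 (LAN) and the sample rules are constructed, written in the style of `pfctl -sr` output.

```shell
#!/bin/sh
# Added example: report, per interface, how many inbound "pass" rules the
# loaded pf ruleset contains. An interface with none falls through to the
# default deny, which is the WAN behaviour described in the thread.

# Constructed sample in the style of `pfctl -sr` output. vtnet0 (WAN) and
# vtnet1 (LAN) are assumed interface names, not taken from the thread.
sample_rules() {
cat <<'EOF'
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass in quick on vtnet1 proto tcp from any to (vtnet1) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on vtnet1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
EOF
}

# inbound_pass_status IFACE...   (ruleset text on stdin)
# Prints one line per named interface: "<iface> pass-in=<count>".
inbound_pass_status() {
    awk -v ifaces="$*" '
        BEGIN { n = split(ifaces, want, " ") }
        # Only inbound pass rules matter for traffic arriving on an interface.
        $1 == "pass" && $2 == "in" {
            # The interface name follows the first "on" keyword.
            for (i = 3; i < NF; i++)
                if ($i == "on") { count[$(i + 1)]++; break }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s pass-in=%d\n", want[i], count[want[i]] + 0
        }'
}

# On a live system the input would be: pfctl -sr | inbound_pass_status vtnet0 vtnet1
sample_rules | inbound_pass_status vtnet0 vtnet1
```

An interface reported with `pass-in=0` accepts no unsolicited inbound traffic, so a GUI session arriving on that interface is dropped as soon as the ruleset is enforced.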
-
I am not sure if I understand correctly, but when I have enabled (with DHCP addressing) only the WAN interface, it works, but when I add a LAN interface, the firewall turns on on all interfaces and blocks all traffic to the pfSense machine. Then from the CLI I have to use "pfctl -d" and everything starts to work.
Below I present my architecture (it's something really simple), so my surprise is even greater
-
Can you do some screenshots of your firewall rules? WAN and LAN.
This page.. or
/firewall_rules.php?if=lan specifically show an interface you are having problems getting traffic into.
-
Sure, I just need to get the snapshot machines back to their original configuration.
-
This rule will pass everything. If you are configured this way and still having problems, then there is another issue somewhere.
I'm running south for a couple of hours and will check back later.
-
@chpalmer
for WAN:
Now I enable the LAN interface (as expected, the firewall has turned on) and disable the firewall. The state of the interfaces is now as below
For LAN:
-
I think I understand now. The fact that the LAN interface is in a different subnet additionally confused me (the device from which the connection is in a different subnet, and I use a transfer station)