No WLAN Administering pfSense Box
-
@johnpoz I agree with you totally. I shouldn't be able to cross interface traffic from my WLAN to my LAN unless a rule is set. I'm running pfSense 22.05 and the WLAN is for my wireless. There are no wireless components on my WLAN connected to my LAN. I don't have anything physically bridged. I just checked a tube video and I have no pfSense interface bridges set; I didn't know you could do that. I haven't edited any files in pfSense.
At one point I did have a computer with 2 nics where I had one nic connected to the LAN and one nic connected to the WLAN thereby bridging the two which is why I had the WLAN rules blocking access to the LAN components. I have since disconnected the LAN nic connection from this computer and it's only connected to the WLAN now. Even though the computer's LAN nic is disconnected and I disabled the WLAN firewall rules blocking access to the LAN components, I can still access the LAN components. When I re-enable the WLAN firewall rules blocking access to the LAN components, I can't reach the components from the WLAN.
Could pfSense be keeping a setting somewhere from this previously bridged computer allowing the WLAN to reach the LAN? Just a thought.
-
@newuser2pfsense please post a picture of your rules on this wlan interface, and do you have any floating rules?
What you're saying is just not possible.. There is a piece of the puzzle that is missing.
But as I showed you - the default rules are deny.. It is not possible if the firewall is actually running for traffic to pass through pfsense. Without a rule to allow it, or a previous state that allows the traffic.
Did you clear the states?
When you say you can talk to pfsense to get to lan -- look at the state table - let's see the traffic in the state table. If the firewall is running and allowing traffic through it, then there is a state, etc.
If I had to guess you got some rule on floating that is not marked quick and allowing traffic until you create a specific block rule on the interface..
-
@johnpoz I believe it's not possible as well. I have no floating rules entered into pfSense. I reset the firewall state table and tested again and I'm still able to reach 3 of my LAN components by way of my WLAN; seen currently blocked in the below image. (I disabled those three rules when I was testing.) I just saw a double entry for .14, I'll fix that later.
The x.x.2.100 is the computer sitting on my WLAN network that I've been using to see if I can reach my 3 LAN components. The state table below is for this computer (a snapshot in time).
-
@newuser2pfsense well you're saying this 2.100 box was talking to some 1.x box at the time you looked at the states - it clearly didn't go through pfsense to get there..
How exactly do you think a stateful firewall allowed traffic through itself without creating a state?
What port are you talking to these devices on your 1 network - you have lots of rules there with allowing traffic.. But again - how did you route through pfsense without a state?? Just not possible when clearly other states are being made.
What makes more sense is you're not routing through pfsense.. Let's see a traceroute to an IP in the 1 network..
Example here is my lan 9.100 talking to 2.12
$ tracert -d 192.168.2.12
Tracing route to 192.168.2.12 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.9.253
  2     1 ms    <1 ms    <1 ms  192.168.2.12
Trace complete.
if I ping this 2.12 you can see a state
-
@johnpoz I made a mistake when I took the state snapshot in time in my above post. In my WLAN rules, I had the 3, .1.x components blocked when I took that state. My apologies.
I have since disabled those rules, used my browser on the 2.100 computer attached to the WLAN to connect to the 3 LAN components with no issues as seen below:
Sorry for the confusion.
-
@newuser2pfsense well no duh you would be able to access those..
This rule allows that.
-
@johnpoz there are several block rules for 1.14, 1.15 and 1.16 higher up that should prevent access to those 3 web servers. Not sure why there are no hits on those rules.
@newUser2pfSense Scrap all the rules and start over based off the rules screenshot that @johnpoz or @NOCling posted. Add any additional allow rules & aliases you need.
-
@ahking19 said in No WLAN Administering pfSense Box:
Not sure why there are no hits on those rules.
Because a state had prob already been created.. States are evaluated before rules.
if I have a state from 192.168.2.100 --> 192.168.1.14 on port 80..
Any block rule you create trying to stop said traffic is pretty useless until that state is gone.. Be it times out, be it closed by the client, be it killed by the pfsense admin, etc.
-
@johnpoz said in No WLAN Administering pfSense Box:
@newuser2pfsense well no duh you would be able to access those..
This rule allows that.
Doh, I didn't see that. Geez! I'm a moron! Ok then, so let me ask the question, how should a WLAN rule be created that allows internet access and blocks access to my 3 LAN components using any protocols and any ports given my above listed WLAN rules? As well, create a WLAN rule that blocks administration to my pfSense box on interface 192.168.2.1 which I also use as a DNS IP manually input into each of my computers connected to my WLAN? I'm just not seeing it right now.
-
@newuser2pfsense I already gave you an example of a locked down vlan..
Customize to your heart's content - rules are evaluated top down, first rule to trigger wins - no other rules are evaluated. It's not difficult to come up with a set of rules to be very precise in what they allow or don't allow..
For example your block rules before your allow rule accomplished your goal of not getting those IPs, etc. Could prob just be done cleaner, etc..
This rule is pretty useless.
Something on the wlan net would never send any traffic to pfsense to talk to something else on the wlan net - so what exactly could this rule be wanting to allow where pfsense would be involved?
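The two points made above, that the state table is consulted before any rule and that rules are then evaluated top down with the first match winning, are easy to get wrong when reading a rule screenshot. The following is an added example written for this page, not pfSense code and not posted by anyone in the thread: a small Python model of that evaluation order. It assumes the thread's addressing (LAN 192.168.1.0/24, WLAN 192.168.2.0/24, pfSense's WLAN address 192.168.2.1 used as the DNS server, web servers at .1.14/.15/.16) and a hypothetical 192.168.1.1 LAN address for the firewall; the rule labels are invented. It reproduces the "no hits on those block rules" observation, then shows the locked-down WLAN ruleset the poster asked for (DNS to pfSense allowed, everything else to the firewall and to the LAN blocked, internet allowed) and what happens when the allow rule is put above the blocks.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address
from typing import Optional

# Addressing assumed from the thread (192.168.1.1 for the LAN side is an assumption).
LAN_NET = ip_network("192.168.1.0/24")
WLAN_NET = ip_network("192.168.2.0/24")
WLAN_ADDRESS = ip_address("192.168.2.1")                  # pfSense WLAN IP, also the DNS server
THIS_FIREWALL = {WLAN_ADDRESS, ip_address("192.168.1.1")}  # all interface IPs of the box
LAN_WEB_SERVERS = {ip_address(f"192.168.1.{n}") for n in (14, 15, 16)}
WLAN_HOST = ip_address("192.168.2.100")                   # the test machine on the WLAN

def _match_addr(addr: IPv4Address, spec) -> bool:
    """spec is "any", an ip_network, or a set of ip_address objects."""
    return spec == "any" or addr in spec

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for icmp

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: object
    dst: object
    proto: str = "any"
    dport: Optional[int] = None  # None means any port
    label: str = ""
    hits: int = 0                # the counter shown in the rule list

    def matches(self, p: Packet) -> bool:
        return (_match_addr(p.src, self.src) and _match_addr(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()      # keyed by (src, dst, proto, dport)

    def evaluate(self, p: Packet):
        """Return (verdict, reason): state first, then first-match rules, then default deny."""
        key = (p.src, p.dst, p.proto, p.dport)
        if key in self.states:
            return "pass", "existing state"      # no rule is consulted, no counter moves
        for rule in self.rules:
            if rule.matches(p):
                rule.hits += 1
                if rule.action == "pass":
                    self.states.add(key)         # a pass rule creates the state
                return rule.action, rule.label
        return "block", "default deny"

    def reset_states(self):
        self.states.clear()                      # Diagnostics > States > Reset States

def stale_state_demo():
    """Why a block rule added above an allow rule shows zero hits until the state is gone."""
    fw = Firewall([Rule("pass", WLAN_NET, "any", label="allow WLAN net to any")])
    web = Packet(WLAN_HOST, ip_address("192.168.1.14"), "tcp", 80)
    before = fw.evaluate(web)                    # passes via the allow rule, state created
    block = Rule("block", WLAN_NET, LAN_WEB_SERVERS, label="block WLAN net to LAN web servers")
    fw.rules.insert(0, block)                    # inserted at the top, above the allow rule
    with_state = fw.evaluate(web)                # still passes: the state is checked first
    hits_with_state = block.hits                 # 0: the new rule was never evaluated
    fw.reset_states()
    after_reset = fw.evaluate(web)               # now the block rule fires
    return before, with_state, hits_with_state, after_reset, block.hits

def locked_down_wlan() -> Firewall:
    """Blocks before the allow: DNS to pfSense, nothing else to pfSense or the LAN, then internet."""
    return Firewall([
        Rule("pass", WLAN_NET, {WLAN_ADDRESS}, "udp", 53, label="allow DNS to WLAN address"),
        Rule("pass", WLAN_NET, {WLAN_ADDRESS}, "tcp", 53, label="allow DNS (tcp) to WLAN address"),
        Rule("block", WLAN_NET, THIS_FIREWALL, label="block WLAN net to This Firewall"),
        Rule("block", WLAN_NET, LAN_NET, label="block WLAN net to LAN net"),
        Rule("pass", WLAN_NET, "any", label="allow WLAN net to any (internet)"),
    ])

def misordered_wlan() -> Firewall:
    """Same rules with the allow on top: the blocks below it are never reached."""
    rules = locked_down_wlan().rules
    return Firewall([rules[-1]] + rules[:-1])

SAMPLE = {   # constructed traffic from the WLAN test host; 203.0.113.10 is a documentation address
    "internet https": Packet(WLAN_HOST, ip_address("203.0.113.10"), "tcp", 443),
    "dns to pfsense": Packet(WLAN_HOST, WLAN_ADDRESS, "udp", 53),
    "pfsense webgui": Packet(WLAN_HOST, WLAN_ADDRESS, "tcp", 443),
    "pfsense ssh via lan ip": Packet(WLAN_HOST, ip_address("192.168.1.1"), "tcp", 22),
    "lan web server": Packet(WLAN_HOST, ip_address("192.168.1.14"), "tcp", 80),
    "lan ping": Packet(WLAN_HOST, ip_address("192.168.1.50"), "icmp"),
}

def verdicts(fw: Firewall, packets: dict) -> dict:
    return {name: fw.evaluate(p)[0] for name, p in packets.items()}

if __name__ == "__main__":
    print(stale_state_demo())
    print(verdicts(locked_down_wlan(), SAMPLE))
    print(verdicts(misordered_wlan(), SAMPLE))
```

The model deliberately keys states on the full tuple and never expires them, so the only way a packet stops matching is a state reset; on a real box the state also goes away when it times out or the client closes the connection, as the post above says. The "WLAN net to WLAN net" rule from the screenshot is not modelled at all, because hosts on the same subnet talk to each other via the switch or access point and that traffic never reaches pfSense's packet filter.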