No Internet connection rule but still pings in diagnosis tab
-
@viragomann Then the ping function looks useless (not completely). If it can ping 1.1.1.1 from all interfaces, then I have internet on all of them and it is a UniFi switch issue (safe to assume)?
Is there something to emulate to make sure the rules work as intended without having any device connected? I am remote and just trying to solve the issue if possible.
-
@pirateparley
This only means that the ping function in the Diagnostics menu is not a suitable instrument to test the firewall rules. Use a machine in the respective network segment to check whether your rules work properly.
-
@pirateparley said in No Internet connection rule but still pings in diagnosis tab:
@viragomann Then the ping function looks useless (not completely). If it can ping 1.1.1.1 from all interfaces, then I have internet on all of them and it is a UniFi switch issue (safe to assume)?
Is there something to emulate to make sure the rules work as intended without having any device connected? I am remote and just trying to solve the issue if possible.
Rules are evaluated on the interface for traffic from the network connected to that interface.
So your rules, of which the middle one is useless if the alias is what I think it is, stop anything connected to the camera interface only. The interface itself is pfSense.
Plug a PC into that interface and see where you get. Also, the bottom rule is not needed since there's already an explicit "block all" rule. You can't see it, but it's there.
In fact, all of those rules are useless. Delete them all and you have the same thing. Depending on what that alias is, of course.
-
@jarhead said in No Internet connection rule but still pings in diagnosis tab:
Depending on what that alias is, of course.
Doesn't matter, to be honest. Those are all just block rules; as is, they are pointless. Only if some allow rules were added could having them make any sense, depending on order.
The only thing they might be used for is that they are not set to log, so any traffic those rules block would not be logged. But if that was what you were trying to do, the only rule needed would be the last one.
As mentioned, testing from the pfSense diagnostic ping is not a way of validating firewall rules.
-
@jarhead said in No Internet connection rule but still pings in diagnosis tab:
@pirateparley said in No Internet connection rule but still pings in diagnosis tab:
@viragomann Then the ping function looks useless (not completely). If it can ping 1.1.1.1 from all interfaces, then I have internet on all of them and it is a UniFi switch issue (safe to assume)?
Is there something to emulate to make sure the rules work as intended without having any device connected? I am remote and just trying to solve the issue if possible.
Rules are evaluated on the interface for traffic from the network connected to that interface.
So your rules, of which the middle one is useless if the alias is what I think it is, stop anything connected to the camera interface only. The interface itself is pfSense.
Plug a PC into that interface and see where you get. Also, the bottom rule is not needed since there's already an explicit "block all" rule. You can't see it, but it's there.
In fact, all of those rules are useless. Delete them all and you have the same thing. Depending on what that alias is, of course.
You are right; if I rethink the rules, it is. I was wondering what if someone plugs directly into the port, but again that is a VLAN and I don't really need that.
I wanted to access the camera from my MAIN LAN and the other physical LAN. I thought I would need that if I want to access the camera web UI. I didn't put any rules in yet to allow access to the web UI and... I hope I am making sense.
-
@pirateparley said in No Internet connection rule but still pings in diagnosis tab:
I hope I am making sense
No, not really. You don't need any rules on the camera interface to access the camera network/VLAN from other networks, i.e. your LAN; the LAN rules would determine if you can access anything on the camera network.
The only thing that can be tricky with some cameras is that some of them do not have gateways, so you cannot actually access them from another network unless you do source NATting, so the camera thinks the traffic is from its local network rather than some other network.
This is done on the Outbound NAT tab if that is something you need to do.
-
My guess is that traffic through the firewall is subject to rules inspection, NOT traffic sourced from the firewall. Granted, that's not how other routers/firewalls behave, but that seems to be the behavior of pfSense in this case.
The best way to test is to have your clients/cameras use the internet. Does it work?
-
@michmoor I can't test till I go to the place physically in three days. Yesterday it wasn't getting any internet on any of the LAN interfaces, so this morning I am trying to rule out pfSense as the issue (I can VPN to pfSense). The UniFi switch is offline on the controller, so I can't make any changes. My UniFi AP is able to ping 1.1.1.1, but devices connected to Wi-Fi aren't getting internet, so I believe now it is a network setting issue in the UniFi controller, but the switch is offline on the controller even though the AP connected to that switch is visible on the controller.
-
@johnpoz said in No Internet connection rule but still pings in diagnosis tab:
@jarhead said in No Internet connection rule but still pings in diagnosis tab:
Depending on what that alias is, of course.
Doesn't matter, to be honest. Those are all just block rules; as is, they are pointless. Only if some allow rules were added could having them make any sense, depending on order.
The only thing they might be used for is that they are not set to log, so any traffic those rules block would not be logged. But if that was what you were trying to do, the only rule needed would be the last one.
As mentioned, testing from the pfSense diagnostic ping is not a way of validating firewall rules.
My point was I'm betting that alias is the camera network itself.
@pirateparley Can you show us the alias?
-
@jarhead Someone is in the mood to get it right!! ... so here is that alias if you really insist.
-
@pirateparley A ha, I was wrong. That's all your other networks.
Yup, not needed either if all you're doing is blocking everything.
No rules will accomplish that.
-
@jarhead Thanks. I understand a little more now. So to sum up, inbound is open by default if I am accessing from other interfaces, and outbound is blocked if there are no rules, even to the internet and other interfaces.
-
@pirateparley said in No Internet connection rule but still pings in diagnosis tab:
so here is that alias if you really insist.
If you specify the alias type "Network" you should state real network addresses.
None of your entries is a network address.
Instead of 10.1.2.1/24 enter 10.1.2.0/24, and change all the others to x.0/24 as well.
-
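A quick check for the alias problem described in the post above, as an added example that is not part of the thread or of pfSense: it takes the entries of a "Network" type alias, clears any host bits the way pfSense expects them, and reports which entries were wrong. Only 10.1.2.1/24 comes from the thread; the other sample entries are constructed.

```python
import ipaddress


def normalize_network_aliases(entries):
    """Normalize entries intended for a pfSense alias of type "Network".

    Returns (normalized, fixed): `normalized` lists every entry in network
    form, `fixed` lists (original, corrected) pairs for entries that carried
    host bits, e.g. "10.1.2.1/24" -> "10.1.2.0/24". A malformed entry raises
    ValueError rather than being dropped silently.
    """
    normalized, fixed = [], []
    for entry in entries:
        # ip_interface accepts address/prefix whether or not the host bits are zero
        iface = ipaddress.ip_interface(entry)
        net = iface.network              # same prefix with the host bits cleared
        if iface.ip != net.network_address:
            fixed.append((entry, str(net)))
        normalized.append(str(net))
    return normalized, fixed


# Constructed sample alias: 10.1.2.1/24 is from the thread, the other two are assumed.
SAMPLE_ALIAS = ["10.1.2.1/24", "10.1.3.1/24", "10.1.1.0/24"]

if __name__ == "__main__":
    nets, fixed = normalize_network_aliases(SAMPLE_ALIAS)
    for original, corrected in fixed:
        print(f"{original} has host bits set; enter {corrected} instead")
    print("normalized alias:", nets)
```

A /32 entry is left alone, since its address is its own network address; that is the one case where an address-looking entry in a Network alias is correct.
-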
@pirateparley said in No Internet connection rule but still pings in diagnosis tab:
inbound is open by default
Seems like you're confusing terms. If traffic is leaving a pfSense interface onto network X, that is not inbound to X, that is outbound from pfSense: egress.
If you want to understand direction, ingress or egress (inbound or outbound), then pretend pfSense is a house and you're standing in the middle of it, and the interfaces are different doors: the front door, the back door, etc.
"Inbound" is not open by default; the default is deny. pfSense normally only checks traffic inbound into pfSense. A guy shows up and knocks on your side door (LAN) and says, hey, I want to go to the back yard (connected via the back door). Do the rules on the side door (LAN) say he can do that? Then he can. You don't check the traffic again as he tries to go out the back door into the back yard.
Not unless you created a floating rule with direction set to outbound.
Understanding traffic flow is not difficult, and it is quite intuitive once you stop thinking of traffic flow from the perspective of a device and look at it from the perspective of the firewall. The traffic is either inbound into pfSense through an interface, or it's outbound from pfSense into the network.
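The evaluation model the thread keeps coming back to (rules consulted only on the ingress interface, first match wins, a hidden logged default deny at the bottom, and firewall-sourced traffic such as Diagnostics > Ping never passing through an interface ruleset) is small enough to write down. The following is an added example, not code from the thread or from pfSense, and it models the thread's camera-interface rules against a constructed LAN 10.1.1.0/24; the camera VLAN 10.1.2.0/24 is taken from the alias entry shown in the thread, everything else (interface names, hosts, the stand-in for the "other networks" alias) is assumed.

```python
import ipaddress
from dataclasses import dataclass, field

ANY = (ipaddress.ip_network("0.0.0.0/0"),)


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    src: tuple         # tuple of networks, i.e. an alias
    dst: tuple
    log: bool = False

    def matches(self, src, dst):
        return any(src in n for n in self.src) and any(dst in n for n in self.dst)


@dataclass
class Firewall:
    interfaces: dict                 # interface name -> directly attached network
    own_addrs: set                   # addresses pfSense itself holds (its interface IPs)
    rules: dict = field(default_factory=dict)   # interface name -> ordered rule list

    def ingress_interface(self, src):
        for name, net in self.interfaces.items():
            if src in net:
                return name
        return None

    def evaluate(self, src, dst):
        """Return (action, reason) for a new connection from src to dst."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Diagnostics > Ping: the packet is generated by pfSense, so it never
        # arrives inbound on an interface and no interface ruleset sees it.
        if src in self.own_addrs:
            return "pass", "sourced by pfSense itself; interface rules not consulted"
        ifname = self.ingress_interface(src)
        if ifname is None:
            return "block", "source does not belong to any attached network"
        # Rules are checked only on the ingress interface; first match wins.
        for idx, rule in enumerate(self.rules.get(ifname, [])):
            if rule.matches(src, dst):
                note = " (logged)" if rule.log else " (not logged)"
                return rule.action, f"{ifname} rule {idx}{note}"
        # The hidden default-deny rule at the bottom of every interface, which logs.
        return "block", f"{ifname} default deny (logged)"


LAN_NET = ipaddress.ip_network("10.1.1.0/24")            # assumed LAN
CAM_NET = ipaddress.ip_network("10.1.2.0/24")            # camera VLAN from the thread's alias
OTHER_NETS = (LAN_NET, ipaddress.ip_network("10.1.3.0/24"))  # stand-in "other networks" alias


def build_firewall(with_cam_block_rules=True):
    fw = Firewall(
        interfaces={"LAN": LAN_NET, "CAM": CAM_NET},
        own_addrs={ipaddress.ip_address("10.1.1.1"), ipaddress.ip_address("10.1.2.1")},
    )
    fw.rules["LAN"] = [Rule("pass", (LAN_NET,), ANY)]    # the usual default LAN allow-all
    if with_cam_block_rules:
        # The thread's camera rules: block to other networks, then block to any, neither logged
        fw.rules["CAM"] = [Rule("block", (CAM_NET,), OTHER_NETS), Rule("block", (CAM_NET,), ANY)]
    return fw


if __name__ == "__main__":
    for with_rules in (True, False):
        fw = build_firewall(with_rules)
        print(f"CAM block rules present: {with_rules}")
        for src, dst in [("10.1.2.1", "1.1.1.1"), ("10.1.2.50", "1.1.1.1"), ("10.1.1.20", "10.1.2.50")]:
            print(f"  {src} -> {dst}: {fw.evaluate(src, dst)}")
```

Running it shows the three points made above: a ping sourced from the CAM interface address passes regardless of the CAM rules, a camera host is blocked with or without the explicit block rules (the only difference being whether the block is logged), and LAN to camera access is decided by the LAN ruleset alone.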