Rules Clarification
-
Hi,
Just was setting up a simple rule (or so I thought) and it killed all internet access. The rule I wanted to create was that anything coming from my wireless AP IP was blocked from a list of IPs within the network. The wireless AP is plugged into the pfSense router through the switch that all other network devices are plugged into on the LAN port. New Rule -
- Block
- LAN
- IPv4
- Any
- Source = wireless AP IP
- Destination = Alias with all my network attached devices I want blocked from the wifi network.
In my LAN rules set I have -
- LAN anti-lockout rule
- LAN net allowed to any
- New rule.
Seems simple but when I had it like this all network and wifi devices lost access to the internet. Did I possibly put it in the wrong order? That if I put my "New Rule" above the "LAN net allowed to any" rule then it would stop everything? To fix, I disabled the "New Rule" and rebooted pfSense. Everything kicked back off working again.
I previously had the wireless AP plugged into a different ethernet port on the pfSense router and on a separate LANWifi network to keep everything separate but when I upgraded to pfSense 2.7.0 on Friday this stopped working. I know it's because we have these terrible TaoTronics AC3000 APs and they have been nothing but trouble since they came into the building a few years ago but they were cheap... They could only be accessed/set up via the TaoTronics app, no browser interface, and now they are no longer supported/available and they have pulled the app from the Play and App Store. I just need to keep them running until I can get a decent Ubiquiti wireless AP in place, so with them being in the state they are, they need to be blocked from various network IPs.
-
@Waffelen said in Rules Clarification:
The rule I wanted to create was that anything coming from my wireless AP ip was blocked from a list ips within the network
Couple of things to note - APs don't NAT, the only traffic to or from the AP IP would be management of that AP or traffic from that AP to say a RADIUS server to auth clients, etc... Clients would be on their own IP.
Now if you're using a wifi router that is NATting.. Sure you could block everyone on that wifi, because they are all going to be behind the NATted IP.
But if your wifi device is connected to the LAN.. be it NATting or not, pfSense would have nothing to do with connections to devices on the LAN net from this wifi network.
If you want to filter traffic from your wifi to your LAN - put the wifi network on a different segment.
Also that order of rules would be wrong.. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated. So putting rules below an any/any rule would never even be looked at. Because your any/any rule would allow everything.
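To make the two points in this reply concrete (first match wins, and a rule keyed on the AP's IP never matches the wifi clients behind it), here is a small first-match evaluator over a constructed LAN rule set. This is an added illustration, not code from the thread or from pfSense; the addresses, the alias contents and the simplified anti-lockout rule are assumptions for the demo. It only models traffic that actually arrives at the LAN interface; as the reply says, traffic between two hosts on the same LAN segment goes switch-to-switch and the firewall never sees it.

```python
"""First-match-wins evaluation of a pfSense-style LAN rule set (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses: assumptions for the illustration, not from the thread.
LAN_NET = ip_network("192.168.1.0/24")
FIREWALL_IP = ip_address("192.168.1.1")
AP_IP = ip_address("192.168.1.2")           # the AP's own management address
WIFI_CLIENT = ip_address("192.168.1.50")    # a client behind the (non-NAT) AP
BLOCKED_DEVICES = frozenset({               # stands in for the destination alias
    ip_address("192.168.1.10"),
    ip_address("192.168.1.11"),
})
INTERNET_HOST = ip_address("203.0.113.7")   # documentation range, off-subnet


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "pass" or "block"
    src: object   # "any", an ip_network, or a frozenset of ip_address
    dst: object


def selector_matches(selector, addr) -> bool:
    """Match an address against 'any', a network, or an alias (set)."""
    if selector == "any":
        return True
    return addr in selector   # works for both ip_network and frozenset


def evaluate(rules, src, dst):
    """Walk the rule set top-down and return (action, rule_name) of the first
    match. pfSense stops at the first matching rule, so anything below it is
    never consulted; with no match at all the implicit default is deny."""
    for rule in rules:
        if selector_matches(rule.src, src) and selector_matches(rule.dst, dst):
            return rule.action, rule.name
    return "block", "default deny"


# Simplified versions of the three rules from the original post.
ANTI_LOCKOUT = Rule("anti-lockout", "pass", "any", frozenset({FIREWALL_IP}))
ALLOW_ALL = Rule("LAN net to any", "pass", LAN_NET, "any")
BLOCK_AP = Rule("block AP to alias", "block", frozenset({AP_IP}), BLOCKED_DEVICES)

ORDER_AS_POSTED = [ANTI_LOCKOUT, ALLOW_ALL, BLOCK_AP]    # block sits under any/any
ORDER_BLOCK_FIRST = [ANTI_LOCKOUT, BLOCK_AP, ALLOW_ALL]  # block placed above it


def summary():
    """Return the outcomes a practitioner would check for both orderings."""
    return {
        # Block rule below the any/any pass: it is shadowed and never fires.
        "posted_ap_to_alias": evaluate(ORDER_AS_POSTED, AP_IP, BLOCKED_DEVICES.__iter__().__next__()),
        # Same packet with the block moved above the pass: now it is hit.
        "reordered_ap_to_alias": evaluate(ORDER_BLOCK_FIRST, AP_IP, ip_address("192.168.1.10")),
        # The AP's own traffic elsewhere (e.g. internet) is still passed.
        "reordered_ap_to_internet": evaluate(ORDER_BLOCK_FIRST, AP_IP, INTERNET_HOST),
        # A wifi client has its own IP, so a source=AP_IP rule never matches it.
        "reordered_client_to_alias": evaluate(ORDER_BLOCK_FIRST, WIFI_CLIENT, ip_address("192.168.1.10")),
    }


if __name__ == "__main__":
    for label, outcome in summary().items():
        print(f"{label:28s} -> {outcome}")
```

Run it and the last line is the one that matters for this thread: with the rule keyed on the AP's management IP, a wifi client talking to a device in the alias is still passed, which is why the reply recommends putting the wifi on its own segment and filtering that segment's subnet instead.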
-
@johnpoz Thanks for the advice but it turns out, I am a dumbass... When I said I tried to set things back up on the LANWifi interface separate network and it wouldn't work as it did before? Well I had the ethernet plugged into the LAN port not the WAN port on the wireless AP. Trucks snake, had I spotted my error I would have saved myself hours of messing about.