Netgate Discussion Forum
    WLAN problem

Wireless
21 Posts 3 Posters 7.4k Views
Atlanta-Mike

I am running pfSense with 3 interfaces (WAN, LAN & WLAN). The LAN (192.168.1.x) and WLAN (192.168.2.x) then run through an Untangle box for filtering (using 4 NIC cards). I can get to the internet fine from either the LAN or WLAN, and the Untangle filtering is working fine. However, since the WLAN is using an unsecured wireless AP that I use for guests, I don't want this interface to have access to the LAN, and I have the firewall rule set up to block it. However, the WLAN is able to connect to the pfSense router (192.168.1.1) and other computers/devices on the LAN. What am I doing wrong?

Mike

danswartz

Without seeing your rules, it's hard to say.

Atlanta-Mike

OK, is this what you wanted? Need to work on my screenshots, sorry.

http://www.mhfoto.com/web/Wifi%20rules.jpg

danswartz

That is weird. The rule you specified should be blocking the traffic.

Atlanta-Mike

Yeah, I have searched and searched the forum looking for an answer, and so far I am stumped. I can connect to the wifi interface and get an IP in the 192.168.2.x subnet, but I can still log into pfSense (192.168.1.1), either of the TiVos' web servers (both on the LAN interface with the 192.168.1.x subnet) and other devices on the LAN interface.

Mike

danswartz

If you SSH in to pfSense and do this:

pfctl -s rules | grep WIFI

(or whatever the name of the interface is), what do you see?

Atlanta-Mike

All that comes back is:

anchor "dhcpserverPublicWifi" all

PublicWiFi is the name of the interface.

Mike

danswartz

Hmmm, looking at my config, I don't have a 3rd interface, but I notice the rules do not say LAN but vr0. Can you do 'ifconfig -a' and see what the actual interface is, and grep for that in the rules?

Atlanta-Mike

OK, it says a lot of stuff. Not sure how to get that data to post here. I do see a few interesting lines, as follows (the WLAN interface is dc0 and the 192.168.2.x subnet; the LAN interface is nfe0 and the 192.168.1.x subnet):

block drop in on ! dc0 inet from 192.168.2.0/24 to any

pass in quick on dc0 inet from 192.168.2.0/24 to ! 192.168.1.0/24 flags S/SA keep state label "USE RULE"

Anything else I should be looking for?

Mike

danswartz

Are these all the lines referring to dc0?

Atlanta-Mike

Yes, I ran pfctl -s rules | grep dc0. dc0 is my WLAN interface.

Mike

danswartz

I wonder if you are somehow running afoul of the automatic outbound NAT? Can you try changing that to Manual?

Atlanta-Mike

Thanks for the continued help. I have changed the outbound NAT to manual, but I am still able to connect to devices on the LAN interface from the WLAN interface.

Mike

danswartz

Have you tried deleting and re-adding the outbound WLAN rule? And then check the output from pfctl again?

Atlanta-Mike

OK, I deleted the WLAN rule and recreated it. I also removed the routing through the Untangle box to eliminate one possible complication. Now the cable goes directly from the router to the access point. It seems to be partially working, that is, blocking the WLAN from accessing the LAN. I can't get to the pfSense router (192.168.1.1), and I can't ping any device (TiVos, Windows Home Server, etc.) on the LAN. BUT, I can connect to either of the two TiVos' built-in web servers and to the Windows Home Server's built-in web server. So I can't be sure the LAN is 100% safe from the WLAN.

What I don't understand is why I can't connect to the pfSense router, but I can connect to the TiVos and the WHS.

Mike

danswartz

I'm a little confused about the network topology (e.g. the Untangle box etc.). Can you diagram this? Also, one question: are you running squid on the pfSense? If so, that might explain it: if you are running squid in transparent mode, pfSense will redirect the outbound HTTP request to the loopback interface on the pfSense box, and so the rule you added might not work (I am guessing here, and it would depend on what order the rules fire). If you can see LAN hosts on HTTP but no other service (even ones you know are open), I can't imagine what else it would be.

cmb

NAT has nothing to do with whether or not traffic gets passed; you should be using automatic NAT. With that rule you won't be able to get directly to anything on your LAN. You have Squid installed? That may let you around that. Or you may have an active connection from before you changed the rule to not allow that traffic; reset states to make sure all your previous connections are cut off.

Atlanta-Mike

Yes, I am running squid in transparent mode. For now, I have removed the Untangle box from the setup to eliminate one complication. However, here is how it was running with the Untangle box:

Cable modem ----- pfSense box ----- Untangle box (one inbound NIC, one outbound NIC) ----- switch ----- LAN
                              |
                              ----- Untangle box (one inbound NIC, one outbound NIC) ----- Wireless AP

So, if squid is allowing the WLAN users to access HTTP on the LAN, isn't this a potential security problem? Is the only option to not use squid? When I get home from work, I will stop squid and see if that stops WLAN users from getting to the LAN side.

Mike

danswartz

You have to not just stop squid but whatever implements the transparent proxy part (some sort of port redirection). Yes, that is a potential issue. Maybe you could deal with it with some sort of squid ACL?

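The mechanism danswartz describes a few posts up (pf applies the transparent-proxy redirect before the dc0 filter rules, so the rule never sees the LAN address), cmb's point that a connection opened before the rule change survives until states are reset, and the squid ACL suggestion, as one added example. This is not code from the thread, from pfSense or from squid: it is a small Python model of pf's evaluation order (state lookup, then rdr, then filter) with squid's http_access check behind the redirect. The interface name dc0 and the two subnets are the thread's; the proxy listener 127.0.0.1:3128, the client and server addresses, and the Firewall and Packet names are assumptions.

```python
"""Toy model of the pf pipeline and squid's access check, added to illustrate
the thread; not code from pfSense, squid or the thread. dc0 and the subnets
follow the thread; proxy listener, host addresses and names are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
WLAN = ip_network("192.168.2.0/24")
PROXY_IP, PROXY_PORT = "127.0.0.1", 3128  # assumed transparent squid listener


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrives on
    src: str
    dst: str
    dport: int


@dataclass
class Firewall:
    """Order mirrors pf: state table lookup, then rdr (NAT), then filter rules.
    Squid's http_access list is a separate stage behind the rdr."""
    lan_block_rule: bool = True      # 'pass ... from 192.168.2.0/24 to ! 192.168.1.0/24'
    transparent_proxy: bool = False  # squid intercepting port 80 on dc0
    guest_lan_acl: bool = False      # squid ACL denying guest -> LAN

    def __post_init__(self):
        self.states = set()

    def rdr(self, pkt: Packet) -> Packet:
        # pf translates before it filters, so the filter rules below only ever
        # see the rewritten destination, which is no longer inside the LAN.
        if self.transparent_proxy and pkt.iface == "dc0" and pkt.dport == 80:
            return replace(pkt, dst=PROXY_IP, dport=PROXY_PORT)
        return pkt

    def filter(self, pkt: Packet) -> bool:
        # The quoted rule: pass in quick on dc0 from 192.168.2.0/24 to ! 192.168.1.0/24.
        # Anything the rule does not pass hits the implicit default block.
        if pkt.iface != "dc0" or ip_address(pkt.src) not in WLAN:
            return False
        if self.lan_block_rule and ip_address(pkt.dst) in LAN:
            return False
        return True

    def squid_allows(self, client: str, origin: str) -> bool:
        # Models these squid.conf lines, checked on the original client and origin:
        #   acl guest_net src 192.168.2.0/24
        #   acl lan_net   dst 192.168.1.0/24
        #   http_access deny guest_net lan_net
        if self.guest_lan_acl and ip_address(client) in WLAN and ip_address(origin) in LAN:
            return False
        return True

    def connect(self, pkt: Packet) -> bool:
        """Does a connection attempt arriving on the guest interface get through?"""
        key = (pkt.iface, pkt.src, pkt.dst, pkt.dport)
        if key in self.states:  # an existing state matches before any rule is read
            return True
        translated = self.rdr(pkt)
        if not self.filter(translated):
            return False
        if translated.dst == PROXY_IP:
            # Intercepted: squid opens its own connection from the firewall host,
            # so the dc0 rules never see the real LAN destination again.
            allowed = self.squid_allows(pkt.src, pkt.dst)
        else:
            allowed = True
        if allowed:
            self.states.add(key)
        return allowed

    def flush_states(self) -> None:
        """Equivalent of resetting states on pfSense (Diagnostics > Reset States)."""
        self.states.clear()


# Constructed sample flows: a guest client, a LAN web server, an internet host.
GUEST_TO_LAN_HTTP = Packet("dc0", "192.168.2.50", "192.168.1.10", 80)
GUEST_TO_LAN_SSH = Packet("dc0", "192.168.2.50", "192.168.1.10", 22)
GUEST_TO_INTERNET = Packet("dc0", "192.168.2.50", "203.0.113.10", 80)


def transparent_proxy_hole() -> dict:
    """Guest -> LAN HTTP outcome for the three configurations discussed."""
    return {
        "no_proxy": Firewall().connect(GUEST_TO_LAN_HTTP),
        "proxy_no_acl": Firewall(transparent_proxy=True).connect(GUEST_TO_LAN_HTTP),
        "proxy_with_acl": Firewall(transparent_proxy=True, guest_lan_acl=True).connect(GUEST_TO_LAN_HTTP),
    }


def stale_state_survives_rule_change() -> tuple:
    """A flow opened before the block rule was added keeps passing until states are reset."""
    fw = Firewall(lan_block_rule=False)
    before = fw.connect(GUEST_TO_LAN_SSH)      # allowed: no block rule yet
    fw.lan_block_rule = True                   # admin adds the rule, does not reset states
    after_rule = fw.connect(GUEST_TO_LAN_SSH)  # still True: the state matches first
    fw.flush_states()
    after_reset = fw.connect(GUEST_TO_LAN_SSH) # now evaluated against the rules
    return before, after_rule, after_reset
```

transparent_proxy_hole() comes back with no_proxy False, proxy_no_acl True and proxy_with_acl False: the block rule works on its own, the transparent proxy opens the hole for port 80 only (which matches the symptom of web servers reachable while ping and the pfSense GUI are not), and a squid ACL closes it again. stale_state_survives_rule_change() returns (True, True, False). On a real pfSense box the redirect the model assumes is visible with pfctl -s nat (look for the rdr on dc0 to the squid port), states are cleared with pfctl -F states or Diagnostics > Reset States, and the three acl/http_access lines in the comment go into squid's custom options ahead of any http_access allow. Removing the guest interface from squid's listen list, as the thread's resolution does, removes the rdr for that interface and is the other way to close the hole.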
Atlanta-Mike

Looks like squid was the problem. I had it caching all of the interfaces. Once I removed the LAN and WLAN interfaces from being cached, I can no longer get to any device on the LAN side from the WLAN side.

Thanks for all the help.

Mike

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.