WLAN problem



  • I am running pfSense with 3 interfaces (WAN, LAN & WLAN).  The LAN (192.168.1.x) and WLAN (192.168.2.x) then run through an Untangle box for filtering (using 4 nic cards).  I can get to the internet fine from either the LAN or WLAN and the Untangle filtering is working fine.  However, since the WLAN is using an unsecured wireless AP that I use for guests, I don't want this interface to have access to the LAN, and I have the firewall rule set up to block it.  However, the WLAN is able to connect to the pfSense router (192.168.1.1) and other computers/devices on the LAN.  What am I doing wrong?

    Mike



  • Without seeing your rules, it's hard to say.



  • OK, is this what you wanted?  Need to work on my screen shots, sorry.

    http://www.mhfoto.com/web/Wifi%20rules.jpg



  • That is weird.  The rule you specified should be blocking the traffic.



  • Yea, I have searched and searched the forum looking for an answer and so far I am stumped.  I can connect to the wifi interface, get an IP in the 192.168.2.x subnet, but can still log into pfSense (192.168.1.1), either of the Tivos' web servers (both on the LAN interface with the 192.168.1.x subnet) and other devices on the LAN interface.

    Mike



  • If you ssh in to pfsense and do this:

    pfctl -s rules | grep WIFI

    (or whatever the name of the interface is), what do you see?



  • All that comes back is:

    anchor "dhcpserverPublicWifi" all

    PublicWiFi is the name of the interface.

    Mike



  • Hmmm, looking at my config, I don't have a 3rd interface, but I notice the rules do not say LAN but vr0.  Can you do 'ifconfig -a' and see what the actual interface is and grep for that in the rules?



  • OK, it says a lot of stuff.  Not sure how to get that data to post here.  I do see a few interesting lines, as follows (the WLAN interface is dc0 and 192.168.2.x subnet; the LAN interface is nfe0 and 192.168.1.x subnet):

    block drop in on  ! dc0 inet from 192.168.2.0/24 to any

    pass in quick on dc0 inet from 192.168.2.0/24 to ! 192.168.1.0/24 flags S/SA keep state label "USE RULE"

    Anything else I should be looking for?

    Mike



  • Are these all the lines referring to dc0?



  • Yes, I ran pfctl -s rules | grep dc0.  dc0 is my WLAN interface.

    Mike



  • I wonder if you are somehow running afoul of the automatic outbound NAT?  Can you try changing that to Manual?



  • Thanks for the continued help.  I have changed the outbound NAT to manual, but I am still able to connect to devices on the LAN interface from the WLAN interface.

    Mike



  • Have you tried deleting and re-adding the outbound WLAN rule?  And then check the output from pfctl again?



  • OK, I deleted the WLAN rule and recreated it.  I also removed the routing through the Untangle box to eliminate one possible complication.  Now the cable goes directly from router to the access point.  It seems to be partially working, that is, blocking the WLAN from accessing the LAN.  I can't get to the pfSense router (192.168.1.1), I can't ping any device (Tivos, Windows Home Server, etc) on the LAN.  BUT, I can connect to either of the two Tivos' built-in web servers and to the Windows Home Server built-in web server.  So I can't be sure the LAN is 100% safe from the WLAN.

    What I don't understand is why I can't connect to the pfSense router, but I can connect to the Tivos and the WHS.

    Mike



  • I'm a little confused about the network topology (e.g. the untangle box etc.)  Can you diagram this?  Also, one question: are you running squid on the pfsense?  If so, that might explain it: if you are running squid in transparent mode, the pfsense will redirect the outbound http request to the loopback interface on the pfsense, and so the rule you added might not work (I am guessing here, and it would depend on what order the rules fire.)  If you can see LAN hosts on http but no other service (even ones you know are open), I can't imagine what else it would be.



  • NAT has nothing to do with whether or not traffic gets passed; you should be using automatic NAT. With that rule you won't be able to get directly to anything on your LAN. You have Squid installed? That may let you around that. Or you may have an active connection from before you changed the rule to not allow that traffic; reset states to make sure all your previous connections are cut off.



  • Yes, I am running squid in transparent mode.  For now, I have removed the Untangle box from the set up to eliminate one complication.  However, here is how it was running with the Untangle box:

    Cable modem ----- pfSense box ------- Untangle box (one inbound NIC, one outbound NIC) ------ switch ----- LAN
                                  ------- Untangle box (one inbound NIC, one outbound NIC) ------ Wireless AP

    So, if squid is allowing the WLAN users to access http on the LAN, isn't this a potential security problem?  Is the only option to not use squid?  When I get home from work, I will stop squid and see if that stops WLAN users from getting to the LAN side.

    Mike



  • You have to not just stop squid but whatever implements the transparent proxy part (some sort of port redirection.)  Yes, that is a potential issue.  Maybe you could deal with it by some sort of squid acl?
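    The mechanism behind this reply, written out as an added illustration (this is not pfSense's generated ruleset or anything posted in the thread). It uses the interface and subnet names from the thread (dc0 = guest WLAN, 192.168.2.0/24; LAN = 192.168.1.0/24); squid listening on 127.0.0.1:3128 is an assumption (3128 is squid's default port). In pf, translation (rdr) rules are applied before the filter rules, and the filter rules see the translated packet, which is why a "to ! 192.168.1.0/24" pass rule lets proxied HTTP through:

```pf
# Added illustration, not pfSense's own ruleset. Names from the thread:
# dc0 = guest WLAN (192.168.2.0/24), LAN = 192.168.1.0/24.
# Squid on 127.0.0.1:3128 is an assumption (squid's default port).

# --- pf.conf: what the transparent proxy effectively adds ---
# rdr runs BEFORE the filter rules, and the filter sees the rewritten packet.
# A guest request to 192.168.1.50:80 arrives at the filter with destination
# 127.0.0.1:3128, so "to ! 192.168.1.0/24" matches and the flow is passed.
# Squid then fetches http://192.168.1.50/ itself from the firewall's own LAN
# address, which no rule on the guest interface ever evaluates.
rdr on dc0 inet proto tcp from 192.168.2.0/24 to any port 80 -> 127.0.0.1 port 3128
pass in quick on dc0 inet from 192.168.2.0/24 to ! 192.168.1.0/24 flags S/SA keep state

# --- pf.conf: keep LAN destinations out of the redirect ---
# Requests for LAN web servers are no longer rewritten, so the filter sees the
# real 192.168.1.x destination and the explicit block rule applies.
rdr on dc0 inet proto tcp from 192.168.2.0/24 to ! 192.168.1.0/24 port 80 -> 127.0.0.1 port 3128
block in quick on dc0 inet from 192.168.2.0/24 to 192.168.1.0/24
pass in quick on dc0 inet from 192.168.2.0/24 to ! 192.168.1.0/24 flags S/SA keep state

# --- squid.conf: second layer, for requests that still reach the proxy ---
# http_access lines are evaluated in order; this deny must come before any
# "http_access allow" that covers the guest subnet.
acl from_guest src 192.168.2.0/24
acl to_lan dst 192.168.1.0/24
http_access deny from_guest to_lan
```

    To see whether a redirect like the first rdr line is present on a box, `pfctl -s nat` lists the translation rules (the `pfctl -s rules` output quoted earlier in the thread shows only filter rules, which is why the grep for dc0 looked clean). After changing either the rdr or the filter rules, `pfctl -F state` flushes existing states so a connection opened under the old rules cannot survive, which is the "reset states" step mentioned above. The squid ACL on its own only covers HTTP that reaches the proxy; the block rule is what stops everything else from the guest subnet.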



  • Looks like squid was the problem.  I had it caching all of the interfaces.  Once I removed the LAN and WLAN interfaces from being cached, I can no longer get to any device on the LAN side from the WLAN side.

    Thanks for all the help.

    Mike



  • Good to hear!

