WLAN problem
-
I wonder if you are somehow running afoul of the automatic outbound NAT? Can you try changing that to Manual?
-
Thanks for the continued help. I have changed the outbound NAT to manual, but I am still able to connect to devices on the LAN interface from the WLAN interface.
Mike
-
Have you tried deleting and re-adding the outbound WLAN rule? And then check the output from pfctl again?
-
OK, I deleted the WLAN rule and recreated it. I also removed the routing through the Untangle box to eliminate one possible complication. Now the cable goes directly from router to the access point. It seems to be partially working, that is, blocking the WLAN from accessing the LAN. I can't get to the pfSense router (192.168.1.1), I can't ping any device (TiVos, Windows Home Server, etc.) on the LAN. BUT, I can connect to either of the two TiVos' built-in web servers and to the Windows Home Server built-in web server. So I can't be sure the LAN is 100% safe from the WLAN.
What I don't understand is why I can't connect to the pfSense router, but I can connect to the TiVos and the WHS.
Mike
-
I'm a little confused about the network topology (e.g. the untangle box etc.) Can you diagram this? Also, one question: are you running squid on the pfsense? If so, that might explain it if you are running squid in transparent mode, the pfsense will redirect the outbound http request to the loopback interface on the pfsense, and so the rule you added might not work (I am guessing here, and it would depend on what order the rules fire.) If you can see LAN hosts on http but no other service (even ones you know are open), I can't imagine what else it would be.
-
NAT has nothing to do with whether or not traffic gets passed, you should be using automatic NAT. With that rule you won't be able to get directly to anything on your LAN. You have Squid installed? That may let you around that. Or you may have an active connection from before you changed the rule to not allow that traffic, reset states to make sure all your previous connections are cut off.
-
Yes, I am running squid in transparent mode. For now, I have removed the Untangle box from the setup to eliminate one complication. However, here is how it was running with the Untangle box:
Cable modem ----- pfSense box ------- Untangle box (one inbound NIC, one outbound NIC) ------ switch ----- LAN
                                 ------- Untangle box (one inbound NIC, one outbound NIC) ------ Wireless AP
So, if squid is allowing the WLAN users to access http on the LAN, isn't this a potential security problem? Is the only option to not use squid? When I get home from work, I will stop squid and see if that stops WLAN users from getting to the LAN side.
Mike
-
You have to not just stop squid but whatever implements the transparent proxy part (some sort of port redirection.) Yes, that is a potential issue. Maybe you could deal with it by some sort of squid acl?
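The mechanism being described here can be shown with a small model. This is an added example, not code from the thread or from pfSense: it models pf's rule order (translation rules such as the transparent-proxy redirect run first, and the filter rules then see the rewritten destination), which is why a block rule for WLAN-to-LAN traffic never matches the port 80 packets that squid has already claimed. The 192.168.1.0/24 LAN and the 192.168.1.1 router come from the thread; the WLAN subnet, the WLAN address, and squid listening on 127.0.0.1:3128 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # from the thread: pfSense LAN is 192.168.1.1
WLAN_NET = ipaddress.ip_network("192.168.2.0/24")   # constructed: the WLAN subnet is not given on the page
SQUID = ("127.0.0.1", 3128)                         # constructed: squid on loopback, default port


@dataclass
class Packet:
    in_if: str   # interface the packet arrives on: "LAN" or "WLAN"
    src: str
    dst: str
    dport: int


def rdr_transparent_proxy(pkt, proxy_ifaces):
    """Model of the transparent-proxy redirect that pfSense installs for squid:
    TCP/80 arriving on a proxied interface is rewritten to squid on loopback.
    pf applies translation before filtering, so the filter rules see the
    rewritten destination, not the LAN host the client asked for."""
    if pkt.in_if in proxy_ifaces and pkt.dport == 80:
        return Packet(pkt.in_if, pkt.src, SQUID[0], SQUID[1]), True
    return pkt, False


def filter_rules(pkt):
    """The rule the poster added: block WLAN traffic destined for the LAN
    subnet; everything else from WLAN is passed (internet access)."""
    if pkt.in_if == "WLAN" and ipaddress.ip_address(pkt.dst) in LAN_NET:
        return "block"
    return "pass"


def evaluate(pkt, proxy_ifaces):
    """Run a packet through translation then filtering and report the outcome."""
    translated, redirected = rdr_transparent_proxy(pkt, proxy_ifaces)
    verdict = filter_rules(translated)
    if verdict == "pass" and redirected:
        # squid accepted the connection on loopback and now opens its own
        # connection from the router to the original LAN web server; the
        # WLAN->LAN block rule never sees that second connection.
        return "reaches LAN via squid"
    return verdict


def demo():
    """Reproduce the three observations from the thread as a dict of verdicts."""
    wlan_client = "192.168.2.50"   # constructed WLAN host
    lan_tivo = "192.168.1.10"      # constructed address for a LAN web server
    proxied = {"LAN", "WLAN"}      # squid "caching all of the interfaces"
    return {
        "http to LAN host, squid on WLAN":  evaluate(Packet("WLAN", wlan_client, lan_tivo, 80), proxied),
        "https to LAN host, squid on WLAN": evaluate(Packet("WLAN", wlan_client, lan_tivo, 443), proxied),
        "http to router, squid on WLAN":    evaluate(Packet("WLAN", wlan_client, "192.168.1.1", 80), proxied),
        "http to LAN host, squid on LAN only": evaluate(Packet("WLAN", wlan_client, lan_tivo, 80), {"LAN"}),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The last case is the fix the poster eventually applied: once the redirect no longer applies to the WLAN interface, the packet reaches the filter with its real LAN destination and the block rule matches. Note that in this model the router's own web interface on port 80 is also swallowed by the redirect, so "can't reach 192.168.1.1 but can reach the TiVos" is not explained by the rule order alone; squid's own behaviour for requests to the proxy host decides that, which is outside what the model covers.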
-
Looks like squid was the problem. I had it caching all of the interfaces. Once I removed the LAN and WLAN interfaces from being cached, I can no longer get to any device on the LAN side from the WLAN side.
Thanks for all the help.
Mike
-
Good to hear!