Difference between LAN and OPTx interfaces..?

Hank

Hi,

I have set up RC2 with 4 interfaces:
WAN
LAN (DHCP enabled)
WAN2 (Opt1) <not connected="">LAN2 (Opt2) (No DHCP)

The WAN port has its <default setting="">(Block RFC1918 networks only)

WAN2 is <not yet="" connected="">My only rule for LAN
Action: Pass
Interface: LAN
Protocol: TCP
Source: LAN subnet
Destinaton: Any
Destination port range: Alias defined MyAliasPorts (FTP, POP3, HTTP etc…)
Advance / state type <nothing>Gateway: Default

My only rule for LAN2
Action: Pass
Interface: LAN2
Protocol: TCP
Source: LAN2 subnet
Destinaton: Any
Destination port range: Alias defined MyAliasPorts (FTP, POP3, HTTP etc...)
Advance / state type <nothing>Gateway: Default

When I connect to the LAN interface the rule works as expected, with only access to the internet through the ports defined in the alias.

However when I connect to the LAN2 interface with a computer with static IP and gateway and DNS set up correctly I get no access to the internet.  Aparently I use the same rule for both interfaces, but they work differently.  Where is my problem..?

I have defined the 'necessary' ports in the alias to try to block all 'unauthorized' traffic like bittorents etc.  Is this the correct approach, or do I need to do this differently..?

Thanks for some hints here.  pfSense seems to be a great product ;-)

Hank</nothing></nothing></not></default></not>

hoba

From the first glance I don't see anything wrong with it (did you apply the settings after adding the rules?). Check status>systemlogs, firewall tab for blocks on LAN2 interface. Clicking the icon in front of the block line will show you what caused the block. Also make sure your clients on LAN2 use the correct gateway IP (LAN2 IP of pfSense). Does it work if you set the destinationports to any? Also make sure your DNS is working. In case DNS does not work it might appear that you don't have a connection as there is no nameresolution.

Hank

Yes I applied the changes ;-)

It works if I set the destination ports to 'any' but that's not what I want ;-)

Thanks for the tip on system logs.  I will check that.

Btw. on the testing workstation I put the LAN2 interface IP as gateway and DNS.  Will the DNS pfsense's WAN port obtained from DHCP be used automatically for LAN and LAN2?

So there is no particular difference in the way pfsense handles its LAN IF compared to any extra OPTx IFs?

I have not entered any manual routes or changed anything in the NAT page.

Please also comment this:

If I try to get rid of bittorrents, is just opening a subset of 'necessary' destination ports like I'm doing, the way to go or does pfsense also have other features to block such services..?

Hank

hoba

You get a DHCP Server tab for each interface at services>dhcp server. If you need one at LAN2 configure it there individually.
There is no other mechanism to block bittorrent but you could consider installing the squid package and only allow access to the internet through squid.
Does Nameresolution work at your LAN2?

And no, there is no really difference between LAN and OPT interfaces concerning firewallrules. Btw, do you use advanced outbound NAT? If yes make sure you have correct NAT rules for LAN2.

Hank

@hoba:

Does Nameresolution work at your LAN2?

You mean successfully pinging, say, www.cnn.com?  I will try tomorrow, I haven't the box in front of me now.

@hoba:

Btw, do you use advanced outbound NAT? If yes make sure you have correct NAT rules for LAN2.

I haven't altered anything from a default install as of NAT.

Btw, does it exist other examples as the tutorials of common scenarios of pfsense usage…?

Thanks Hoba for your valuable feedback.  I hope I get this up and running.  I'm very excited of pfsense's possibilities and I want to learn how to make the most out of it.

best regards hank

hoba

At the moment information on how to set up special configurations can be found at http://pfsense.com/index.php?id=36 , http://wiki.pfsense.com , http://doc.pfsense.com and http://faq.pfsense.com . We hope to get a more or less complete documentation at our doc site once 1.0 gets final. Also several items of the m0n0 documentation still apply to pfSense. The m0n0 docs can be found at http://m0n0.ch/wall/documentation.php .

Hank

Just a short update:

All started working ok when I enabled TCP/UDP and not only TCP as protocol in my LAN2 interface rule.  The strange thing is that the LAN interface rule only contains TCP and it works fine …..  Any comments on this..?

If I want to grant one specific IP access to a couple of ports in addition to those specified in the default port alias, would that be something like this?  - Or should the extra rule come before the more general rule (if this does not restrict 192.168.55.34's port range to only ExtraPortAlias.  192.168.55.34 shoul be granted access to MyAliasports + ExtraPortAlias:

LAN2's one and only rule:
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: LAN2 subnet
Destinaton: Any
Destination port range: MyAliasPorts
Advance / state type <nothing>Gateway: Default

LAN2's additional rule to grant some extra ports to 192.168.55.34
Action: Pass
Interface: LAN
Protocol: TCP
Source: 192.168.55.34
Destinaton: Any
Destination port range: ExtraPortAlias
Advance / state type <nothing>Gateway: Default

rgds

Hank</nothing></nothing>

hoba

Firewallrules are first match wins from top down. You can't pass anything below that you already have blocked on the top. Just use your brain to evaluate your ruleset. Finally, if something is still blocked visit status>systemlogs. firewall and click on the small block icon in front of an undesired block to see what rule triggered the block.