Difference between LAN and OPTx interfaces..?



  • Hi,

    I have set up RC2 with 4 interfaces:
    WAN
    LAN (DHCP enabled)
    WAN2 (Opt1) <not connected>
    LAN2 (Opt2) (No DHCP)

    The WAN port has its <default setting> (Block RFC1918 networks only)

    WAN2 is <not yet connected>

    My only rule for LAN
    Action: Pass
    Interface: LAN
    Protocol: TCP
    Source: LAN subnet
    Destination: Any
    Destination port range: Alias defined MyAliasPorts (FTP, POP3, HTTP etc…)
    Advanced / state type: <nothing>
    Gateway: Default

    My only rule for LAN2
    Action: Pass
    Interface: LAN2
    Protocol: TCP
    Source: LAN2 subnet
    Destination: Any
    Destination port range: Alias defined MyAliasPorts (FTP, POP3, HTTP etc...)
    Advanced / state type: <nothing>
    Gateway: Default

    When I connect to the LAN interface the rule works as expected, with only access to the internet through the ports defined in the alias.

    However, when I connect to the LAN2 interface with a computer with static IP and gateway and DNS set up correctly, I get no access to the internet.  Apparently I use the same rule for both interfaces, but they work differently.  Where is my problem..?

    I have defined the 'necessary' ports in the alias to try to block all 'unauthorized' traffic like bittorrents etc.  Is this the correct approach, or do I need to do this differently..?

    Thanks for some hints here.  pfSense seems to be a great product ;-)

    Hank



  • At first glance I don't see anything wrong with it (did you apply the settings after adding the rules?). Check Status > System logs, Firewall tab, for blocks on the LAN2 interface. Clicking the icon in front of the block line will show you what caused the block. Also make sure your clients on LAN2 use the correct gateway IP (the LAN2 IP of pfSense). Does it work if you set the destination ports to any? Also make sure your DNS is working. In case DNS does not work it might appear that you don't have a connection, as there is no name resolution.



  • Yes I applied the changes ;-)

    It works if I set the destination ports to 'any' but that's not what I want ;-)

    Thanks for the tip on system logs.  I will check that.

    Btw, on the testing workstation I put the LAN2 interface IP as gateway and DNS.  Will the DNS that pfSense's WAN port obtained from DHCP be used automatically for LAN and LAN2?

    So there is no particular difference in the way pfSense handles its LAN IF compared to any extra OPTx IFs?

    I have not entered any manual routes or changed anything in the NAT page.

    Please also comment this:

    If I try to get rid of bittorrents, is just opening a subset of 'necessary' destination ports like I'm doing the way to go, or does pfSense also have other features to block such services..?

    Hank



  • You get a DHCP Server tab for each interface at Services > DHCP Server. If you need one at LAN2, configure it there individually.
    There is no other mechanism to block bittorrent, but you could consider installing the squid package and only allowing access to the internet through squid.
    Does name resolution work at your LAN2?

    And no, there is really no difference between LAN and OPT interfaces concerning firewall rules. Btw, do you use advanced outbound NAT? If yes, make sure you have correct NAT rules for LAN2.



  • @hoba:

    Does name resolution work at your LAN2?

    You mean successfully pinging, say, www.cnn.com?  I will try tomorrow, I haven't the box in front of me now.

    @hoba:

    Btw, do you use advanced outbound NAT? If yes, make sure you have correct NAT rules for LAN2.

    I haven't altered anything from a default install as far as NAT is concerned.

    Btw, are there other examples besides the tutorials of common scenarios of pfSense usage…?

    Thanks Hoba for your valuable feedback.  I hope I get this up and running.  I'm very excited about pfSense's possibilities and I want to learn how to make the most out of it.

    best regards hank



  • At the moment information on how to set up special configurations can be found at http://pfsense.com/index.php?id=36 , http://wiki.pfsense.com , http://doc.pfsense.com and http://faq.pfsense.com . We hope to get a more or less complete documentation at our doc site once 1.0 gets final. Also several items of the m0n0 documentation still apply to pfSense. The m0n0 docs can be found at http://m0n0.ch/wall/documentation.php .



  • Just a short update:

    All started working OK when I enabled TCP/UDP and not only TCP as protocol in my LAN2 interface rule.  The strange thing is that the LAN interface rule only contains TCP and it works fine...  Any comments on this..?

    If I want to grant one specific IP access to a couple of ports in addition to those specified in the default port alias, would that be something like this?  Or should the extra rule come before the more general rule (if this does not restrict 192.168.55.34's port range to only ExtraPortAlias)?  192.168.55.34 should be granted access to MyAliasPorts + ExtraPortAlias:

    LAN2's one and only rule:
    Action: Pass
    Interface: LAN
    Protocol: TCP/UDP
    Source: LAN2 subnet
    Destination: Any
    Destination port range: MyAliasPorts
    Advanced / state type: <nothing>
    Gateway: Default

    LAN2's additional rule to grant some extra ports to 192.168.55.34
    Action: Pass
    Interface: LAN
    Protocol: TCP
    Source: 192.168.55.34
    Destination: Any
    Destination port range: ExtraPortAlias
    Advanced / state type: <nothing>
    Gateway: Default

    rgds

    Hank



  • Firewall rules are first match wins, from top down. You can't pass anything below that you already have blocked at the top. Just use your brain to evaluate your ruleset. Finally, if something is still blocked, visit Status > System logs > Firewall and click on the small block icon in front of an undesired block to see what rule triggered the block.
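The evaluation order hoba describes, and the TCP-only versus TCP/UDP difference Hank observed, as an added example in Python (not code from the thread or from pfSense itself). The alias contents (including DNS port 53 in MyAliasPorts), the subnets, the firewall addresses and the sample packets are all constructed here; the anti-lockout rule on LAN is pfSense's automatic rule for the firewall's own LAN address, and the example treats it as one plausible reason LAN works with a TCP-only rule while LAN2 does not, which the thread itself does not confirm.

```python
"""Added example (not from the thread or from pfSense): a minimal model of
pfSense's first-match-wins rule evaluation with an implicit default deny.
Aliases, subnets, firewall addresses and packets are constructed here."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Assumed alias contents. The thread only says "FTP, POP3, HTTP etc.", so
# including DNS (53) in MyAliasPorts is an assumption needed for name
# resolution to pass once UDP is allowed.
ALIASES = {
    "MyAliasPorts": frozenset({21, 25, 53, 80, 110, 443}),
    "ExtraPortAlias": frozenset({22, 8080}),
}
ANY = ip_network("0.0.0.0/0")
LAN_NET = ip_network("192.168.1.0/24")     # assumed LAN subnet
LAN2_NET = ip_network("192.168.55.0/24")   # assumed LAN2 subnet (holds 192.168.55.34)
FW_LAN_IP = "192.168.1.1"                  # assumed pfSense LAN address
FW_LAN2_IP = "192.168.55.1"                # assumed pfSense LAN2 address
TCP = frozenset({"tcp"})
TCP_UDP = frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    label: str
    action: str                          # "pass" or "block"
    protos: FrozenSet[str]
    src: IPv4Network
    dst: IPv4Network
    dst_ports: Optional[FrozenSet[int]]  # None means any port


def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.proto in rule.protos
            and ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and (rule.dst_ports is None or pkt.dst_port in rule.dst_ports))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; no match falls through to default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.label
    return "block", "default deny"


def lan_rules(protos: FrozenSet[str]) -> List[Rule]:
    # pfSense adds an automatic anti-lockout rule on LAN only (any protocol
    # from LAN to the firewall's own LAN address). That is one plausible
    # reason a TCP-only user rule still lets LAN clients reach the DNS
    # forwarder on UDP/53; the thread itself does not confirm it.
    return [
        Rule("anti-lockout", "pass", TCP_UDP, LAN_NET,
             ip_network(FW_LAN_IP + "/32"), None),
        Rule("LAN pass MyAliasPorts", "pass", protos, LAN_NET, ANY,
             ALIASES["MyAliasPorts"]),
    ]


def lan2_rules(protos: FrozenSet[str], extra_first: bool = False) -> List[Rule]:
    # OPT interfaces get no anti-lockout rule, only what the admin adds.
    general = Rule("LAN2 pass MyAliasPorts", "pass", protos, LAN2_NET, ANY,
                   ALIASES["MyAliasPorts"])
    extra = Rule("LAN2 extra ports for .34", "pass", TCP,
                 ip_network("192.168.55.34/32"), ANY, ALIASES["ExtraPortAlias"])
    return [extra, general] if extra_first else [general, extra]


def lan2_rules_block_on_top() -> List[Rule]:
    # hoba's point: a block rule above a pass rule wins for everything it
    # matches, so the later pass for ExtraPortAlias never sees port 22.
    block = Rule("block .34 to SSH", "block", TCP,
                 ip_network("192.168.55.34/32"), ANY, frozenset({22}))
    return [block] + lan2_rules(TCP_UDP)


if __name__ == "__main__":
    dns_lan = Packet("udp", "192.168.1.20", FW_LAN_IP, 53)
    dns_lan2 = Packet("udp", "192.168.55.20", FW_LAN2_IP, 53)
    ssh_34 = Packet("tcp", "192.168.55.34", "203.0.113.10", 22)
    torrent = Packet("tcp", "192.168.55.20", "203.0.113.10", 6881)
    print("LAN  TCP-only rule, UDP DNS:", evaluate(lan_rules(TCP), dns_lan))
    print("LAN2 TCP-only rule, UDP DNS:", evaluate(lan2_rules(TCP), dns_lan2))
    print("LAN2 TCP/UDP rule,  UDP DNS:", evaluate(lan2_rules(TCP_UDP), dns_lan2))
    print("LAN2 .34 -> 22, extra rule last:", evaluate(lan2_rules(TCP_UDP), ssh_34))
    print("LAN2 .34 -> 22, block on top:  ", evaluate(lan2_rules_block_on_top(), ssh_34))
    print("LAN2 any host -> 6881:         ", evaluate(lan2_rules(TCP_UDP), torrent))
```

Because both of Hank's LAN2 rules are pass rules, their relative order does not matter: 192.168.55.34 reaches MyAliasPorts plus ExtraPortAlias either way, other hosts only MyAliasPorts, and anything else (a UDP DNS query under the TCP-only rule, or a bittorrent-style port) falls through to the default deny. Order only starts to matter once a block rule is involved, as the last ruleset shows.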

