Netgate Discussion Forum
    Difference between LAN and OPTx interfaces..?

    Category: Firewalling (8 posts, 2 posters, 6.2k views)

      Hank wrote:

      Hi,

      I have set up RC2 with 4 interfaces:
      WAN
      LAN (DHCP enabled)
      WAN2 (Opt1) (not connected)
      LAN2 (Opt2) (No DHCP)

      The WAN port has its default setting (Block RFC1918 networks only)

      WAN2 is not yet connected.

      My only rule for LAN:
      Action: Pass
      Interface: LAN
      Protocol: TCP
      Source: LAN subnet
      Destination: Any
      Destination port range: Alias defined MyAliasPorts (FTP, POP3, HTTP etc...)
      Advanced / state type: (nothing)
      Gateway: Default

      My only rule for LAN2:
      Action: Pass
      Interface: LAN2
      Protocol: TCP
      Source: LAN2 subnet
      Destination: Any
      Destination port range: Alias defined MyAliasPorts (FTP, POP3, HTTP etc...)
      Advanced / state type: (nothing)
      Gateway: Default

      When I connect to the LAN interface the rule works as expected, with only access to the internet through the ports defined in the alias.

      However, when I connect to the LAN2 interface with a computer with static IP, gateway and DNS set up correctly, I get no access to the internet. Apparently I use the same rule for both interfaces, but they work differently. Where is my problem..?

      I have defined the 'necessary' ports in the alias to try to block all 'unauthorized' traffic like bittorrents etc. Is this the correct approach, or do I need to do this differently..?

      Thanks for some hints here. pfSense seems to be a great product ;-)

      Hank

        hoba wrote:

        From the first glance I don't see anything wrong with it (did you apply the settings after adding the rules?). Check status>systemlogs, firewall tab for blocks on the LAN2 interface. Clicking the icon in front of the block line will show you what caused the block. Also make sure your clients on LAN2 use the correct gateway IP (LAN2 IP of pfSense). Does it work if you set the destination ports to any? Also make sure your DNS is working. In case DNS does not work it might appear that you don't have a connection, as there is no name resolution.

          Hank wrote:

          Yes I applied the changes ;-)

          It works if I set the destination ports to 'any' but that's not what I want ;-)

          Thanks for the tip on system logs.  I will check that.

          Btw. on the testing workstation I put the LAN2 interface IP as gateway and DNS. Will the DNS that pfSense's WAN port obtained from DHCP be used automatically for LAN and LAN2?

          So there is no particular difference in the way pfsense handles its LAN IF compared to any extra OPTx IFs?

          I have not entered any manual routes or changed anything in the NAT page.

          Please also comment on this:

          If I try to get rid of bittorrents, is just opening a subset of 'necessary' destination ports like I'm doing the way to go, or does pfSense also have other features to block such services..?

          Hank

            hoba wrote:

            You get a DHCP Server tab for each interface at services>dhcp server. If you need one at LAN2, configure it there individually.
            There is no other mechanism to block bittorrent, but you could consider installing the squid package and only allowing access to the internet through squid.
            Does name resolution work on your LAN2?

            And no, there is really no difference between LAN and OPT interfaces concerning firewall rules. Btw, do you use advanced outbound NAT? If yes, make sure you have correct NAT rules for LAN2.

              Hank wrote:

              @hoba:

              Does name resolution work on your LAN2?

              You mean successfully pinging, say, www.cnn.com?  I will try tomorrow, I haven't the box in front of me now.

              @hoba:

              Btw, do you use advanced outbound NAT? If yes, make sure you have correct NAT rules for LAN2.

              I haven't altered anything from a default install as far as NAT is concerned.

              Btw, are there other examples besides the tutorials of common scenarios of pfSense usage...?

              Thanks Hoba for your valuable feedback. I hope I get this up and running. I'm very excited about pfSense's possibilities and I want to learn how to make the most out of it.

              Best regards, Hank

                hoba wrote:

                At the moment, information on how to set up special configurations can be found at http://pfsense.com/index.php?id=36 , http://wiki.pfsense.com , http://doc.pfsense.com and http://faq.pfsense.com . We hope to get more or less complete documentation at our doc site once 1.0 gets final. Also, several items of the m0n0 documentation still apply to pfSense. The m0n0 docs can be found at http://m0n0.ch/wall/documentation.php .

                  Hank wrote:

                  Just a short update:

                  All started working ok when I enabled TCP/UDP and not only TCP as protocol in my LAN2 interface rule. The strange thing is that the LAN interface rule only contains TCP and it works fine... Any comments on this..?

                  If I want to grant one specific IP access to a couple of ports in addition to those specified in the default port alias, would that be something like this? Or should the extra rule come before the more general rule (if this does not restrict 192.168.55.34's port range to only ExtraPortAlias; 192.168.55.34 should be granted access to MyAliasPorts + ExtraPortAlias):

                  LAN2's one and only rule:
                  Action: Pass
                  Interface: LAN
                  Protocol: TCP/UDP
                  Source: LAN2 subnet
                  Destination: Any
                  Destination port range: MyAliasPorts
                  Advanced / state type: (nothing)
                  Gateway: Default

                  LAN2's additional rule to grant some extra ports to 192.168.55.34:
                  Action: Pass
                  Interface: LAN
                  Protocol: TCP
                  Source: 192.168.55.34
                  Destination: Any
                  Destination port range: ExtraPortAlias
                  Advanced / state type: (nothing)
                  Gateway: Default

                  rgds

                  Hank

                    hoba wrote:

                    Firewall rules are first match wins, from top down. You can't pass anything below that you have already blocked on the top. Just use your brain to evaluate your ruleset. Finally, if something is still blocked, visit status>systemlogs, firewall and click on the small block icon in front of an undesired block to see what rule triggered the block.

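Added example (Python, written for this page; not code from the thread or from pfSense): a minimal first-match-wins evaluator, modelled on how pfSense reads an interface's rules top-down, run against the LAN2 rulesets in Hank's last post and the ordering point in hoba's reply. The port contents of MyAliasPorts and ExtraPortAlias and the LAN2 subnet (192.168.55.0/24) are assumptions; a DNS lookup normally goes out as UDP to port 53, which a TCP-only pass rule never matches.

```python
from dataclasses import dataclass

# Alias contents are assumed; the thread names the aliases but not their ports.
ALIASES = {
    "MyAliasPorts": {21, 53, 80, 110},  # FTP, DNS, HTTP, POP3 ("etc..." in the thread)
    "ExtraPortAlias": {22, 443},        # assumed extra ports for 192.168.55.34
}

@dataclass
class Rule:
    action: str      # "pass" or "block"
    protos: set      # {"tcp"} or {"tcp", "udp"}, as selected in the rule
    source: str      # "LAN2 subnet" or one host such as "192.168.55.34"
    dst_ports: str   # alias name or "any"

def src_matches(rule_src, src_ip):
    if rule_src == "LAN2 subnet":
        return src_ip.startswith("192.168.55.")  # assumed LAN2 is 192.168.55.0/24
    return rule_src == src_ip

def evaluate(rules, proto, src_ip, dst_port):
    """Walk the interface ruleset top-down; the first matching rule decides.
    Returns (verdict, index of matching rule), or ("block", None) for the
    implicit default deny when nothing matched."""
    for i, r in enumerate(rules):
        if (proto in r.protos and src_matches(r.source, src_ip)
                and (r.dst_ports == "any" or dst_port in ALIASES[r.dst_ports])):
            return r.action, i
    return "block", None

# Hank's original LAN2 rule (TCP only) and the working one (TCP/UDP)
TCP_ONLY = [Rule("pass", {"tcp"}, "LAN2 subnet", "MyAliasPorts")]
TCP_UDP = [Rule("pass", {"tcp", "udp"}, "LAN2 subnet", "MyAliasPorts")]
# The two-rule set from the last post, in both orders
EXTRA = Rule("pass", {"tcp"}, "192.168.55.34", "ExtraPortAlias")
GENERAL_FIRST = TCP_UDP + [EXTRA]
EXTRA_FIRST = [EXTRA] + TCP_UDP
# A block rule placed above the pass rules wins for that host (hoba's point)
BLOCK_ABOVE = [Rule("block", {"tcp", "udp"}, "192.168.55.34", "any")] + GENERAL_FIRST

if __name__ == "__main__":
    print("UDP/53 with TCP-only rule:", evaluate(TCP_ONLY, "udp", "192.168.55.34", 53))
    print("UDP/53 with TCP/UDP rule: ", evaluate(TCP_UDP, "udp", "192.168.55.34", 53))
    print("host .34 to 443, general first:", evaluate(GENERAL_FIRST, "tcp", "192.168.55.34", 443))
    print("host .34 to 443, extra first:  ", evaluate(EXTRA_FIRST, "tcp", "192.168.55.34", 443))
    print("host .10 to 443:", evaluate(GENERAL_FIRST, "tcp", "192.168.55.10", 443))
    print("host .34 to 80 with block above:", evaluate(BLOCK_ABOVE, "tcp", "192.168.55.34", 80))
```

Because both of Hank's rules are pass rules, either order grants 192.168.55.34 both aliases; order only matters once a block rule sits above a pass rule for the same traffic.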
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.