Is this all possible with Pfsense?
I tested PFsense for a couple of weeks at home and really like all the functions, can't wait for the 1.0 release!
I'd like to install a Soekris running Pfsense for a customer who has the folowing needs
he wants a lan and Wlan on different subnets. The Wlan is for customers, but sometimes for employees who must have acces to the lan also. Traffic shaping on the wlan side would be even better.
I tried a couple of hours ago a similar setup on my own soekris but apparently I forget something;I made a opt1 interface, enabled DHCP on it and added a firewall rule to allow all traffic out (same as default lan rule) but still I can't acces the net (the filter rules show blocked traffic to 192.168.1.1:53 (default block rule), Do I have to specificly enable traffic from any to the Wlan NIC?
What is the best way to have the above setup?
write down all their wireless MAc's and putt them in the DHCP server of opt1 (Wlan interface) and assign them a sepparte addres and allow these clients acces to the lan?
Another question: the Cable ISP inhere frequently changes DNS server so I have to use those assigned on the Wan interface , will dhcp clients on the opt1 interface use those DNS server automatically?
wan: (cable modem) dhcp client
lan:dhcp server 10.0.0.15-150
Wlan: 192.168.1.50-150 (192.168.1.1-50 is for "trusted" laptops who can acces the lan)
Thanks in advance for your help and hints!
Trafficshaping on more than 2 Interface is not supported at the moment.
Concerning your hometestsetup your firewallrule must be wrong somewhere as it doesn't match but get's blocked by the default block all. Please past it if you want to know what's wrong here.
For the permitted wlanclients that should have access to lan you can either do it the way you described (mapping them static by DHCP and creating firewallrules) or you could use some sort of VPN that they have to use to access the lan. Then that traffic would even be encrypted. Remember that wlans always can be sniffed. It depends on how secure you need this to be.
The changing DNS-Servers of your ISP should be no problem if you have "Allow DNS server list to be overridden by DHCP/PPP on WAN" at system>general enabled and your clients are using the dnsforwarder of the pfSense.
thank you very much for your reply, I'm starting to get frustrated because I can't fix it…I attached some screenshots from my home setup, the firewall rules these generate are:
Oct 12 11:48:35 WlanDMZ 192.168.1.255:59798 192.168.1.1:53 TCP
Oct 12 11:48:35 WlanDMZ 192.168.1.255:59797 192.168.1.1:53 TCP
Oct 12 11:48:35 WlanDMZ 192.168.1.255:59796 192.168.1.1:53 TCP
Oct 12 11:48:35 WlanDMZ 192.168.1.255:59795 192.168.1.1:53 TCP
Oct 12 11:48:35 WlanDMZ 192.168.1.255:59794 192.168.1.1:53 TCP
Oct 12 11:48:35 WlanDMZ 192.168.1.255:59793 192.168.1.1:53 TCP
Oct 12 11:48:35 WlanDMZ 192.168.1.255:59792 192.168.1.1:53 TCP
Oct 12 11:48:35 WlanDMZ 192.168.1.255:59791 192.168.1.1:53 TCP
Oct 12 11:48:35 WlanDMZ 192.168.1.255:59790 192.168.1.1:53 TCP
Oct 12 11:48:31 WlanDMZ 192.168.1.255:59785 255.255.255.255:2222 UDP
Oct 12 11:48:31 WlanDMZ 192.168.1.255:59782 192.168.1.1:53 TCP
Oct 12 11:48:30 WlanDMZ 192.168.1.255:51069 10.0.1.1:443 TCP
Oct 12 11:48:27 WlanDMZ 192.168.1.255:5353 192.168.1.1:53 TCP
Oct 12 11:48:27 WlanDMZ 192.168.1.255:51069 10.0.1.1:443 TCP
Oct 12 11:48:25 WlanDMZ 192.168.1.255:51069
192.168.1.255 is my laptop
192.168.1.1 is Wlan_DMZ interface
10.0.1.1 is the LAN ip adress
Thanks again for your help!
chance the ipadress of youre laptop
192.168.1.255 is a broadcast adress
a pc will use that ipadress if it has somthing to tell to all the clients on the network
192.168.1.254 is the last ipadress you can use
Thanks for the tip, I changed the range immediately to 254 and my new IP is 192.168.1.254
and in the system logs I see this entry: dhcpd: icmp_echorequest 192.168.1.254: Operation not permitted
Oct 12 13:26:13 WlanDMZ 192.168.1.254:60527 192.168.1.1:53 TCP
Oct 12 13:26:13 WlanDMZ 192.168.1.254:60525 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60523 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60521 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60520 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60518 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60516 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60514 192.168.1.1:53 TCP
Oct 12 13:26:12 WlanDMZ 192.168.1.254:60512 192.168.1.1:53 TCP
If I click on the icon next to the blocked attempt:
@78 block drop in log quick all label "Default block all just to be sure."
My computer tries to connect to the WLanDMZ port of the soekris but is is blocked but I have a rule under WlanDMZ:
TCP/UDP WlanDMZ net * LAN address 53 (DNS) *
Could this be the problem; the Cable modem is bound to the first MAC adress it finds (the Lan port of the Soekris) ? Just want to be sure but the blocked traffic to 192.168.1.1 (WlanDMZ interface)…
When I enter a static Ip (.200) and these rules (changed destination to WlanDMZ port instead of the Lan port, 192.168.1.1 is the DMZ port)
TCP/UDP WlanDMZ net * Interface IP address 53 (DNS) *
* WlanDMZ net * ! LAN net * *
this traffic gets blocked:
WlanDMZ 192.168.1.200:60993 192.168.1.255:137 UDP
Oct 12 13:42:50 WlanDMZ 192.168.1.200:51431 126.96.36.199:80 TCP
Oct 12 13:42:50 WlanDMZ 192.168.1.200:60993 192.168.1.255:137 UDP
Oct 12 13:42:50 WlanDMZ 192.168.1.200:60993 192.168.1.255:137 UDP
Oct 12 13:42:49 WlanDMZ 192.168.1.200:60991 192.168.1.255:137 UDP
Oct 12 13:42:49 WlanDMZ 192.168.1.200:60991 192.168.1.255:137
What version are we looking at here? Please paste the Versioninfo including builddate from status>system.
I'm running 1.0-RC3
built on Mon Oct 2 01:43:47 UTC 2006
I applied the 1.0-RC3a patch…
I hope it's a bug, it's driving me nuts cause I can't figure this one out... ???
thanks for helping, I appreciate it!
Did you try to reboot? maybe the invalid broadcastadress you used mixed something up. Also upgrade b,c,d,e too. It works just fine here.
dhcpd: icmp_echorequest 192.168.1.254: Operation not permitted
for this you need a rule that alows icmp trafic
Proto Source Port Destination Port Gateway Description
tcp WlanDMZ any any icmp default ping rule
make sure youre rules are in the corect order
the first rule that matches wiil be caried out the rest is ignord
Hi guys, thanks for all the suggestions, after a reboot it started working and I could surf the web immediately. There is one thing I do not understand, when I connect on the opt1 (wlanDMZ) interface I can still ping the lan network, but I have these rules, shouldn't the second rule block everything from the DMZ subnet entering the lan net?
TCP/UDP WlanDMZ net * Interface IP address 53 (DNS) * permit dns > wlan interface
* WlanDMZ net * ! LAN net * * permit DMZ to any but LAN
the lanipadress the opt1 ipadress are excluded from rules so that you can never lock youre self out of youre pfsense server
try pinging a pc on the lan network not the laninterface ip
Looks like we found a bug that under certain circumstances caused firewallrules to be not applied. This will be fixed in the next release (and is already fixed in cvs).
Maybe it is the default antilockout rule like jeroen suspects. You can disable this at system>advanced but be careful to not log yourself out from webgui completely.
Yes, this rule shouldn't permit traffic to LAN. However I usually use explicit blocks followed by a pass all for these kind of setups. If you add one more nic and want to block traffic to this subnet too you won't be able to define a rule like !LAN and !OPT2 for example.
not sure if it's the anti lockout rule, I have 2 network interface in my laptop, wired and wireless,when I plug in an ethernet cable my laptop wil use this connection, but 5 minutes ago whie testing I was connected with ethernet and tried to ping a host in the LAn subnet, I guess the blocked pings over ethernet were sent again over wifi (lan subnet) so they did reach their destination, I guess the rules are OK now (screenshot)?
thank god it was just simple user errors and a reboot to fix this, it was driving me nuts.
Glad I can help my client with a pfSense firewall.
to the devs; thanks for such a wonderfull piece of software!
if you connect youre laptop by lan and by wireless then for 192.168.1.x ipadresses it will use the wireless connection
and for 10.0.1.x ipadresses it will use the lan connection
so to test if youre wireless rules work you need to disconect the lanconnection from youre laptop
just installed release 1.0 and made the same setup again in a couple of minutes, works perfect here! Thanks for all the help guys!
@jeroen; are you dutch?
@mac ja ik ben nederlander
@jeroen: ik ben van van België :)
I don't want to open en new topic for this; but my firewall logs are filled with probes from my ISP, it is possible to edit the default block rules in some way?
I still want to see the blocked attempts, just want to skip al those things like
ct 16 08:51:22 WAN 188.8.131.52 184.108.40.206 IGMP
Oct 16 08:51:22 WAN 10.164.128.1 220.127.116.11 IGMP
Oct 16 08:51:22 WAN 18.104.22.168 22.214.171.124 IGMP
Oct 16 08:51:22 WAN 126.96.36.199 188.8.131.52 IGMP
I tried adding a rule to block from any to 184.108.40.206 and no logging but I can't move this rule to the top. Any suggestions to keep those 220.127.116.11 entries away from my logs?
I know I can disable logging fom the default block rules, but I still want to view the blocked attempt on other ports, just the 18.104.22.168 stuff is filling my firewall logs….
At status>systemlogs, settings disable the default logging. Then add a block rule/block rules at WAN with a logging flag that only log the desired traffic.