Quick questions about ip ranges and pfsense

  • For the life of me I cant figure out how to get IP ranges working for firewall rules.  Basically, i'm using m0n0wall in front of a Citrix server because the old firewall we had died (Sonicwall).  Its been working great, much better than the Sonicwall actually.

    So basically we rule out Citrix users by static IP addresses.  We allow some users to specify a small range of IP addresses but most of our users provide us with 1 static IP.  For the users that provide us with ranges, I cant figure out how that works.  I've read up on CIDR and tested it with one of our users that has a range and it just doesnt work for some reason.  Does anyone know if i'm doing it right?  I went in and created a new rule, I specify the source to be a Network, enter the CIDR and the starting address, correct?  Maybe i'm not doing the CIDR calculations correct but for this particular range everything I come up with says it's correct, yet the user still wasnt able to login until I changed it to his current IP within that range and he was about to log right in.

    Also, i'm wondering if I would be able to import a m0n0wall backup into pfsense?  Basically once i'm done configuring the m0n0wall the way we want, i'm then gonna switch over to pfsense.  I figure since pfsense is so closely related to m0n0wall that could work?

    Thanks guys!

  • Maybe a subnetcalculator can help you like http://www.subnet-calculator.com/ (you need the subnet ID in the rules).

    Btw, you might want to move to pfSense before completely configuring this in m0n0. pfSense features hosts (group of hosts) and networks (group of networks) aliases. By using this you can reduce your rules to just 2 firewallrules for what you mentioned.

    You can import a m0n0 config. Most items will be applied, however some items will be skipped (like traffic shaper) as they are completely different from m0n0.

  • Ok I know this is a late response but I figured out why the CIDR masks werent working.  It was because the users werent giving me the correct ranges or subnet masks so I was using the wrong CIDR masks.  I just tested it with our range and it works great.  I'll be moving us to pfsense in the next few weeks as a permanent solution.

Log in to reply