Is any question stupid? pfSense is blocking all external access WTH?



  • This should be a piece of cake.  :-X
    I see this line in the installation: WAN is configured as DHCP client, all incoming connections are blocked by default. I'm using 2.0 by the way.
    Great, but what I don't see anywhere is how to unblock some connections. Just by adding rules?
    Right now I have added a bunch of rules, and everything works fine from my internal network, but nothing works from outside.
    My rules:
    Action  Proto  Source                          Src Port      Destination     Dst Port        Gateway  Queue  Description
    Block   *      RFC 1918 networks               *             *               *               *        *      Block private networks
    Block   *      Reserved/not assigned by IANA   *             *               *               *        *      Block bogon networks
    Pass    TCP    *                               80 (HTTP)     192.168.29.108  8080            *        none   Web Server Default
    Pass    TCP    *                               8055          192.168.29.121  80 (HTTP)       *        none   Ether Website
    Pass    TCP    *                               25 (SMTP)     192.168.29.130  25 (SMTP)       *        none   NAT SMTP
    Pass    TCP    *                               465 (SMTP/S)  192.168.29.130  465 (SMTP/S)    *        none   NAT SMTP
    Pass    TCP    *                               6622          192.168.29.130  8088            *        none   NAT SmarterMail
    Pass    TCP    *                               21 (FTP)      192.168.29.108  21 (FTP)        *        none   NAT FTP
    Pass    TCP    *                               53 (DNS)      192.168.29.104  53 (DNS)        *        none   NAT DNS
    Pass    TCP    *                               11801         192.168.29.134  11801           *        none   NAT SQL TST
    Pass    TCP    *                               2929          192.168.29.101  3389 (MS RDP)   *        none   NAT Remote Desktop My Local
    Pass    TCP    *                               443 (HTTPS)   192.168.29.108  443 (HTTPS)     *        none   NAT Secure DVM Web Support
    Pass    TCP    *                               2525          192.168.29.151  8080            *        none   TFS

    Any help, as you can imagine, is very much appreciated.



  • You need to add both port forwarding (NAT) and firewall rules. Try using the wizard instead of creating rules by hand.



  • As I create firewall rules, it adds port forward rules automatically, so I'm not sure what you mean. Also, there's no wizard for rules, is there?
    I forgot to mention that I have 13 public static IPs, so my gateway is set to XX.XX.XX.241 and WAN is XX.XX.XX.242, and I have another 12 VIPs (right now without any rules).
    So right now it's all using WAN address/port to an internal IP/port.



  • All those devices are using the pfSense host's LAN IP as their default gateway?



  • The whole internal network is using the LAN static IP as gateway, and everything works from the internal network: I can remote into any machine, access any website, torrent, FTP, etc. It is only from outside that nothing works; also, there isn't a single rule in the firewall showing a pass, all the logs show is blocked access...



  • Found a temporary solution: put the old RSV4000 back.



  • Are you sure you set the CIDR number correctly for your WAN IP address? You can verify this by pinging your WAN's gateway IP address from within the pfSense web GUI: select the WAN interface to use, then ping the WAN gateway. This will at least tell you whether you have connectivity to the WAN gateway.
    This will be a starting point, anyway.

    B



  • It may also be worth re-trying it without the virtual IPs, in case it was during the addition of those that things broke.

    Basically, start with a simple config and work up until either it works, or you know what causes the problem (and then somebody may be able to fix it if it's a bug or help you resolve it if it isn't).



  • Source port is not the same as destination port, should be any.
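The remark above is the whole problem in one line: a client never connects *from* port 80, 25 or 2929; it picks an ephemeral source port and connects *to* those ports. A rule that pins the source port therefore never matches, the default deny catches the packet, and the logs show only blocks. The following is an added example, not code from the thread or from the pfSense project: it parses the pass rules exactly as posted in the first post (assuming the pfSense 2.0 column order Proto, Source, Src Port, Destination, Dst Port, Gateway, Queue, Description), simulates a constructed inbound connection against them before and after clearing the source port, and renders both forms in pf.conf syntax so the mistake is visible in text. The packet fields, the `wan` interface name and the helper names are my assumptions.

```python
"""Added example (not from the thread or pfSense): why a rule with a fixed
*source* port never matches inbound client traffic.

Assumptions (mine): POSTED_RULES is copied from the first post, in pfSense
2.0 rule-list column order; the client connection below is constructed.
"""
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# Pass rules as posted (block rules have multi-word sources and are not
# needed to show the point).
POSTED_RULES = """\
Pass TCP * 80 (HTTP) 192.168.29.108 8080 * none Web Server Default
Pass TCP * 8055 192.168.29.121 80 (HTTP) * none Ether Website
Pass TCP * 25 (SMTP) 192.168.29.130 25 (SMTP) * none NAT SMTP
Pass TCP * 443 (HTTPS) 192.168.29.108 443 (HTTPS) * none NAT Secure DVM Web Support
Pass TCP * 2929 192.168.29.101 3389 (MS RDP) * none NAT Remote Desktop My Local
"""

# A port cell is "*" or a number optionally followed by an "(alias)".
PORT = r"(\*|\d+(?:\s\([^)]*\))?)"
RULE_RE = re.compile(
    rf"^(Pass|Block)\s+(\S+)\s+(\S+)\s+{PORT}\s+(\S+)\s+{PORT}\s+(\S+)\s+(\S+)\s+(.+)$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    src_port: Optional[int]   # None means "any"
    dst: str
    dst_port: Optional[int]   # None means "any"
    description: str


def _port(cell: str) -> Optional[int]:
    return None if cell == "*" else int(cell.split()[0])


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule line: {line!r}")
    action, proto, src, sp, dst, dp, _gw, _queue, desc = m.groups()
    return Rule(action, proto.lower(), src, _port(sp), dst, _port(dp), desc.strip())


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def matches(rule: Rule, proto: str, src_port: int, dst: str, dst_port: int) -> bool:
    """Does a packet with these headers hit this rule? pfSense evaluates WAN
    rules after port-forward NAT, so dst is already the internal address."""
    return (
        rule.proto == proto.lower()
        and (rule.src_port is None or rule.src_port == src_port)
        and rule.dst == dst
        and (rule.dst_port is None or rule.dst_port == dst_port)
    )


def hits(rules: List[Rule], proto: str, src_port: int, dst: str, dst_port: int) -> bool:
    """Any pass rule matches? No match means the default deny applies."""
    return any(matches(r, proto, src_port, dst, dst_port) for r in rules)


def lint_source_ports(rules: List[Rule]) -> List[str]:
    """Descriptions of rules that pin the source port: real clients use an
    ephemeral source port, so these rules effectively never match."""
    return [r.description for r in rules if r.src_port is not None]


def fix_source_port(rule: Rule) -> Rule:
    """The corrected rule: source port any, destination unchanged."""
    return replace(rule, src_port=None)


def to_pf(rule: Rule, iface: str = "wan") -> str:
    """Render the rule in pf.conf syntax (iface name is an assumption)."""
    sp = "" if rule.src_port is None else f" port {rule.src_port}"
    dp = "" if rule.dst_port is None else f" port {rule.dst_port}"
    return (f"{rule.action.lower()} in quick on {iface} proto {rule.proto} "
            f"from any{sp} to {rule.dst}{dp}")


if __name__ == "__main__":
    rules = parse_rules(POSTED_RULES)
    print("rules pinning a source port:", lint_source_ports(rules))
    # Constructed client: a browser on the internet, ephemeral source port.
    print("as posted:", hits(rules, "tcp", 51234, "192.168.29.108", 8080))
    fixed = [fix_source_port(r) for r in rules]
    print("fixed    :", hits(fixed, "tcp", 51234, "192.168.29.108", 8080))
    print(to_pf(rules[0]))
    print(to_pf(fix_source_port(rules[0])))
```

Running it reports every posted pass rule as pinning a source port, the constructed connection to 192.168.29.108:8080 is dropped as posted and passed once the source port is cleared, and the two pf lines differ only in `from any port 80` versus `from any`. A rule that pfSense generates from a NAT port forward carries source port any, which is also why the approach in the last post (add the port forward, let pfSense create the rule) worked where the hand-made rules did not.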



  • First of all, thanks to brcisna, Cry Havok, cmb; any help when you are about to get an axe to fix the glitch is great.

    I finally managed to make it work. I started from scratch with a reset to factory defaults, used the same configuration for WAN and LAN, and did not add the VIPs (yet). And of course all traffic was being blocked again. Then I added a simple rule for incoming HTTP on a custom port, 8088. Still not working; then I deleted the rule and did a port forward, and only then did the thing work. It's strange, as before I had added rules and the port forwards were added too, but (and maybe I'm too sleep-drunk, as it's 4:30am and I've been up since yesterday) it seems that you need to add a port forward and let pfSense create the rule in the firewall. I don't see what the difference is, but hey, if it works it works.
    I'll go from here, and after all the port forwards/rules are working I will start playing with VIPs and 1:1 mapping (which was my initial objective in moving to pfSense anyway).

    Thanks
    K

