Howto setup ruleset



  • Hi guys,

    Newbie on the forum, but not a newbie at firewalling. We are changing from Kerio Control 7 to pfSense and have difficulties starting up. After the installation of 2.0RC3 we can't get traffic through to the LAN interface. Outbound works OK but needs reconfiguring in the future to limit outbound protocols. But we urgently need inbound traffic for e.g. VNC, RDP, a billboard HTTP.

    We have 3 NICs: LAN and 2 ISPs.
    Testing with WAN1 and a rule which enables certain IPs to VNC to an inside machine (first rule). The rule looks OK but no VNC session. The logfile indicates traffic is accepted, but the WAN1 IP is mentioned and a user rule of Networkadmin any-any (second rule). So no VNC, and the matching of rules is incorrect.

    Attached is the rule on the WAN1 link.

    What is wrong?
    How should we test?
    Why is there no howto on the config of rules? The docu/wiki is not good about this.
    ![Schermafbeelding 2011-09-09 om 10.24.37.png](/public/imported_attachments/1/Schermafbeelding 2011-09-09 om 10.24.37.png)





  • Thanks for the articles! Firewall troubles I know and have read.

    Port forward article: all known and done except… Do we need a Virtual IP?
    (7. Incorrect or missing Virtual IP configuration for additional public IP addresses.)

    How to forward a port: I start reading (RTFM). I started with RTFM....  ;D

    I think we need a NAT rule. With Kerio this is easier, and PFS needs separate rules?



  • Yes, NAT rules and firewall rules are two separate sets.
    If you're using 2.0, you can link two such rules (checkbox at the bottom).

    You only need Virtual IPs if you have more than 1 IP on your WAN.

    This might also apply to your case:
    http://doc.pfsense.com/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F



  • Arghh, I can't get it to work.

    I added a NAT rule and it made a FW rule automatically. What else do I need?

    I configured it on the WAN link I want to use. In NAT I enabled NAT reflection, but I don't need it because I connect from WAN to LAN, not LAN to WAN.

    I read the articles and only "How can I forward" applies. Except it describes in detail version 123, not 2.0.

    ![Schermafbeelding 2011-09-09 om 17.47.31.png](/public/imported_attachments/1/Schermafbeelding 2011-09-09 om 17.47.31.png)
    ![Schermafbeelding 2011-09-09 om 17.48.00.png](/public/imported_attachments/1/Schermafbeelding 2011-09-09 om 17.48.00.png)



  • Don't set a source port in either your NAT rule or your firewall rule.
    Just leave it at any.

    Source ports are random numbers >1024.
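    The advice above, written out in pf syntax as an added illustration (not configuration from this thread or from pfSense itself). pfSense compiles its GUI rules into pf, so a source port entered in the GUI becomes a `from ... port 5900` condition on the client side, which a client's random ephemeral port never satisfies. Interface `em0`, the admin addresses, the inside host 192.168.1.10 and port 5900 are constructed values.

    ```pf
    # Added example, not from the thread. Constructed values: WAN is em0,
    # the allowed admin workstations, the inside VNC host and TCP port 5900.
    wan      = "em0"
    admins   = "{ 203.0.113.10, 203.0.113.11 }"
    vnc_host = "192.168.1.10"

    # BROKEN: "port 5900" after "from" restricts the client's *source* port.
    # Clients pick a random port >1024, so neither rule ever matches and the
    # connection falls through to the default deny.
    # rdr on $wan inet proto tcp from $admins port 5900 to ($wan) port 5900 -> $vnc_host port 5900
    # pass in quick on $wan inet proto tcp from $admins port 5900 to $vnc_host port 5900 flags S/SA keep state

    # CORRECTED: keep the source IP restriction, leave the source port any,
    # and restrict only the destination port. The port forward rewrites the
    # destination to the inside host ...
    rdr on $wan inet proto tcp from $admins to ($wan) port 5900 -> $vnc_host port 5900
    # ... so the firewall rule must match the *translated* destination
    # (the inside host), not the WAN address.
    pass in quick on $wan inet proto tcp from $admins to $vnc_host port 5900 flags S/SA keep state
    ```

    The resulting ruleset that pfSense generated can be compared against this in /tmp/rules.debug on the firewall.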



  • Yes, we have got movement in the rules. VNC works! Thanks for your help.
    Now gradually moving machines and rules to pfs. Default gateway change.

    Also we have to get it working with 2 ISPs.

