Netgate Discussion Forum
    Howto setup ruleset

    General pfSense Questions
    7 Posts 2 Posters 2.1k Views

    Guest

      Hi guys,

      Newbie on the forum, but not a newbie at firewalling. We are changing from Kerio Control 7 to pfSense and are having difficulties starting up. After the installation of 2.0RC3 we can't get traffic through to the LAN interface. Outbound works OK but needs reconfiguring in the future to limit outbound protocols. But we urgently need inbound traffic for e.g. VNC, RDP, a billboard HTTP.

      We have 3 NICs: LAN and 2 ISPs.
      Testing with WAN1 and a rule which enables certain IPs to VNC to an inside machine (first rule). The rule looks OK but no VNC session. The log file indicates traffic is accepted, but the WAN1 IP is mentioned and a user rule of Networkadmin any-any (second rule). So no VNC, and the matching of rules is incorrect.

      Attached is the rule on the WAN1 link.

      What is wrong?
      How should we test?
      Why is there no howto on the config of rules? The docs/wiki are not good about this.
      ![Schermafbeelding 2011-09-09 om 10.24.37.png](/public/imported_attachments/1/Schermafbeelding 2011-09-09 om 10.24.37.png)

      GruensFroeschli

        http://doc.pfsense.com/index.php/How_can_I_forward_ports_with_pfSense%3F
        http://doc.pfsense.com/index.php/Port_Forward_Troubleshooting
        http://doc.pfsense.com/index.php/Firewall_Rule_Troubleshooting

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        Guest

          Thanks for the articles! Firewall troubles I know and read.

          Port forward article - all known and done except… Do we need a Virtual IP?
          (7. Incorrect or missing Virtual IP configuration for additional public IP addresses.)

          How to forward ports: I started reading (RTFM). I started with RTFM....  ;D

          I think we need a NAT rule. With Kerio this is easier, and pfSense needs separate rules?

          GruensFroeschli

            Yes, NAT rules and firewall rules are two separate sets.
            If you're using 2.0 you can link two such rules (checkbox at the bottom).

            You only need Virtual IPs if you have more than 1 IP on your WAN.

            This might also apply to your case:
            http://doc.pfsense.com/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

            Guest

              Arghh, I can't get it to work.

              I added a NAT rule and it made a FW rule automatically. What else do I need?

              I configured it on the WAN link I want to use. In NAT I enabled NAT reflection, but I don't need it because I connect from WAN to LAN, not LAN to WAN.

              I read the articles and only "How can I forward ports" applies. Except it describes in detail version 1.2.3, not 2.0.

              ![Schermafbeelding 2011-09-09 om 17.47.31.png](/public/imported_attachments/1/Schermafbeelding 2011-09-09 om 17.47.31.png)
              ![Schermafbeelding 2011-09-09 om 17.48.00.png](/public/imported_attachments/1/Schermafbeelding 2011-09-09 om 17.48.00.png)

              GruensFroeschli

                Don't set a source port in both your NAT rule and your firewall rule.
                Just leave it at any.

                Source ports are a random number > 1024.

                Guest
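What the two pieces of advice above (separate NAT and filter rule sets; source port left at any) look like in the underlying packet filter, as an added example. This is hand-written pf.conf syntax for FreeBSD pf, which pfSense drives under the GUI; it is not the thread's screenshots and not rules generated by pfSense itself. The interface name em0, the addresses 203.0.113.10 (WAN1), 192.168.1.50 (VNC server) and 198.51.100.0/24 (admin source network) are made up for the example.

```pf
# Constructed example, not from the thread. Assumed values:
#   em0              = WAN1 interface
#   203.0.113.10     = WAN1 address
#   192.168.1.50     = inside VNC server
#   198.51.100.0/24  = the "Networkadmin" source network
ext_if   = "em0"
wan1_ip  = "203.0.113.10"
vnc_host = "192.168.1.50"
table <networkadmin> { 198.51.100.0/24 }

# WRONG: the source port is pinned to 5900 in both the NAT (rdr) rule and
# the filter (pass) rule. A VNC client connects FROM a random ephemeral
# port (> 1024) TO port 5900, so neither rule ever matches and the packet
# falls through to whatever later rule catches it (the any-any rule in the
# original post), or is dropped by the default deny.
#
# rdr on $ext_if proto tcp from <networkadmin> port 5900 to $wan1_ip port 5900 -> $vnc_host port 5900
# pass in quick on $ext_if proto tcp from <networkadmin> port 5900 to $vnc_host port 5900 keep state

# CORRECT: constrain the source address and the destination port only; the
# source port is left unrestricted (any).
#
# NAT rule: translate traffic arriving on WAN1:5900 to the inside host.
rdr on $ext_if proto tcp from <networkadmin> to $wan1_ip port 5900 -> $vnc_host port 5900

# Filter rule: pf applies rdr before filtering, so the pass rule must match
# the already-translated destination (the inside host), which is also what
# the "associated filter rule" checkbox in pfSense 2.0 generates for you.
pass in quick on $ext_if proto tcp from <networkadmin> to $vnc_host port 5900 keep state
```

Two checks worth doing when a forward still fails: confirm the filter rule names the translated (inside) address rather than the WAN address, and confirm nothing earlier in the ruleset uses `quick` to match the same traffic, since first match wins and the log will then name that earlier rule instead of the one you expect.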

                  Yes, we have got movement in the rules. VNC works! Thanks for your help.
                  Now gradually moving machines and rules to pfSense. Default gateway change.

                  Also we have to get it working with 2 ISPs.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.