Netgate Discussion Forum

Firewall rule limiting WAN access with limiter and L7

Category: Firewalling
7 Posts 2 Posters 2.2k Views
    jan.gestre
    last edited by Sep 19, 2011, 7:04 AM

    Hi Everyone,

    I've recently installed the newly released 2.0 and I'm trying to reconfigure the firewall rules. The said firewall rules are working as per the 1.2.3 release; however, when applied to the new version, they're not, which is why I'm starting from scratch. The default LAN to any rule works just fine, but when I tried to edit it, e.g. instead of all protocols I limited it to TCP and also limited the ports (80, 443), then saved and applied the new rule, no one from LAN could access the net anymore.

    I've also tried revising it by allowing all ports using TCP/UDP, and also added a limiter rule (500Kbps for torrents); unfortunately this does not work either. I don't know if I'm missing a step or something here; could someone please help me out with accomplishing the rules I've mentioned?

    Many thanks!

      marcelloc
      last edited by Sep 19, 2011, 2:29 PM

      First fix the rules, then try to apply shaping.

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

        jan.gestre
        last edited by Sep 20, 2011, 2:00 AM

        @marcelloc:

        First fix the rules, then try to apply shaping.

        Please see the screenshot of my simple LAN firewall rules as well as the aliases of the allowed ports. Whenever I enable this rule and disable the default LAN to any, the LAN subnet loses the internet connection; the only positive thing is that I can ping outside hosts like Google from the pfSense box.

        Any idea why? It's so simple but I can't figure it out.

        ![LAN firewall rules in v2.png](/public/imported_attachments/1/LAN firewall rules in v2.png)
        ![Aliases in v2.png](/public/imported_attachments/1/Aliases in v2.png)

          marcelloc
          last edited by Sep 20, 2011, 2:36 AM

          Create a rule for ICMP if you want it working.
          Create a rule to permit clients to do DNS queries (53 UDP to your DNS server).
          If your DNS server is a host on the LAN net, create a rule on LAN to permit this host to query DNS over the internet.

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

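As an added illustration of the point made in this reply (it is not code from the thread or from pfSense), the following first-match filter model shows why a LAN rule set that passes only TCP 80/443 breaks browsing: clients can reach web servers, but their DNS lookups and pings are dropped by the implicit default deny, so nothing resolves. The LAN subnet, client address and web host are constructed; the resolver address 208.67.222.222 is the one named later in the thread.

```python
"""Toy first-match packet filter modelling the LAN rule sets discussed above.

Added example, not pfSense code. Every rule is treated as 'quick' (first
match wins) and an unmatched flow hits the implicit default deny, which
is how rules on a pfSense interface behave.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

LAN_NET = "192.168.1.0/24"      # assumed LAN subnet (constructed)
CLIENT = "192.168.1.50"         # constructed LAN client
DNS_SERVER = "208.67.222.222"   # resolver mentioned in the thread
WEB_HOST = "203.0.113.10"       # constructed Internet host (documentation range)


@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for ICMP, which has no port


@dataclass(frozen=True)
class Rule:
    action: str                            # "pass" or "block"
    proto: Optional[str] = None            # None matches any protocol
    src_net: Optional[str] = None          # None matches any source
    dst: Optional[str] = None              # None matches any destination
    dports: FrozenSet[int] = frozenset()   # empty set matches any port

    def matches(self, f: Flow) -> bool:
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.src_net is not None and \
                ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst is not None and f.dst != self.dst:
            return False
        if self.dports and f.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Return the action of the first matching rule, or 'block' (default deny)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "block"


# The rule set from the first post: only TCP 80/443 out of LAN.
WEB_ONLY = [
    Rule("pass", "tcp", LAN_NET, None, frozenset({80, 443})),
]

# The same rule set with the two additions suggested in the reply above.
WEB_WITH_DNS_AND_ICMP = [
    Rule("pass", "udp", LAN_NET, DNS_SERVER, frozenset({53})),
    Rule("pass", "icmp", LAN_NET),
    Rule("pass", "tcp", LAN_NET, None, frozenset({80, 443})),
]

# Constructed sample flows a LAN client generates while browsing.
DNS_QUERY = Flow("udp", CLIENT, DNS_SERVER, 53)
PING = Flow("icmp", CLIENT, WEB_HOST)
HTTPS = Flow("tcp", CLIENT, WEB_HOST, 443)
TORRENT = Flow("tcp", CLIENT, WEB_HOST, 6881)   # still blocked by both rule sets


def browsing_works(rules: List[Rule]) -> bool:
    """Browsing needs name resolution *and* the web port; either one alone is useless."""
    return evaluate(rules, DNS_QUERY) == "pass" and evaluate(rules, HTTPS) == "pass"


def report(name: str, rules: List[Rule]) -> None:
    print(f"--- {name} ---")
    for label, flow in (("dns", DNS_QUERY), ("ping", PING),
                        ("https", HTTPS), ("torrent", TORRENT)):
        print(f"{label:8s} {evaluate(rules, flow)}")
    print(f"browsing works: {browsing_works(rules)}")


if __name__ == "__main__":
    report("web only (TCP 80/443)", WEB_ONLY)
    report("web + DNS + ICMP", WEB_WITH_DNS_AND_ICMP)
```

If the resolver is pfSense itself (the thread later mentions Unbound), the DNS rule's destination becomes the firewall's own LAN address rather than an external resolver, but the shape of the fix is the same: the lookup traffic must be passed explicitly once the default LAN to any rule is gone.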
            jan.gestre
            last edited by Sep 20, 2011, 2:55 AM

            @marcelloc:

            Create a rule for ICMP if you want it working.
            Create a rule to permit clients to do DNS queries (53 UDP to your DNS server).
            If your DNS server is a host on the LAN net, create a rule on LAN to permit this host to query DNS over the internet.

            Followed your suggestions, created a new rule allowing UDP port 53 access from LAN (see new screenshot), but it's still no dice, LAN can't connect to the internet. In the pfSense 1.2.3 release I don't have to create this new rule; pfSense uses the DNS servers defined during setup, i.e. 208.67.222.222. Unfortunately this does not work in v2.0 and I don't know why. BTW, I'm using Unbound DNS if that matters.

            ![LAN firewall rules in v2 - new.png](/public/imported_attachments/1/LAN firewall rules in v2 - new.png)

              marcelloc
              last edited by Sep 20, 2011, 3:11 AM

              The setup looks fine to me.

              Make some packet captures on LAN and WAN and see if you find something wrong.

              Elite Training: http://sys-squad.com

              Help a community developer! ;D

                jan.gestre
                last edited by Sep 20, 2011, 3:34 AM

                @marcelloc:

                The setup looks fine to me.

                Make some packet captures on LAN and WAN and see if you find something wrong.

                This is weird! I just re-enabled the new LAN firewall rules illustrated earlier and did the only thing I hadn't done so far, i.e. reboot the box, and voila! The new LAN rules are working. Another thing I found odd is that I have to create a rule allowing DNS access for the LAN subnet, which is not necessary in the 1.2.3 release.

                Will shift focus to the limiter part and L7 and get them to work; the last limiter and L7 rule I created made the connection crawl.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.