WiFiOPT1 interface cant reach internet

sloan

I want to allow a wireless AP net access from OPT1

This is the rule for the WiFiOPT1 interface I want this to go straight to the internet not to the LAN

What am i doing wrong?

FIREWALL RULES fir WiFiOPT1
TCP  WiFiOPT1 net  *  ! LAN net  *  *

WAN

*  RFC 1918 networks  *  *  *  *  Block private networks

TCP  *  *  192.168.1.1  80 (HTTP)  *  NAT Opening Remote GUI access for PFS

TCP  *  *  192.168.2.1  25 (SMTP)  *  NAT NAT allow smtp to mail server

TCP  *  *  192.168.2.1  80 (HTTP)  *  NAT NAT allow http to GEARNET

TCP  *  *  192.168.2.5  80 (HTTP)  *  NAT Forwarded to SugarCRM

LAN
*  LAN net  *  *  *  *

Firewall: NAT: Port Forward

WAN  TCP  22 (SSH)  192.168.2.239
(ext.: 66.74.666.999) 22 (SSH) NAT allow SSH to NSLU server

WAN TCP 80 (HTTP) 192.168.2.239
(ext.: 66.74.666.999) 80 (HTTP) NAT allow http to NSLU  server

WAN TCP 8080  192.168.2.5
(ext.: 66.74.999.999) 80 (HTTP) Forwarded to SugarCRM

hoba

Are you sure you only want to allow tcp but not icmp, udp and so on? Change the protocol to any in your optwifi rule. Guess you just have issues pinging as you don't allow icmp and with nameresolution as you not allow udp.

sloan

oops  that was really set to any, as it is now.  I copied it when I was testing switching it around, testing other options etc..

I can ping VIA pfsense ssh to the server in the DMZ.  so I know the NIC  works.  But some other config is messed up.

I read the monowall tutorial on DMZ'S that is where I got that firewall rule from.

Do you have any other suggestions?

sai

you haven't stated what the problem is.

sloan

I could be more clear, so here goes.    Here is what i stated above      "I want to allow a wireless AP net access from OPT1"

I can't ping out of the OPT1 interface to the internet.  I can ping from pf through the OPT1 interface to the DMZ server.  So the nic works.

I read the monowall tutrorial for DMZ's and implemented the firewall rules to allow access to the DMZ to the net.  But they are not working in my implementation.

Thanks in advance for any help and for the above replies.

sloan

Here is what I did to fix this.  I reinstalled pf in a live production environment.  I had live hosts attached to all 4 NIC ports.  When I tried to implement the firewall rule as listed in the monowall DMZ tutorial without live hosts attached the NIC would not allow any traffic to the NET.  the NIC's would allow traffic from the pf ssh console to the LAN'S not the other way.  I would normally say pf would not need a live host but this is the third time I tried I fresh install.  The third was a charm.  And only on the third time did i have a live host attached,  so who knows?
I started with allowing all to all on the LAN2 and LAN3  NIC'S.  Once I knew they were allowing traffic to the net and each other I tightened them down with allow any traffic to the NET and not the other LAN'S.  Similar to a DMZ.

Right before the new install I was getting some strange firewall errors in the log.  I tried to correct and then went for a fresh install.

Now I can have WiFi on its own LAN straight to the net,  no access to the other LAN'S.  ;D 8)

jeroen234

sounds like you had made a bridge somewhere
but dit not had all conections of the bridge pluged in
so then the bridge is broken and will not work

sloan

Yes that probably had something to do with it.  In the configuration I had in the past bridged some interfaces.  It is possible that I did not unbridge them.  Who knows I thought that I did?