WiFiOPT1 interface can't reach internet



  • I want to allow a wireless AP net access from OPT1

    This is the rule for the WiFiOPT1 interface. I want this to go straight to the internet, not to the LAN.

    What am I doing wrong?

    FIREWALL RULES for WiFiOPT1
    TCP  WiFiOPT1 net  *  ! LAN net  *  *

    WAN

    *  RFC 1918 networks  *  *  *  *  Block private networks

    TCP  *  *  192.168.1.1  80 (HTTP)  *  NAT Opening Remote GUI access for PFS

    TCP  *  *  192.168.2.1  25 (SMTP)  *  NAT NAT allow smtp to mail server

    TCP  *  *  192.168.2.1  80 (HTTP)  *  NAT NAT allow http to GEARNET

    TCP  *  *  192.168.2.5  80 (HTTP)  *  NAT Forwarded to SugarCRM

    LAN
    *  LAN net  *  *  *  *

    Firewall: NAT: Port Forward

    WAN  TCP  22 (SSH)  192.168.2.239
    (ext.: 66.74.666.999) 22 (SSH) NAT allow SSH to NSLU server

    WAN TCP 80 (HTTP) 192.168.2.239
    (ext.: 66.74.666.999) 80 (HTTP) NAT allow http to NSLU  server

    WAN TCP 8080  192.168.2.5
    (ext.: 66.74.999.999) 80 (HTTP) Forwarded to SugarCRM



  • Are you sure you only want to allow TCP but not ICMP, UDP and so on? Change the protocol to any in your optwifi rule. Guess you just have issues pinging as you don't allow ICMP, and with name resolution as you do not allow UDP.
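
The point made in the reply above, as an added example that is not part of the thread: a small first-match model of the posted `TCP  WiFiOPT1 net  *  ! LAN net` rule next to the same rule with protocol any, run over constructed traffic. The subnets, client address and destination addresses are assumptions, and the model only covers protocol, source and negated destination with an implicit default deny.

```python
import ipaddress

# Constructed addressing (assumption; the thread does not give the subnets)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("192.168.3.0/24")

def rule(proto, src_net, dst_net, dst_negated=False):
    """One pass rule as listed on an interface tab: proto, source, [!]destination."""
    return {"proto": proto, "src": src_net, "dst": dst_net, "neg": dst_negated}

def matches(r, proto, src, dst):
    """True when the packet's protocol, source and (possibly negated) destination fit."""
    if r["proto"] not in ("any", proto):
        return False
    if ipaddress.ip_address(src) not in r["src"]:
        return False
    in_dst = ipaddress.ip_address(dst) in r["dst"]
    return in_dst != r["neg"]

def evaluate(rules, proto, src, dst):
    """A matching pass rule lets the packet out; unmatched traffic hits the default deny."""
    return "pass" if any(matches(r, proto, src, dst) for r in rules) else "block"

# The rule as posted: TCP  WiFiOPT1 net  *  ! LAN net  *  *
TCP_ONLY = [rule("tcp", OPT1_NET, LAN_NET, dst_negated=True)]
# The same rule with the protocol changed to any
ANY_PROTO = [rule("any", OPT1_NET, LAN_NET, dst_negated=True)]

# Constructed sample traffic from a wireless client on OPT1
SAMPLE = [
    ("icmp", "192.168.3.50", "203.0.113.10"),  # ping to an internet host
    ("udp", "192.168.3.50", "203.0.113.53"),   # DNS query to an outside resolver
    ("tcp", "192.168.3.50", "203.0.113.10"),   # HTTP to an internet host
    ("tcp", "192.168.3.50", "192.168.1.10"),   # attempt to reach a LAN host
    ("tcp", "192.168.3.50", "10.0.0.5"),       # another internal net, not LAN
]

def verdicts(rules):
    """Verdict for each SAMPLE packet, in order."""
    return [evaluate(rules, *pkt) for pkt in SAMPLE]

if __name__ == "__main__":
    for name, rs in (("tcp-only", TCP_ONLY), ("any", ANY_PROTO)):
        for pkt, v in zip(SAMPLE, verdicts(rs)):
            print(f"{name:8} {pkt[0]:4} {pkt[1]} -> {pkt[2]:14} {v}")
```

The last sample shows that `! LAN net` excludes only the LAN subnet: any other internal network behind the firewall is still reachable from OPT1 unless a separate block rule sits above the pass rule.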



  • Oops, that was really set to any, as it is now. I copied it when I was testing switching it around, testing other options etc.

    I can ping via pfSense SSH to the server in the DMZ, so I know the NIC works. But some other config is messed up.

    I read the monowall tutorial on DMZs; that is where I got that firewall rule from.

    Do you have any other suggestions?



  • You haven't stated what the problem is.



  • I could be more clear, so here goes. Here is what I stated above: "I want to allow a wireless AP net access from OPT1"

    I can't ping out of the OPT1 interface to the internet. I can ping from pf through the OPT1 interface to the DMZ server. So the NIC works.

    I read the monowall tutorial for DMZs and implemented the firewall rules to allow access to the DMZ to the net. But they are not working in my implementation.

    Thanks in advance for any help and for the above replies.



  • Here is what I did to fix this. I reinstalled pf in a live production environment. I had live hosts attached to all 4 NIC ports. When I tried to implement the firewall rule as listed in the monowall DMZ tutorial without live hosts attached, the NIC would not allow any traffic to the NET. The NICs would allow traffic from the pf SSH console to the LANs, not the other way. I would normally say pf would not need a live host, but this is the third time I tried a fresh install. The third was a charm. And only on the third time did I have a live host attached, so who knows?
    I started with allowing all to all on the LAN2 and LAN3 NICs. Once I knew they were allowing traffic to the net and each other, I tightened them down with allow any traffic to the NET and not the other LANs. Similar to a DMZ.

    Right before the new install I was getting some strange firewall errors in the log. I tried to correct them and then went for a fresh install.

    Now I can have WiFi on its own LAN straight to the net, no access to the other LANs.  ;D 8)



  • Sounds like you had made a bridge somewhere
    but did not have all connections of the bridge plugged in,
    so then the bridge is broken and will not work.



  • Yes, that probably had something to do with it. In the configuration I had in the past bridged some interfaces. It is possible that I did not unbridge them. Who knows? I thought that I did.

