• Hi Everybody,
    I am new to pfSense; I have configured pfSense 2.0 with 2 networks.
    My configuration is like this: 1) Local LAN 192.168.100.0  2) second LAN, which is configured at a remote site, 192.168.10.0
    I just configured these two LANs to access the internet. Both are configured well, but now my second LAN, which is at the far end of the router, is not able to access HTTPS requests, e.g. https://www.gmail.com
    Any request for the https port is not retrieving.
    And I am able to ping gmail.com
    Please help…..
    Thanks in advance


  • That could either be a routing problem, or a firewall rule problem. However as you've told us next to nothing, anybody providing suggestions will be guessing.

    Can you start by providing screenshots of the interface settings and firewall rules for both interfaces please.


  • @Cry:

    That could either be a routing problem, or a firewall rule problem. However as you've told us next to nothing, anybody providing suggestions will be guessing.

    Can you start by providing screenshots of the interface settings and firewall rules for both interfaces please.

    i am attaching another files…







  • @Cry:

    That could either be a routing problem, or a firewall rule problem. However as you've told us next to nothing, anybody providing suggestions will be guessing.

    Can you start by providing screenshots of the interface settings and firewall rules for both interfaces please.




  • Netgate Administrator

    Hmm, unusual configuration you have.

    Your virtual IP is on the LAN interface? It should probably be /24 not /32.

    Try to connect to an https site then check the firewall logs.

    Having never tried this type of configuration I'm not sure whether 'LAN subnet' extends to include the subnet of a virtual IP on lan.  :-\ This would be my first suspect however.

    Steve


• The first problem I see is that the virtual IP is a /32. This means it can only talk to itself. The second is the firewall rule has a source port and destination port of 443. This is not how it works. The originating machine will randomly pick a port higher than 1024 (1925-65534) to initiate the communication. So if the remote system is an https server, then you are going to set up the rule to be source: any, src port: any, destination: <ipaddress>, dest port: 443. If you are not paranoid, then there is an option in Advanced -> Firewall to bypass rules on the same interface, then you will only need to correct the network error.
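To make the two points in this reply concrete, here is an added example (not code from the thread or from pfSense) that evaluates pf-style pass rules against a client HTTPS connection: the posted rule with source port 443 never matches, because the browser uses an ephemeral source port, and a /32 virtual IP does not contain any host of the remote 192.168.10.0/24 LAN. All addresses and ports are constructed sample values.

```python
"""Added example: a minimal first-match rule evaluator for the thread's case."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    src_net: str                 # CIDR the packet's source must fall in
    src_port: Optional[int]      # None means "any"
    dst_port: Optional[int]      # None means "any"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does one pass rule match one TCP SYN (source net, src port, dst port)?"""
    in_net = ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src_net)
    src_ok = rule.src_port is None or rule.src_port == pkt.src_port
    dst_ok = rule.dst_port is None or rule.dst_port == pkt.dst_port
    return in_net and src_ok and dst_ok


def first_match(rules: Sequence[Rule], pkt: Packet) -> Optional[int]:
    """Index of the first rule that matches, as a first-match firewall would pick."""
    return next((i for i, r in enumerate(rules) if matches(r, pkt)), None)


def vip_covers_host(vip_cidr: str, host: str) -> bool:
    """Whether a virtual IP's subnet (e.g. 192.168.10.1/32) contains a LAN host."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(vip_cidr, strict=False)


# Rule as posted in the thread: source port 443 AND destination port 443.
BAD_RULE = Rule("192.168.10.0/24", src_port=443, dst_port=443)
# Corrected rule: source port any, destination port 443.
GOOD_RULE = Rule("192.168.10.0/24", src_port=None, dst_port=443)
# Constructed sample: a browser on the remote LAN opening an https site
# picks an ephemeral source port, never 443.
CLIENT_SYN = Packet("192.168.10.50", src_port=51234, dst_port=443)

if __name__ == "__main__":
    print(matches(BAD_RULE, CLIENT_SYN))                      # False
    print(matches(GOOD_RULE, CLIENT_SYN))                     # True
    print(first_match([BAD_RULE, GOOD_RULE], CLIENT_SYN))     # 1
    print(vip_covers_host("192.168.10.1/32", "192.168.10.50"))  # False
    print(vip_covers_host("192.168.10.1/24", "192.168.10.50"))  # True
```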


  • @stephenw10:

    Hmm, unusual configuration you have.

    Your virtual IP is on the LAN interface? It should probably be /24 not /32.

    Try to connect to an https site then check the firewall logs.

    Having never tried this type of configuration I'm not sure whether 'LAN subnet' extends to include the subnet of a virtual IP on lan.  :-\ This would be my first suspect however.

    Steve

    You're right, I didn't notice that the default allow rule for LAN was at the top. That nullifies the bad FW rule to the server, but you are going to have to create a rule if you are wanting to get out from this other network. Also, you might have to use advanced outbound NAT as well.


  • @stephenw10:

    Hmm, unusual configuration you have.

    Your virtual IP is on the LAN interface? It should probably be /24 not /32.

    Try to connect to an https site then check the firewall logs.

    Having never tried this type of configuration I'm not sure whether 'LAN subnet' extends to include the subnet of a virtual IP on lan.  :-\ This would be my first suspect however.

    Steve

    Thanks for your reply, but I could not change it to /24; it is disabled…


  • @podilarius:

    The first problem I see is that the virtual IP is a /32. This means it can only talk to itself. The second is the firewall rule has a source port and destination port of 443. This is not how it works. The originating machine will randomly pick a port higher than 1024 (1925-65534) to initiate the communication. So if the remote system is an https server, then you are going to set up the rule to be source: any, src port: any, destination: <ipaddress>, dest port: 443. If you are not paranoid, then there is an option in Advanced -> Firewall to bypass rules on the same interface, then you will only need to correct the network error.

    Thanks podilarius,
    I did it…
    It's working now. I changed the firewall rule as you said, src port any, destination port 443, and it is now working.
    But the thing is I am not able to change the virtual IP's network to /24; it is disabled.

    Thanks in advance.

  • Netgate Administrator

    What 'type' of virtual IP are you using?
    If you use 'IP Alias', which is what I would think you should be using, you should be able to specify /24.

    Though if it's working for you perhaps just leave it!  ;)

    Steve