Rules for webgui doesnt seem to work across interfaces!
-
Hello
I use these settings for all of my network interfaces without LAN:http://blog.stefcho.eu/wp-content/uploads/2011/06/pfSense-2.0-RC1-Configure-Captive-Portal-for-Guests-FireWall-Rules-00.pngLan 10.10.10.10 (got default setting from pfense install)
Guest1:10.10.10.20 (settings from the link)
Guest2:10.10.10.30 (settings from the link)Why can I still access the webgui in one interface to another after I have used these settings?
Example im in the Guest1 interface, the rules are working and I cannot get to the webui with this adress:10.10.10.20 or 10.10.10.10 ok its working! But when im trying to access 10.10.10.30 i get full access what to do?
The same thing happens when im in Guest2 interface. I cannot access webgui with 10.10.10.30 or 10.10.10.10 but i can still access the webgui with 10.10.10.20.
Thanks
-
Because you haven't blocked it! ;)
Rather than adding lots of rules this is a good situation to use an alias.
Create a new alias, I called it LOCAL, add all your local subnets to it.
Then change your 'Block Web GUI' rule to:Protocol: TCP
Source: Guests net
Destination: LOCAL
Port: 443There are many ways of accomplishing this, as long as it's logically correct use whatever is most readable for yourself. Fewer rules take less cpu cycles to process.
Steve
-
ah Ok:p
I took a picture you posted in an older post and past it here:P
Why did you choose 192.168.0.0
If my lan: is 192.168.1.1
Guest1:192.168.2.1
Guest2:192.168.3.1
Server:192.168.4.1Will i then use 192.168.0.0 as alias or will i use 192.168.1.0 or will I use all four:
192.168.1.1 and 192.168.2.1 192.168.3.1 and 192.168.4.1And why have you used netmask 16? (192.168.0.0/16)
Thanks
-
@Bebopper:
Why did you choose 192.168.0.0
Because I'm lazy. :P
192.168.0.0/16 is a subnet including all of 192.168..
So it includes all of my local interface subnets. It also includes a load of address space I'm not using which is bad. A better way is to enter each subnet individually so that only your used space is in the alias but this is quicker and I'm lazy. ;)Steve
-
hehe
Im sorry for my late answer I havent have time before know!
Thanks !!
Then I learned something new!
