Are my rules OK ?



  • Hi All,

    I need your expertise for following problem.

    The initial DHCP setup for LAN1 was 128 available IPs (255.255.255.128); then it needed to be expanded to 256 available IPs (255.255.255.0).

    After this change, any workstation which still has the old DHCP settings (.128) is still able to connect to the internet, but whichever has the new settings (.0) fails to connect to the internet, although it gets the right IP address, right subnet, right default gateway and DNS address. So I focused on the firewall rules, which are shown below.

    So I am wondering if I am missing something in my firewall rules?
    Thank you in advance for your time.

    Permissions  Purpose                          Protocol  Source  Port  Destination           Port  Gateway
    Block        Blocking LAN1 to LAN2            *         LAN1    *     LAN2                  *     *
    Block        Blocking LAN1 to LAN3            *         LAN1    *     LAN3                  *     *
    Block        Blocking LAN1 to PFSense Webgui  TCP       LAN1    *     LAN1 Default gateway  80    *
    Allow        Allowing LAN1 to traffic         *         LAN1    *     *                     *     *



  • Basic question: did you change the LAN1 CIDR from a /25 to a /24? If LAN1 in the rules below is an alias, did you change the alias to match the new subnet? Perhaps more specifics would help.



  • Hi,

    Thank you for your reply.

    There is no alias actually; I put LAN1, LAN2, LAN3 so as not to confuse you with IPs. They represent 10.0.0.1, 10.0.1.1, and 10.0.2.1 respectively. I only changed the CIDR on the interface page, and configured the DHCP according to that.

    Am I supposed to make more changes anywhere else?

    Thanks



  • That depends on the firewall rules. If the LAN1 source is 10.0.0.1/25, then anything below 10.0.0.128 will be blocked. In which case you need to change the rule to 10.0.0.1/24 so that all traffic from 10.0.0.0-255 will be allowed. Your block rules need to be adjusted as well. You will also need to adjust any manual outbound NAT rules you have put in place.
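An added simulation (not pfSense code and not from any poster) of how first-match rule evaluation treats the rule table above when the source stays at the old /25 versus the new /24. It assumes LAN2 and LAN3 are 10.0.1.0/24 and 10.0.2.0/24 based on the gateway addresses given, and ignores protocol and outbound NAT.

```python
import ipaddress

# Constructed rule table mirroring the LAN1 tab in the thread, in the same order.
# Each rule: (action, source network, destination network or None for "any", dst port or None)
def make_rules(lan1_source_cidr):
    # pfSense treats "10.0.0.1/25" as the network 10.0.0.0/25; strict=False does the same here
    lan1 = ipaddress.ip_network(lan1_source_cidr, strict=False)
    return [
        ("block", lan1, ipaddress.ip_network("10.0.1.0/24"), None),  # LAN1 -> LAN2 (assumed net)
        ("block", lan1, ipaddress.ip_network("10.0.2.0/24"), None),  # LAN1 -> LAN3 (assumed net)
        ("block", lan1, ipaddress.ip_network("10.0.0.1/32"), 80),    # LAN1 -> webgui on the gateway
        ("pass",  lan1, None, None),                                  # LAN1 -> anything else
    ]

def evaluate(rules, src, dst, dport=None):
    """First matching rule wins, as on a pfSense interface tab; no match falls to the implicit deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, src_net, dst_net, port in rules:
        if src_ip not in src_net:
            continue
        if dst_net is not None and dst_ip not in dst_net:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "block"  # implicit default deny

def unmatched_leases(leases, rules):
    """Lease addresses that match no rule's source network, i.e. hosts that hit the implicit deny."""
    return [ip for ip in leases if not any(ipaddress.ip_address(ip) in r[1] for r in rules)]

if __name__ == "__main__":
    # Constructed sample leases: one from the old half of the range, two from the newly added half
    leases = ["10.0.0.50", "10.0.0.130", "10.0.0.200"]
    print("stale /25 source, orphaned leases:", unmatched_leases(leases, make_rules("10.0.0.1/25")))
    print("updated /24 source, orphaned leases:", unmatched_leases(leases, make_rules("10.0.0.1/24")))
```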



  • Hi,
    Thank you for your reply. You were right, Manual Outbound NAT was the issue. Thanks so much. Seems all good now.

    One last question regarding your other suggestions: if I assign a name to interface 10.0.0.1 as LAN1 and do the CIDR changes at interface level, do I still need to make changes to the rules at IP level?



  • In your rules where you set 10.0.0.1/24, there is an option of LAN1 subnet instead of Network. This way, if you change the CIDR, you would only need to change the interface, DHCP, and Manual outbound NAT. It is only one less, but it is also one less. Unfortunately, you cannot use an alias in outbound NAT, and DHCP is a manual setup anyway.



  • Great!!!

    Again thanks a million for your help and time.

