Firewall LAN rule issue (basic config in doc) [SOLVED]



  • Hello, thanks for reading this. I will try not to waste your time with unnecessary blabbering.
    The issue is the following:
    http://doc.pfsense.org/index.php/Example_basic_configuration
    doesn't seem to work, as in the firewall only allows LAN to WAN traffic when the "Default allow LAN to any" rule is active.
    Yet as far as I can tell my general setup is exactly the same as in countless guides as well as the wiki.
    So I suppose a simple problem easily overlooked?

    Any help is appreciated!

    2.0.2 PfSense
    nanobsd, embedded(with VGA) on regular i386 system
    DHCP used (for now)
    NAT is on Automatic (not changed from stock)
    No Virtual IPs used
    No Aliases added
    WAN rules are simple stock setup, (nothing changed)
    OPT1(DMZ) not in use until this is solved/not pertaining to question

    Lan rules:



  • Is your WAN using a private address or is it getting a live internet IP address?



  • @podilarius:

    Is your WAN using a private address or is it getting a live internet IP address?

    Thanks for your response!

    WAN(interface) is using(getting) a private address from a Cable Modem(Cisco) (not Bridged at the moment).

    Hmmm, I'm thinking you're on to something. (Not completely sure what, though.)
    Unless it's the WAN rules (below) that are wrong.



  • First WAN rule is your problem, it's blocking any IPs inside these networks: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
    Disable that rule, but notice that it's a bit different than a regular rule



  • @Metu69salemi:

    First WAN rule is your problem, it's blocking any IPs inside these networks: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
    Disable that rule, but notice that it's a bit different than a regular rule

    Ok, thanks, I'm testing that now (guessed that was what you were getting at).
    (Removing, resetting, changing that rule; it is however not devised by myself but the one you get as a result of ticking the "Block private networks" and "Block bogon networks" boxes in the WAN settings.)

    It does seem like that should be an issue, however I'm not seeing good results
    (no change with it on or off, even though I understand it shouldn't be activated since it's blocking the IP of the WAN interface).

    Gonna clear states, etc. a few more times or something to be completely sure, but it still seems I need the allow all rule in the LAN table to get anything out of LAN.



  • @PereatMundus:

    Ok, thanks, I'm testing that now (guessed that was what you were getting at).
    (Removing, resetting, changing that rule; it is however not devised by myself but the one you get as a result of ticking the "Block private networks" and "Block bogon networks" boxes in the WAN settings.)

    Podilarius got the idea, I just "shouted from another table"

    @PereatMundus:

    It does seem like that should be an issue, however I'm not seeing good results
    (no change with it on or off, even though I understand it shouldn't be activated since it's blocking the IP of the WAN interface).

    Gonna clear states, etc. a few more times or something to be completely sure, but it still seems I need the allow all rule in the LAN table to get anything out of LAN.

    Is your pfSense getting its IP by DHCP, and what IP subnets are you using on WAN and LAN? Those can't be the same subnet.



  • @Metu69salemi:

    @PereatMundus:

    Ok, thanks, I'm testing that now (guessed that was what you were getting at).
    (Removing, resetting, changing that rule; it is however not devised by myself but the one you get as a result of ticking the "Block private networks" and "Block bogon networks" boxes in the WAN settings.)

    Podilarius got the idea, I just "shouted from another table"

    Ahh, I was too excited someone replied to double-check it was the same person. :)

    @Metu69salemi:

    @PereatMundus:

    It does seem like that should be an issue, however I'm not seeing good results
    (no change with it on or off, even though I understand it shouldn't be activated since it's blocking the IP of the WAN interface).

    Gonna clear states, etc. a few more times or something to be completely sure, but it still seems I need the allow all rule in the LAN table to get anything out of LAN.

    Is your pfSense getting its IP by DHCP, and what IP subnets are you using on WAN and LAN? Those can't be the same subnet.

    Is your pfSense getting its IP by DHCP:
    Yes and no, tried both, on DHCP now. No difference in my issues whether it's DHCP or not.

    What IP subnets are you using on WAN and LAN? Those can't be the same subnet:
    WAN is 192.168.0.0/16
    LAN is 192.168.1.0/16
    DMZ is 192.168.2.0/16

    Not the same

    Internet [Public IP] >[Cisco Broadband Cable Modem/Router]192.168.0.1>(DHCP)>192.168.0.0/16> PFsense WAN 192.168.0.10 > PfSense LAN Interface 192.168.1.1

    Or in a less silly way to put it:
    Cisco Cable modem/switch gives 192.168.0.0/16
    to PfSense WAN
    PfSense gives 192.168.1.0/16 to LAN
    and 192.168.2.0/16 to DMZ

    Edit:
    I'm reiterating the issue to try and keep things clear:
    Everything works fine.
    But only when the "allow all" firewall rule is active on the LAN interface.

    And it would be nice not having it there :)



  • Ok…

    Seems I need to have much more patience with the firewall when clearing states etc.
    After I took a looong time resetting each and every setting (turn off/on) that I
    could possibly imagine having an influence over the problem,
    it all worked out.

    As in, my original problem and only issue is solved.
    Logically the first idea should be done (unchecking Block private networks), since one side, pfSense (WAN), was 192.0.0/16 and the other two were 1.0/16 and 2.0/16.
    But I fail to see why this setting did not matter when an "allow all from LAN" rule was present on the LAN interface.
    Logically, shouldn't it completely turn off all traffic no matter what rules were chosen on LAN?

    In any case... I feel like I did the manoeuvre of whacking the box with a software hammer and it magically started working (edit: Russian style, although I'm a Swede).
    A good and bad thing, because I really wanna know why the blasted thing just all started working, as I thought it would have from the beginning.

    It's always good to learn from mistakes, correlation … causation thing... hrmmm.

    Thanks to all who helped. If you have any idea why it just works, please let me know. (Did all the usual stuff after changing the setting, clear states, reboot etc.)



  • @PereatMundus:

    Wan is 192.168.0.0/16
    LAN is 192.168.1.0/16
    DMZ is 192.168.2.0/16
    Not the same

    If your subnets are really /16, then they are all in the same subnet. /24s are different subnets in this subnetting scheme.

    Edit: Typo
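To make the two points raised in this thread concrete (the /16 prefixes above all collapse to the same network, and the WAN address from the "Block private networks" rule discussion falls inside RFC 1918 space), here is an added Python check; it is not code from the thread or from pfSense, and the interface names and addresses are taken from the poster's description.

```python
import ipaddress

# Constructed from the thread: the subnets as the poster wrote them (/16)
# and the same interfaces with the /24 mask the reply says is intended.
STATED_SUBNETS = {"WAN": "192.168.0.0/16", "LAN": "192.168.1.0/16", "DMZ": "192.168.2.0/16"}
FIXED_SUBNETS = {"WAN": "192.168.0.0/24", "LAN": "192.168.1.0/24", "DMZ": "192.168.2.0/24"}

# The three ranges the WAN "Block private networks" rule matches (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalised(subnets):
    """Map interface -> canonical network. strict=False drops host bits, so
    192.168.1.0/16 becomes 192.168.0.0/16, which is the reply's whole point."""
    return {name: str(ipaddress.ip_network(cidr, strict=False)) for name, cidr in subnets.items()}


def overlapping_pairs(subnets):
    """Interface pairs whose subnets overlap; an empty list means the
    interfaces really are distinct networks."""
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def blocked_by_private_rule(address):
    """True if a packet sourced from `address` arriving on WAN would match
    the auto-generated 'Block private networks' rule. With a double-NAT
    modem handing pfSense a private WAN address, this rule is worth reviewing."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


if __name__ == "__main__":
    print("as stated:", normalised(STATED_SUBNETS), overlapping_pairs(STATED_SUBNETS))
    print("with /24:", normalised(FIXED_SUBNETS), overlapping_pairs(FIXED_SUBNETS))
    # 192.168.0.10 is the pfSense WAN address the poster gave.
    print("WAN 192.168.0.10 matches private-networks rule:", blocked_by_private_rule("192.168.0.10"))
```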



  • @Metu69salemi:

    @PereatMundus:

    Wan is 192.168.0.0/16
    LAN is 192.168.1.0/16
    DMZ is 192.168.2.0/16
    Not the same

    If your subnets are really /16, then they are all in the same subnet. /24s are different subnets in this subnetting scheme.

    Edit: Typo

    So, it is. Sorry for being sloppy with the copy paste. I need more coffee :)
    Edit: and thanks for checking back with my progress with this :)

