Firewall - LAN rule



  • Me again :)

Problem: when I disable the LAN rule to any, I don't have internet.
    INTERNET-NOK

When I leave the rule enabled, the internet works fine (I based my rule on the following URL: http://doc.pfsense.org/index.php/Example_basic_configuration)
    INTERNET-OK

2 NICs available (WAN and LAN)
    LAN = 10.0.0.1/16
    WAN = ISP provider (DHCP)

I'm pretty sure that my question is already answered in this section, but I'm not able to find the right answer because most people are using far more complicated constructions than I do :)

  • You don't actually state what you're trying to do, but at the very least you need a DNS server accessible to the computers on the LAN - port 53 TCP and UDP.



  • Based on this one http://doc.pfsense.org/index.php/Example_basic_configuration

I thought it would be useful to allow just the traffic needed from the LAN to WAN…



  • That's exactly the right approach, but you need to ensure that all the basics work. DNS is absolutely essential and while you've allowed the FTP control port through, you haven't allowed enough for FTP to actually work. Then you've allowed IMAP and POP3, but not their SSL variants (ports 993 and 995 from memory).

    Start by ensuring that your LAN DNS server can communicate. Then you may want to consider running a packet capture (summarised will do) for at least a full day then pull out all the remote ports used. You can use that list to identify what you really need to let out. My personal experience is that the simplest approach is:

    1. Have a single DNS server on the network and allow it through the firewall
    2. Install a proxy server
3. Don't allow 25/TCP outbound, but allow 587/TCP (mail submission), to cut down the risk of being a spam source
    4. Allow POP3 and IMAP on both their plain/TLS and SSL ports

    At that point you've covered most of the business centric uses, though you may also want to set pfSense as an NTP server and have the hosts on the LAN use it for their time source (all current versions of Windows have NTP support built in and configured to use Microsoft's servers by default).


  • LAYER 8 Global Moderator

And do you need IMAP and/or POP3??  That is a simple example of how to create different rules.  Guess I should edit to list DNS - because it seems that is not obvious enough that you would have to be able to resolve stuff to get there ;)

If you want to lock down your internet access, then you need to understand what ports YOU and your users require; there is not going to be some standard config that works for all cases, etc.

If what you want is basic browsing of the internet, then allow 80 and 443 TCP.  And you're going to need DNS to resolve those websites - if pfSense is acting as your DNS, then you can set your rule to TCP/UDP 53 to LAN address; if pfSense is not your DNS, then set it to TCP/UDP 53 any.

edit: edited the article to state you need to allow for DNS.  Not the cleanest wording, but should get the message across.
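Pulling the advice from the two replies above into one concrete ruleset, as an added example that is not from the thread, from pfSense or from its documentation: a hand-written pf.conf fragment in pfSense's underlying packet-filter syntax (pfSense generates its own pf rules from the GUI, so this is an equivalent, not what the appliance emits). It assumes em0 is WAN, em1 is LAN, pfSense is the LAN's DNS and NTP server, and the 10.0.0.0/16 LAN from the opening post.

```pf
# Added example, not pfSense's generated ruleset. Interface names (em0 = WAN,
# em1 = LAN) and the 10.0.0.0/16 LAN from the first post are assumptions.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "10.0.0.0/16"

# The stock pfSense LAN rule the thread starts from: everything out.
# Left commented out; this is the "LAN to any" rule being removed.
# pass in quick on $lan_if from $lan_net to any keep state

# Default for LAN traffic once the allow-all rule is gone: drop and log,
# so blocked flows show up in the firewall log while the policy is tuned.
block in log on $lan_if

# "quick" gives first-match, top-down evaluation, the same semantics as
# rules entered in the pfSense GUI.

# DNS must work before anything else. pfSense is the resolver here, so the
# destination is the LAN interface address only ("LAN address" in the GUI),
# not "any". With an external resolver the destination would have to be "any".
pass in quick on $lan_if proto { tcp udp } from $lan_net to ($lan_if) port 53 keep state

# NTP to pfSense, so LAN hosts take their time from it.
pass in quick on $lan_if proto udp from $lan_net to ($lan_if) port 123 keep state

# Basic web browsing.
pass in quick on $lan_if proto tcp from $lan_net to any port { 80 443 } flags S/SA keep state

# Mail: submission on 587 instead of 25 (an infected LAN host then cannot act
# as a direct spam source), plus POP3/IMAP on both their plain and SSL ports.
# The explicit block on 25 exists only to log attempts; the default block
# would drop it anyway.
block in log quick on $lan_if proto tcp from $lan_net to any port 25
pass in quick on $lan_if proto tcp from $lan_net to any port { 587 110 995 143 993 } keep state

# FTP is deliberately absent: passing the control channel (21) alone is not
# enough, because the data channel uses a separately negotiated port.
```

Because the default rule logs what it drops, the firewall log becomes the "pull out all the remote ports used" list suggested earlier: anything legitimate that stops working appears there with its destination port, and gets its own narrow pass rule rather than a return to allow-all.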



Already!!!!

I've finally eliminated the LAN to ANY rule and the internet is still working :)
    Check this one out :) *** pfsense-012 ***

Hehe, one for the road (maybe a stupid one, but keep in mind I'm a NOOB ???)

Should I also have WAN rules? Or is WAN the ISP provider, so let's go?
    *** pfsense-013 ***

Thank you all for reading and answering; hopefully somebody else is also getting something out of this post :)
  • Do go read the fine documentation found from the pfSense home page ;)

    The basics look good, but FTP still won't work since it requires multiple ports. You may want to read up on it to find out how it works and why getting it working through a restrictive firewall is non-trivial.

    As for the WAN interface - you only need rules there if you're running services from your network, providing them to devices on the Internet.


  • LAYER 8 Global Moderator

Again, I don't think you have a clue about what you actually need..  So you have 25 open - are you using that?  Do you even know what SMTP is?

    So someone mentions the SSL versions of pop and imap and you open those??  Do you NEED THEM?

Generally speaking, for a HOME connection there is little reason to edit the default allow-all rule.. Since you clearly don't understand what you're clicking on, you're just asking for trouble down the road when something you want to work doesn't work.



Excuse me if I'm no pfSense or network guru  ???

    Basically what I'm trying to do is see what is possible … The future is hosting multiple drupal sites on a virtual platform ...

    I'm perfectly aware that there are more ports open than needed

    By the way -> SMTP = Simple Mail Transfer Protocol (send mail through internet)

@Cry Havok thank you for being patient