Command line to gui, pf rules
-
Thanks, but I changed the source ports to 'any', still no luck.
It is sometimes necessary to reset firewall states after rule changes. See Diagnostics -> States, click on the Reset States tab, read it and click on the Reset button.
How are you testing? Sometimes people test port forwards from the LAN side of pfSense forgetting that the port forward applies to connects entering the box on the WAN interface.
-
I have been trying from outside of the network using external proxies.
I shall try with resetting the states and then let know.
-
Thanks, but I changed the source ports to 'any', still no luck.
It is sometimes necessary to reset firewall states after rule changes. See Diagnostics -> States, click on the Reset States tab, read it and click on the Reset button.
Thanks wallabybob for your help which made it finally. It is worth mentioning in the documentation to avoid confusion to the already confused ones like me (who came from simple command lines, where a simple reload of conf is enough). ;-)
A lesson learnt today!
-
Is there a special way to configure pfSense LAN and DMZ to work with hub and crossover cable?
Scenario to this question:
I am testing with crossover cable. Once DMZ and LAN work with a single machine attached to each, I will try to move the pfSense box to production, where DMZ and LAN are connected to hubs which are configured accordingly.
When I connect crossover cables to the DMZ and LAN zones, the internet connection is fine. Once any hub configured as per the LAN or DMZ subnet is connected, they cannot reach the internet, nor does the port forward to DMZ machines work.
Is there a special way to make it work in pfSense GUI? Thanks!
-
That is a hardware thing. Newer hardware usually auto-detects the cable and sorts out swapping Tx/Rx pairs if needed - when you have a straight cable between 2 end-user systems. But on older hardware you have to use a crossover cable for a direct connect.
Switches are wired the opposite way to end-user systems - so a direct cable works, Tx on the switch is Rx on the end-user system and vice-versa.
General rules:
- straight cable from end-user system to a switch
- crossover cable between end-user systems (or between switches)
- with modern hardware it often works anyway, whatever you do
-
@Phil: Thanks.
But I have all modern hardware. So it should work in principle. But not in reality, that is why I was wondering whether I need to further configure something.
pfSenseWAN portforwarded to DMZ >>connected with crossover cable >>webserver, WORKS.
pfSenseWAN portforwarded to DMZ >> connected to >> hub with direct cable >> webserver, Does not work.
Same with LAN (just replace DMZ with LAN, but not port forwarded, and DMZ is not allowed to LAN using firewall rules).
Where did I go wrong?
-
If they are just dumb hubs or switches, then they should work with straight cables from pfSense to switch and web server to switch. It has to be a dodgy cable, switch port or…
If it is a managed switch, with the possibility of making VLANs, turning ports on and off, limiting devices by MAC address... then that's another ball game, and you would have to make sure you know what is configured on the switch, or set it back to factory default "connect everything to everything mode".
Not sure I can be much more help remotely, as it does sound like a switch/connection/cable fault-finding exercise.
-
To put it precisely, I am just trying to switch from shorewall+other command line UTM utilities to pfSense for the ease of other members to configure the network.
The network is working without any problem with shorewall. Right now I am just swapping the cables from shorewall box to pfSense box to test. I do not think it is associated with any hardware or configs that is lying behind the pfSense box. It is something that I may be confused with the GUI.
Anyway, thanks Phil for taking your invaluable time to comment.
-
pfSenseWAN portforwarded to DMZ >> connected to >> hub with direct cable >> webserver, Does not work.
Do you mean HUB or SWITCH? A hub is not the same as a switch and I suspect that some combinations of FreeBSD NIC drivers and interfaces MIGHT have trouble negotiating data rates with HUBS.
Please post the output of the following pfSense shell commands with DMZ connected to hub with direct cable:
```
/etc/rc.banner
ifconfig
netstat -i -b -d
```
so we can see what types of interfaces you have and what has been negotiated.
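As an added example (not part of the thread, and not pfSense's own tooling), the script below does what the post above asks for in a slightly more automated way: it can run the requested commands on the pfSense box itself, and it contains a small awk parser that reads FreeBSD `ifconfig` output and flags the two conditions relevant to the hub question, a half-duplex link (what a hub or a failed autonegotiation typically produces) and an interface with no carrier. The `ifconfig` text embedded in the script is constructed for offline demonstration, not captured from a real box; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: summarize link negotiation from FreeBSD/pfSense `ifconfig`
# output. Runs offline against a constructed sample by default; pass --live on
# a pfSense box to run the real diagnostic commands instead.

# summarize_links: reads ifconfig output on stdin and prints one line per
# interface that reports a media line: "<iface> | <media> | <status> [WARN ...]".
summarize_links() {
    awk '
        function flush() {
            if (iface != "" && media != "") {
                warn = ""
                if (media ~ /half-duplex/) warn = " WARN: half-duplex (hub or failed autonegotiation)"
                if (status ~ /no carrier/) warn = warn " WARN: no link"
                print iface " | " media " | " status warn
            }
            iface = ""; media = ""; status = ""
        }
        /^[a-z0-9]+: flags=/ { flush(); iface = $1; sub(/:$/, "", iface); next }
        /^[ \t]+media:/       { sub(/^[ \t]+media: /, ""); media = $0; next }
        /^[ \t]+status:/      { sub(/^[ \t]+status: /, ""); status = $0; next }
        END { flush() }
    '
}

# count_warnings: number of interfaces the summary flagged (ifconfig text on stdin).
count_warnings() {
    summarize_links | grep -c 'WARN' || true
}

# collect_live: the commands asked for in the thread, run on the pfSense box.
collect_live() {
    /etc/rc.banner
    ifconfig
    netstat -i -b -d
}

# Constructed sample (not real output): em0 negotiated gigabit full-duplex,
# em1 fell back to 10 Mbit half-duplex as it would on a hub, em2 has no link.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:56
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        media: Ethernet autoselect (10baseT/UTP <half-duplex>)
        status: active
em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:57
        media: Ethernet autoselect
        status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

if [ "${1:-}" = "--live" ]; then
    collect_live
    echo "--- link summary ---"
    ifconfig | summarize_links
else
    printf '%s\n' "$SAMPLE_IFCONFIG" | summarize_links
fi
```

On the sample, the summary prints three lines (lo0 has no media line and is skipped) and flags em1 and em2. On a real box, a DMZ interface that shows half-duplex after being moved from the crossover cable to the hub is the first thing to compare against the `netstat -i` collision and error counters.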
-
Tell us about the DMZ system(s). What state are their interfaces? Do they configure by DHCP?
I have seen cases where systems that get their configuration by DHCP go "offline" if disconnected for "too long": the DHCP client gives up permanently after a certain number of tries that don't solicit a response.