• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

How to allow only one computer from LAN to OPT interface

Scheduled Pinned Locked Moved Firewalling
18 Posts 3 Posters 7.6k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    sujyo1
    last edited by Nov 6, 2013, 5:08 AM Nov 6, 2013, 2:40 AM

    Hello pfsense guru please help me…
    New to pfsense. After config my firewall rules as follows (learn form diff forum). I can't access to my access points connected to OPT from my desk top connected to LAN interface. I am not able to configure my access points from my desktop. please advise me how to fix this and which rules are not needed...Thanks

    DASHBOARD

    WAN(DHCP)      up 1000baseT <full-duplex 192.168.0.13="" <br="">LAN                   up  1000baseT <full-duplex>192.168.1.1
    HOTSPOT          up  1000baseT <full-duplex>10.10.10.1

    Version 2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:50 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    You are on the latest version.
    Platform pfSense
    CPU Type Intel(R) Atom(TM) CPU N280 @ 1.66GHz
    2 CPUs: 1 package(s) x 1 core(s) x 2 HTT threads
    Uptime 21 Days 03 Hours 06 Minutes 46 Seconds
    Current date/time
    Tue Nov 5 20:08:09 CST 2013
    DNS server(s) 127.0.0.1
    97.64.183.164
    97.64.209.37
    192.168.0.1
    Last config change Thu Oct 31 21:04:46 CDT 2013

    FIREWALL RULES: LAN

    ID Proto Source Port Destination Port Gateway Queue Schedule Description
              *             *           * LAN Address 443 80 22 *   *               Anti-Lockout Rule
    IPv4+6 TCP/UDP LAN net * HOTSPOT net * * none   Allow LAN to HOTSPOT
    IPv4 * LAN net * * * * none   Default allow LAN to any rule

    FIREWALL RULES: OPT (HOTSPOT)

    ID  Proto           Source       Port Destination Port Gateway Queue Schedule Description

    allow IPv4+6 TCP/UDP HOTSPOT net * LAN net * * none   Allow LAN to HOTSPOT

    X IPv4+6 TCP/UDP HOTSPOT net * * 135 * none   HOTSPOT Block to NetBIOS

    X IPv4+6 TCP/UDP HOTSPOT net * * 137 - 139 * none   HOTSPOT Block to NetBIOS

    X IPv4 TCP/UDP HOTSPOT net * * 445 (MS DS) * none   HOTSPOT Block to NetBIOS

    X IPv4+6 TCP/UDP HOTSPOT net * HOTSPOT address 443 (HTTPS) * none HOTSPOT Block to Web GUI

    X IPv4+6 TCP/UDP HOTSPOT net * WAN address * * none   HOTSPOT Block to WAN Adress

    X IPv4+6 TCP/UDP HOTSPOT net * WAN net * * none   HOTSPOT Block to WAN subnet

    X IPv4+6 TCP/UDP * * LAN net * * none   Deny HOTSPOT Traffic to LAN

    allow IPv4 * * * WAN address * * none   Allow All Traffic

    allow IPv4+6 TCP/UDP HOTSPOT net * * * * none   Default allow OPT(HOTSPOT) to any rule</full-duplex></full-duplex></full-duplex>

    1 Reply Last reply Reply Quote 0
    • T
      timthetortoise
      last edited by Nov 6, 2013, 6:37 PM

      Going from your LAN rules, you should be able to access your OPT network simply from

      IPv4 *    LAN net    *    *    *    *    none         Default allow LAN to any rule 
      

      How are you testing whether you are able to access it? The rule

      allow IPv4+6 TCP/UDP    HOTSPOT net    *    LAN net    *    *    none         Allow LAN to HOTSPOT
      

      in your OPT1 interface should not be in there if you want to block OPT1 traffic to LAN. Remember that firewall rules apply to incoming packets unless it's a floating outgoing rule. As it is set up now, the firewall should be passing traffic from LAN to OPT1, and vice versa. You likely have a problem elsewhere, most likely in either your testing methodology or your routing.

      1 Reply Last reply Reply Quote 0
      • S
        sujyo1
        last edited by Nov 6, 2013, 11:44 PM Nov 6, 2013, 11:42 PM

        Thanks for reply timthetortoise.

        ''Going from your LAN rules, you should be able to access your OPT network''
        That's the problem… I am able to go on 10.10.10.1 form LAN (desktop), but some how I can't access to my access point (10.10.10.4 access point IP) from LAN. There are no other rules there...

        '' in your OPT1 interface should not be in there if you want to block OPT1 traffic to LAN ''
        yes I want to block OPT1 to LAN.

        '' You likely have a problem elsewhere, most likely in either your testing methodology or your routing ''
        I am testing https://10.10.10.4 in browser to log in to my access point. also try http://10.10.10.4 but no luck
        If I use https://10.10.10.1 then pfsense log in page show up.

        If you need other info please let me know...Thanks

        1 Reply Last reply Reply Quote 0
        • T
          timthetortoise
          last edited by Nov 7, 2013, 1:39 PM

          Is your default gateway set on the access point?

          1 Reply Last reply Reply Quote 0
          • S
            sujyo1
            last edited by Nov 8, 2013, 8:44 PM

            ''Is your default gateway set on the access point?''

            Here is my set up…

            ISP (cable)


            Cisco modem+router(DPC3825 DOCSIS 3.0 Wireless) set wire less off & dhcp enable 192.168.0.1


            pfsense box WAN set to auto ip


            LAN 192.168.1.1/24 connected to netgear managed 8 port gigabit switch GS108T-v2 for all hardwire 2 computers, dvr, tv


            OPt1 10.10.10.1/24 captive portal enable connected to netgear gigabit switch GS108 for all wireless 4 engenius access points ECB600 set to static ip 10.10.10.2,3,4,5


            pfsense packages installed

            Cron Services Available: 0.1.8 Installed: 0.1.7

            iperf Network Management 2.0.5

            pfBlocker Firewall 1.0.2

            Sarg Network Report  Installed: 2.3.6 pkg v.0.6.3

            squid  Network 2.7.9 pkg v.4.3.3

            Thanks…

            1 Reply Last reply Reply Quote 0
            • T
              timthetortoise
              last edited by Nov 8, 2013, 9:04 PM

              Again, what is the default gateway on your access points? If it's not 10.10.10.1, they will not be able to communicate with your 192.168.1.x network.

              1 Reply Last reply Reply Quote 0
              • S
                sujyo1
                last edited by Nov 8, 2013, 9:19 PM Nov 8, 2013, 9:10 PM

                ''Again, what is the default gateway on your access points? If it's not 10.10.10.1, they will not be able to communicate with your 192.168.1.x network.''

                YES all access point's default gateway is set to 10.10.10.1

                access point set up

                IP: 10.10.10.2
                DHCP: disable
                subnet: 255.255.255.0
                default gateway: 10.10.10.1
                dns: 10.10.10.1

                thanks…

                1 Reply Last reply Reply Quote 0
                • S
                  sujyo1
                  last edited by Nov 8, 2013, 9:35 PM

                  I am able to login into pfsense box from my desktop if i type https://10.10.10.1
                  I am able to ping access point 10.10.10.4 form my desk top !! but can't login in to access point!!

                  1 Reply Last reply Reply Quote 0
                  • L
                    l3lu3
                    last edited by Nov 10, 2013, 4:30 PM

                    When you try to browse to 10.10.10.4 what is the error given? Timeout? Rejected?

                    1 Reply Last reply Reply Quote 0
                    • S
                      sujyo1
                      last edited by Nov 10, 2013, 6:26 PM

                      Using Chrome

                      Oops! Google Chrome could not connect to 10.10.10.4

                      Try reloading: 10.­10.­10.­4

                      Using IE

                      This page can't be displayed

                      •Make sure the web address http://10.10.10.4 is correct.
                      •Look for the page with your search engine.
                      •Refresh the page in a few minutes.

                      Fix connection problems

                      1 Reply Last reply Reply Quote 0
                      • S
                        sujyo1
                        last edited by Nov 10, 2013, 6:33 PM

                        Pfsense box LAN interface is set to https
                        OPT1 interface is set to https but on OPT1 interface the Captive Portal is set to http.

                        Is this set up can cause this problem??

                        1 Reply Last reply Reply Quote 0
                        • S
                          sujyo1
                          last edited by Nov 12, 2013, 4:33 AM

                          Please….any pf guru help me on this issue this is real headache for me. trying since 3 days!
                          I remove all rules just keep the basic rules then restart box still can't log in in to access point!!!

                          1 Reply Last reply Reply Quote 0
                          • T
                            timthetortoise
                            last edited by Nov 12, 2013, 2:39 PM

                            Download nmap and do a port scan of the access point. Make sure HTTPS is actually showing up. If it's not, but other ports are and/or you can ping it without any special rules, you've got a problem not related to pfSense.

                            1 Reply Last reply Reply Quote 0
                            • S
                              sujyo1
                              last edited by Nov 12, 2013, 8:57 PM Nov 12, 2013, 8:55 PM

                              Thanks for reply…run scan interface-any, scan method-tcp, (can't run scan method-SYN)
                              also I set LAN & OPT1 both to http

                              Running: /usr/local/bin/nmap  -sT '10.9.88.2'

                              Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-12 14:50 CST
                              Nmap scan report for 10.9.88.2
                              Host is up (0.0037s latency).
                              Not shown: 998 closed ports
                              PORT  STATE SERVICE
                              23/tcp open  telnet
                              80/tcp open  http
                              MAC Address: xx:xx:xx:xx:xx:xx(Senao International Co.)

                              Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds

                              1 Reply Last reply Reply Quote 0
                              • T
                                timthetortoise
                                last edited by Nov 13, 2013, 3:31 AM

                                So since port 443 isn't open, why would you be able to connect to HTTPS? Try to connect to http://10.10.10.4

                                1 Reply Last reply Reply Quote 0
                                • S
                                  sujyo1
                                  last edited by Nov 13, 2013, 9:21 PM Nov 13, 2013, 9:01 PM

                                  Thanks for reply…

                                  Finally I have found the answer...my captive portal was the problem... so I just allow(pass through) my desktop's mac & adress in to captive portal setting and done...Thank you guys for your help

                                  1 Reply Last reply Reply Quote 0
                                  • T
                                    timthetortoise
                                    last edited by Nov 13, 2013, 9:20 PM

                                    Unless you have settings on your client machine that you're not revealing, don't know what to tell you. Good luck with it.

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      sujyo1
                                      last edited by Nov 13, 2013, 9:23 PM

                                      Thanks for quick reply timthetortoise…

                                      Finally I have found the answer...my captive portal was the problem... so I just allow(pass through) my desktop's mac & adress in to captive portal setting and done...Thank you for your help

                                      1 Reply Last reply Reply Quote 0
                                      1 out of 18
                                      • First post
                                        1/18
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                        This community forum collects and processes your personal information.
                                        consent.not_received