How to allow only one computer from LAN to OPT interface

sujyo1 · Nov 6, 2013, 5:08 AM

Hello pfsense guru please help me…
New to pfsense. After config my firewall rules as follows (learn form diff forum). I can't access to my access points connected to OPT from my desk top connected to LAN interface. I am not able to configure my access points from my desktop. please advise me how to fix this and which rules are not needed...Thanks

DASHBOARD

WAN(DHCP) up 1000baseT <full-duplex 192.168.0.13="" <br="">LAN up 1000baseT <full-duplex>192.168.1.1
HOTSPOT up 1000baseT <full-duplex>10.10.10.1

Version 2.1-RELEASE (i386)
built on Wed Sep 11 18:16:50 EDT 2013
FreeBSD 8.3-RELEASE-p11

You are on the latest version.
Platform pfSense
CPU Type Intel(R) Atom(TM) CPU N280 @ 1.66GHz
2 CPUs: 1 package(s) x 1 core(s) x 2 HTT threads
Uptime 21 Days 03 Hours 06 Minutes 46 Seconds
Current date/time
Tue Nov 5 20:08:09 CST 2013
DNS server(s) 127.0.0.1
97.64.183.164
97.64.209.37
192.168.0.1
Last config change Thu Oct 31 21:04:46 CDT 2013

FIREWALL RULES: LAN

ID Proto Source Port Destination Port Gateway Queue Schedule Description
* * * LAN Address 443 80 22 * * Anti-Lockout Rule
IPv4+6 TCP/UDP LAN net * HOTSPOT net * * none Allow LAN to HOTSPOT
IPv4 * LAN net * * * * none Default allow LAN to any rule

FIREWALL RULES: OPT (HOTSPOT)

ID Proto Source Port Destination Port Gateway Queue Schedule Description

allow IPv4+6 TCP/UDP HOTSPOT net * LAN net * * none Allow LAN to HOTSPOT

X IPv4+6 TCP/UDP HOTSPOT net * * 135 * none HOTSPOT Block to NetBIOS

X IPv4+6 TCP/UDP HOTSPOT net * * 137 - 139 * none HOTSPOT Block to NetBIOS

X IPv4 TCP/UDP HOTSPOT net * * 445 (MS DS) * none HOTSPOT Block to NetBIOS

X IPv4+6 TCP/UDP HOTSPOT net * HOTSPOT address 443 (HTTPS) * none HOTSPOT Block to Web GUI

X IPv4+6 TCP/UDP HOTSPOT net * WAN address * * none HOTSPOT Block to WAN Adress

X IPv4+6 TCP/UDP HOTSPOT net * WAN net * * none HOTSPOT Block to WAN subnet

X IPv4+6 TCP/UDP * * LAN net * * none Deny HOTSPOT Traffic to LAN

allow IPv4 * * * WAN address * * none Allow All Traffic

allow IPv4+6 TCP/UDP HOTSPOT net * * * * none Default allow OPT(HOTSPOT) to any rule</full-duplex></full-duplex></full-duplex>

timthetortoise · Nov 6, 2013, 6:37 PM

Going from your LAN rules, you should be able to access your OPT network simply from

IPv4 *    LAN net    *    *    *    *    none         Default allow LAN to any rule

How are you testing whether you are able to access it? The rule

allow IPv4+6 TCP/UDP    HOTSPOT net    *    LAN net    *    *    none         Allow LAN to HOTSPOT

in your OPT1 interface should not be in there if you want to block OPT1 traffic to LAN. Remember that firewall rules apply to incoming packets unless it's a floating outgoing rule. As it is set up now, the firewall should be passing traffic from LAN to OPT1, and vice versa. You likely have a problem elsewhere, most likely in either your testing methodology or your routing.

sujyo1 · Nov 6, 2013, 11:44 PM

Thanks for reply timthetortoise.

''Going from your LAN rules, you should be able to access your OPT network''
That's the problem… I am able to go on 10.10.10.1 form LAN (desktop), but some how I can't access to my access point (10.10.10.4 access point IP) from LAN. There are no other rules there...

'' in your OPT1 interface should not be in there if you want to block OPT1 traffic to LAN ''
yes I want to block OPT1 to LAN.

'' You likely have a problem elsewhere, most likely in either your testing methodology or your routing ''
I am testing https://10.10.10.4 in browser to log in to my access point. also try http://10.10.10.4 but no luck
If I use https://10.10.10.1 then pfsense log in page show up.

If you need other info please let me know...Thanks

timthetortoise · Nov 7, 2013, 1:39 PM

Is your default gateway set on the access point?

sujyo1 · Nov 8, 2013, 8:44 PM

''Is your default gateway set on the access point?''

Here is my set up…

ISP (cable)

Cisco modem+router(DPC3825 DOCSIS 3.0 Wireless) set wire less off & dhcp enable 192.168.0.1

pfsense box WAN set to auto ip

LAN 192.168.1.1/24 connected to netgear managed 8 port gigabit switch GS108T-v2 for all hardwire 2 computers, dvr, tv

OPt1 10.10.10.1/24 captive portal enable connected to netgear gigabit switch GS108 for all wireless 4 engenius access points ECB600 set to static ip 10.10.10.2,3,4,5

pfsense packages installed

Cron Services Available: 0.1.8 Installed: 0.1.7

iperf Network Management 2.0.5

pfBlocker Firewall 1.0.2

Sarg Network Report Installed: 2.3.6 pkg v.0.6.3

squid Network 2.7.9 pkg v.4.3.3

Thanks…

timthetortoise · Nov 8, 2013, 9:04 PM

Again, what is the default gateway on your access points? If it's not 10.10.10.1, they will not be able to communicate with your 192.168.1.x network.

sujyo1 · Nov 8, 2013, 9:19 PM

''Again, what is the default gateway on your access points? If it's not 10.10.10.1, they will not be able to communicate with your 192.168.1.x network.''

YES all access point's default gateway is set to 10.10.10.1

access point set up

IP: 10.10.10.2
DHCP: disable
subnet: 255.255.255.0
default gateway: 10.10.10.1
dns: 10.10.10.1

thanks…

sujyo1 · Nov 8, 2013, 9:35 PM

I am able to login into pfsense box from my desktop if i type https://10.10.10.1
I am able to ping access point 10.10.10.4 form my desk top !! but can't login in to access point!!

l3lu3 · Nov 10, 2013, 4:30 PM

When you try to browse to 10.10.10.4 what is the error given? Timeout? Rejected?

sujyo1 · Nov 10, 2013, 6:26 PM

Using Chrome

Oops! Google Chrome could not connect to 10.10.10.4

Try reloading: 10.10.10.4

Using IE

This page can't be displayed

•Make sure the web address http://10.10.10.4 is correct.
•Look for the page with your search engine.
•Refresh the page in a few minutes.

Fix connection problems

sujyo1 · Nov 10, 2013, 6:33 PM

Pfsense box LAN interface is set to https
OPT1 interface is set to https but on OPT1 interface the Captive Portal is set to http.

Is this set up can cause this problem??

sujyo1 · Nov 12, 2013, 4:33 AM

Please….any pf guru help me on this issue this is real headache for me. trying since 3 days!
I remove all rules just keep the basic rules then restart box still can't log in in to access point!!!

timthetortoise · Nov 12, 2013, 2:39 PM

Download nmap and do a port scan of the access point. Make sure HTTPS is actually showing up. If it's not, but other ports are and/or you can ping it without any special rules, you've got a problem not related to pfSense.

sujyo1 · Nov 12, 2013, 8:57 PM

Thanks for reply…run scan interface-any, scan method-tcp, (can't run scan method-SYN)
also I set LAN & OPT1 both to http

Running: /usr/local/bin/nmap -sT '10.9.88.2'

Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-12 14:50 CST
Nmap scan report for 10.9.88.2
Host is up (0.0037s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
MAC Address: xx:xx:xx:xx:xx:xx(Senao International Co.)

Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds

timthetortoise · Nov 13, 2013, 3:31 AM

So since port 443 isn't open, why would you be able to connect to HTTPS? Try to connect to http://10.10.10.4

sujyo1 · Nov 13, 2013, 9:21 PM

Thanks for reply…

Finally I have found the answer...my captive portal was the problem... so I just allow(pass through) my desktop's mac & adress in to captive portal setting and done...Thank you guys for your help

timthetortoise · Nov 13, 2013, 9:20 PM

Unless you have settings on your client machine that you're not revealing, don't know what to tell you. Good luck with it.

sujyo1 · Nov 13, 2013, 9:23 PM

Thanks for quick reply timthetortoise…

Finally I have found the answer...my captive portal was the problem... so I just allow(pass through) my desktop's mac & adress in to captive portal setting and done...Thank you for your help