How to allow only one computer from LAN to OPT interface



  • Hello pfsense guru please help me…
    New to pfsense. After config my firewall rules as follows (learn form diff forum). I can't access to my access points connected to OPT from my desk top connected to LAN interface. I am not able to configure my access points from my desktop. please advise me how to fix this and which rules are not needed...Thanks

    DASHBOARD

    WAN(DHCP)      up 1000baseT <full-duplex 192.168.0.13="" <br="">LAN                   up  1000baseT <full-duplex>192.168.1.1
    HOTSPOT          up  1000baseT <full-duplex>10.10.10.1

    Version 2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:50 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    You are on the latest version.
    Platform pfSense
    CPU Type Intel(R) Atom(TM) CPU N280 @ 1.66GHz
    2 CPUs: 1 package(s) x 1 core(s) x 2 HTT threads
    Uptime 21 Days 03 Hours 06 Minutes 46 Seconds
    Current date/time
    Tue Nov 5 20:08:09 CST 2013
    DNS server(s) 127.0.0.1
    97.64.183.164
    97.64.209.37
    192.168.0.1
    Last config change Thu Oct 31 21:04:46 CDT 2013

    FIREWALL RULES: LAN

    ID Proto Source Port Destination Port Gateway Queue Schedule Description
              *             *           * LAN Address 443 80 22 *   *               Anti-Lockout Rule
    IPv4+6 TCP/UDP LAN net * HOTSPOT net * * none   Allow LAN to HOTSPOT
    IPv4 * LAN net * * * * none   Default allow LAN to any rule

    FIREWALL RULES: OPT (HOTSPOT)

    ID  Proto           Source       Port Destination Port Gateway Queue Schedule Description

    allow IPv4+6 TCP/UDP HOTSPOT net * LAN net * * none   Allow LAN to HOTSPOT

    X IPv4+6 TCP/UDP HOTSPOT net * * 135 * none   HOTSPOT Block to NetBIOS

    X IPv4+6 TCP/UDP HOTSPOT net * * 137 - 139 * none   HOTSPOT Block to NetBIOS

    X IPv4 TCP/UDP HOTSPOT net * * 445 (MS DS) * none   HOTSPOT Block to NetBIOS

    X IPv4+6 TCP/UDP HOTSPOT net * HOTSPOT address 443 (HTTPS) * none HOTSPOT Block to Web GUI

    X IPv4+6 TCP/UDP HOTSPOT net * WAN address * * none   HOTSPOT Block to WAN Adress

    X IPv4+6 TCP/UDP HOTSPOT net * WAN net * * none   HOTSPOT Block to WAN subnet

    X IPv4+6 TCP/UDP * * LAN net * * none   Deny HOTSPOT Traffic to LAN

    allow IPv4 * * * WAN address * * none   Allow All Traffic

    allow IPv4+6 TCP/UDP HOTSPOT net * * * * none   Default allow OPT(HOTSPOT) to any rule</full-duplex></full-duplex></full-duplex>



  • Going from your LAN rules, you should be able to access your OPT network simply from

    IPv4 *    LAN net    *    *    *    *    none         Default allow LAN to any rule 
    

    How are you testing whether you are able to access it? The rule

    allow IPv4+6 TCP/UDP    HOTSPOT net    *    LAN net    *    *    none         Allow LAN to HOTSPOT
    

    in your OPT1 interface should not be in there if you want to block OPT1 traffic to LAN. Remember that firewall rules apply to incoming packets unless it's a floating outgoing rule. As it is set up now, the firewall should be passing traffic from LAN to OPT1, and vice versa. You likely have a problem elsewhere, most likely in either your testing methodology or your routing.



  • Thanks for reply timthetortoise.

    ''Going from your LAN rules, you should be able to access your OPT network''
    That's the problem… I am able to go on 10.10.10.1 form LAN (desktop), but some how I can't access to my access point (10.10.10.4 access point IP) from LAN. There are no other rules there...

    '' in your OPT1 interface should not be in there if you want to block OPT1 traffic to LAN ''
    yes I want to block OPT1 to LAN.

    '' You likely have a problem elsewhere, most likely in either your testing methodology or your routing ''
    I am testing https://10.10.10.4 in browser to log in to my access point. also try http://10.10.10.4 but no luck
    If I use https://10.10.10.1 then pfsense log in page show up.

    If you need other info please let me know...Thanks



  • Is your default gateway set on the access point?



  • ''Is your default gateway set on the access point?''

    Here is my set up…

    ISP (cable)


    Cisco modem+router(DPC3825 DOCSIS 3.0 Wireless) set wire less off & dhcp enable 192.168.0.1


    pfsense box WAN set to auto ip


    LAN 192.168.1.1/24 connected to netgear managed 8 port gigabit switch GS108T-v2 for all hardwire 2 computers, dvr, tv


    OPt1 10.10.10.1/24 captive portal enable connected to netgear gigabit switch GS108 for all wireless 4 engenius access points ECB600 set to static ip 10.10.10.2,3,4,5


    pfsense packages installed

    Cron Services Available: 0.1.8 Installed: 0.1.7

    iperf Network Management 2.0.5

    pfBlocker Firewall 1.0.2

    Sarg Network Report  Installed: 2.3.6 pkg v.0.6.3

    squid  Network 2.7.9 pkg v.4.3.3

    Thanks…



  • Again, what is the default gateway on your access points? If it's not 10.10.10.1, they will not be able to communicate with your 192.168.1.x network.



  • ''Again, what is the default gateway on your access points? If it's not 10.10.10.1, they will not be able to communicate with your 192.168.1.x network.''

    YES all access point's default gateway is set to 10.10.10.1

    access point set up

    IP: 10.10.10.2
    DHCP: disable
    subnet: 255.255.255.0
    default gateway: 10.10.10.1
    dns: 10.10.10.1

    thanks…



  • I am able to login into pfsense box from my desktop if i type https://10.10.10.1
    I am able to ping access point 10.10.10.4 form my desk top !! but can't login in to access point!!



  • When you try to browse to 10.10.10.4 what is the error given? Timeout? Rejected?



  • Using Chrome

    Oops! Google Chrome could not connect to 10.10.10.4

    Try reloading: 10.­10.­10.­4

    Using IE

    This page can't be displayed

    •Make sure the web address http://10.10.10.4 is correct.
    •Look for the page with your search engine.
    •Refresh the page in a few minutes.

    Fix connection problems



  • Pfsense box LAN interface is set to https
    OPT1 interface is set to https but on OPT1 interface the Captive Portal is set to http.

    Is this set up can cause this problem??



  • Please….any pf guru help me on this issue this is real headache for me. trying since 3 days!
    I remove all rules just keep the basic rules then restart box still can't log in in to access point!!!



  • Download nmap and do a port scan of the access point. Make sure HTTPS is actually showing up. If it's not, but other ports are and/or you can ping it without any special rules, you've got a problem not related to pfSense.



  • Thanks for reply…run scan interface-any, scan method-tcp, (can't run scan method-SYN)
    also I set LAN & OPT1 both to http

    Running: /usr/local/bin/nmap  -sT '10.9.88.2'

    Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-12 14:50 CST
    Nmap scan report for 10.9.88.2
    Host is up (0.0037s latency).
    Not shown: 998 closed ports
    PORT  STATE SERVICE
    23/tcp open  telnet
    80/tcp open  http
    MAC Address: xx:xx:xx:xx:xx:xx(Senao International Co.)

    Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds



  • So since port 443 isn't open, why would you be able to connect to HTTPS? Try to connect to http://10.10.10.4



  • Thanks for reply…

    Finally I have found the answer...my captive portal was the problem... so I just allow(pass through) my desktop's mac & adress in to captive portal setting and done...Thank you guys for your help



  • Unless you have settings on your client machine that you're not revealing, don't know what to tell you. Good luck with it.



  • Thanks for quick reply timthetortoise…

    Finally I have found the answer...my captive portal was the problem... so I just allow(pass through) my desktop's mac & adress in to captive portal setting and done...Thank you for your help