Netgate Discussion Forum

Access denied from different subnet

Firewalling
7 Posts 3 Posters 1.6k Views
    pffox
    last edited by May 21, 2014, 5:32 PM

    Hello

    I don't know what I'm doing wrong; it's a fairly simple setup.
    I have 2 subnets:

    10.10.0.0/16
    10.1.0.0/16

    The pfsense box is sitting at 10.10.0.50 and has routes to the 10.1.x.x network.
    If I turn pfctl off, everything works fine, but if I leave it on as the default and define 2 simple rules for that subnet, it's not working.

    And it's not just a single TCP port: even if I allow any IPv4 traffic to and from that 10.1.x.x network, it is denied.

    Why is that?

      dotdash
      last edited by May 21, 2014, 5:56 PM

      You are only allowing traffic to the LAN address (10.10.0.50) on port 3128. You didn't explain what you are trying to do.

        pffox
        last edited by May 21, 2014, 6:43 PM

        I beg your pardon, what didn't I explain?

        I think I explained it all. I just want the firewall to be working and accept proxy connections from the 10.1.x.x subnet as well.

        From the local subnet 10.10.x.x all the machines can reach this proxy machine even if the firewall is ON; from 10.1.x.x they can only reach it right now if it's turned off.

        This machine only has one IP address 10.10.0.50 which is the LAN IP. I think I made the rule right.

          dotdash
          last edited by May 21, 2014, 8:52 PM

          @pffox:

          I beg your pardon, what didn't I explain?

          You didn't mention the proxy part, and I missed the significance of the port number. I was trying to figure out why you had restricted traffic from that network to the firewall IP. The LAN subnet, on the other hand, is allowed to go anywhere. It would seem that if you change the 'Default allow all from LAN' rule from 'LAN Subnet' to 10.1.0.0/12 then both subnets would act the same. I've never run a proxy on the firewall, so I'm unfamiliar with how the rules typically are.

            pffox
            last edited by May 22, 2014, 8:07 AM

            OK, I don't give up on this, because I have to configure FreeBSD firewalls in the future, so I'd better understand why this simple rule isn't working.

            Yes, in this case the appliance is only used as a Squid proxy machine; the proxy port is 3128. It has its own default gateway, it's not a router and doesn't do any NAT.

            This should allow any connection to both 10.1.x.x and 10.10.x.x:

            IPv4 *  LAN net  *  *  *  *  none

            This rule should allow incoming connections from the 10.1.x.x /16 (not /12) subnet:

            IPv4 TCP  10.1.0.0/16  *  LAN address  3128  *  none

            You know what's strange: the machine doesn't even have a rule allowing connections from the 10.10.x.x subnet on port 3128, and those are working even if the firewall is ON.

              dotdash
              last edited by May 22, 2014, 6:27 PM

              'LAN net' is only 10.10.0.0/16. If you want rules to include both subnets, you either need to change the subnet to 10.1.0.0/12, which includes both subnets, or copy the rule and change the subnet to 10.1.0.0/16 on the second rule.
              As to the second part of the question, traffic to 'LAN address' is already allowed by the LAN net to any rule.

                johnpoz LAYER 8 Global Moderator
                last edited by May 22, 2014, 8:19 PM May 22, 2014, 8:14 PM

                Your last rule there is pointless. Rules are INBOUND only, not outbound, unless you're doing floating rules.

                You don't need a rule to allow pfSense to initiate traffic from its own interface to a network it's attached to.

                But yes, your 10.1/16 source to LAN address (10.10.0.50) TCP 3128 should be allowed. How are you sure it's not? Are you seeing denied in the log from that source to that port for SYN packets?

                Did you set up squid to allow access from your other subnet?

                [image: proxyaccess.png]

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

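As an added illustration (not code from this thread, from pfSense or from Squid) of how the two rules pffox listed get evaluated, and of dotdash's point that a /12 covers both subnets, the following Python replays constructed sample flows against those rules. It assumes pfSense's default semantics for interface rules: the rule set is applied on the interface where the first packet of a flow arrives, the first matching rule wins, and a flow matching no rule is dropped by the default deny. The flow addresses and ports below are constructed sample values; the rule lines and addresses are the ones quoted in the thread.

```python
"""Toy first-match evaluator for the LAN rules quoted in this thread.

Added illustration, not pfSense code. Assumed semantics: interface rules
are evaluated on the inbound interface for the first packet of a flow,
first match wins, and anything unmatched is dropped (default deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values from the thread: the box's only address and its LAN subnet.
LAN_ADDRESS = ipaddress.ip_network("10.10.0.50/32")
LAN_NET = ipaddress.ip_network("10.10.0.0/16")

# GUI aliases as they appear in pffox's rule listing (underscored so they
# survive a whitespace split).
ALIASES = {"LAN_net": LAN_NET, "LAN_address": LAN_ADDRESS}


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]                   # None means any protocol
    src: Optional[ipaddress.IPv4Network]   # None means any source
    dst: Optional[ipaddress.IPv4Network]   # None means any destination
    dport: Optional[int]                   # None means any destination port


def _network(token: str) -> Optional[ipaddress.IPv4Network]:
    """Resolve a source/destination column: '*', a GUI alias, or a CIDR."""
    if token == "*":
        return None
    if token in ALIASES:
        return ALIASES[token]
    return ipaddress.ip_network(token, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one line in the column order used in the thread:
    family  proto  source  src-port  destination  dst-port  gateway ...
    """
    line = line.replace("LAN net", "LAN_net").replace("LAN address", "LAN_address")
    cols = line.split()
    proto = None if cols[1] == "*" else cols[1].lower()
    dport = None if cols[5] == "*" else int(cols[5])
    return Rule(proto, _network(cols[2]), _network(cols[4]), dport)


def first_match(rules, proto: str, src: str, dst: str, dport: int) -> Optional[int]:
    """Index of the first rule matching a flow's initial packet, or None
    when the default deny applies."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.proto is not None and r.proto != proto.lower():
            continue
        if r.src is not None and src_ip not in r.src:
            continue
        if r.dst is not None and dst_ip not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return i
    return None


def covers(candidate: str, *nets: str) -> bool:
    """True if `candidate` contains every network given. strict=False masks
    host bits, so '10.1.0.0/12' is treated as 10.0.0.0/12."""
    big = ipaddress.ip_network(candidate, strict=False)
    return all(ipaddress.ip_network(n).subnet_of(big) for n in nets)


# The two rules pffox posted, verbatim.
RULES = [parse_rule(text) for text in (
    "IPv4 *  LAN net  *  *  *  *  none",
    "IPv4 TCP  10.1.0.0/16  *  LAN address  3128  *  none",
)]

if __name__ == "__main__":
    # Constructed sample flows (hosts chosen for illustration only).
    print(first_match(RULES, "tcp", "10.1.5.6", "10.10.0.50", 3128))   # 1: second rule
    print(first_match(RULES, "tcp", "10.10.3.4", "10.10.0.50", 3128))  # 0: LAN net to any
    print(first_match(RULES, "tcp", "10.1.5.6", "10.10.0.50", 22))     # None: default deny
    print(covers("10.1.0.0/12", "10.10.0.0/16", "10.1.0.0/16"))        # True
```

The second flow shows why no separate 10.10.x.x-to-3128 rule is needed: the 'LAN net to any' rule already matches it. The fourth result shows what the /12 suggestion does: with host bits masked, 10.1.0.0/12 is 10.0.0.0/12, which spans 10.0.0.0 to 10.15.255.255 and so contains both /16s. Whether the real packets ever reach the rule set (routing, and Squid's own access list) is a separate question, which is the one johnpoz raises.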
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.