No Path To Web Via Connected Wireless Router
-
Hello,
I'm currently running:
2.1.4-RELEASE (i386)
built on Fri Jun 20 12:59:29 EDT 2014
FreeBSD 8.3-RELEASE-p16I've connected a Linksys WRT54G, running DD-WRT, to an OPTx interface, Ethernet - copper.
-
I followed what I read HERE: Use an existing wireless router with pfSense
-
I also checked against THIS THREAD: WAN <-> LAN + OPT1
-
The firewall rules; I posted screen shots, attached.
So… I did this for WiFi.
-
I do NOT have a PCI WiFi card that pfSense/BSD runs.
-
I do NOT have another wired device I can plug into the WRT54G's ethernet port, to test.
Result:
-
The WiFi client picks up a DHCP - IPv4 address from pfSense.
-
Naturally, the DD-WRT GUI-config page of the WRT54G is accessible.
-
If I allow RFC 1918 network throughput on OPT1, the WiFi client can access the pfSense OPT1 static I.P., but not the I.P. I use to access WebConfigurator on LAN
-
Using WebConfigurator, on the OPT1 address, I can ping, one of Google's I.P.'s, as shown, attached.
-
I have internet connectivity on LAN.
-
However, I can NOT get out traffic, passing via the OPT1
-
The WiFi client is not able to ping the outside world.
Verified:
-
The OPT1 ethernet cord is NOT plugged into the WAN port of the WRT54G
-
The WRT54G LAN I.P. is in the subnet of OPT1, STATIC, outside of DHCP range.
-
I tried STATIC WAN I.P. and even disabled WAN on the WRT54G.
-
I can see the DHCP lease of my LAN desktop AND the OPT1 -> WRT54G WiFi Client.
-
The DHCP server of the WRT54G is disabled, by selecting "DHCP Forwarder".
-
On the WRT54G, the Gateway is the pfSense OPT1 static I.P.
-
The WRT54G is in "router" mode, NOT "gateway" mode. (I tried BOTH).
-
There is a WRT54G setting, under "Administration" to enable or disable routing. It IS enabled.
-
On the WRT54G, the "local DNS" is the pfSense OPT1 static I.P. (I tried it with the default 0.0.0.0)
-
I'm also running pfBlocker and the Squid proxy server in case that may have an effect.
A little help, if you please.
:)
-
-
First thing: Try a reboot. pfSense often needs a reboot after significant changes are made, especially to interfaces. (Just speaking from personal experience, I don't know the cause.)
Based on your description, I suspect that you have both a NAT problem, and a firewall rules problem. It would be helpful to see how you've assigned the OPT1 and LAN IP addresses.
My rule of thumb with firewalls is start with no block rules at all, make sure that you have routing and NAT running properly first. (pfSense blocks by default, so this is relatively safe.) So if the reboot doesn't fix it, try disabling your block rules.
Lacking data, my assumptions are:
1. That OPT1 and LAN are assigned different networks.
2. That OPT1 and LAN are in RFC 1918 IP ranges
3. That you are not using any Virtual IPs
4. You are using "Automatic outbound NAT rule generation"If I allow RFC 1918 network throughput on OPT1, the WiFi client can access the pfSense OPT1 static I.P., but not the I.P. I use to access WebConfigurator on LAN
To fix OPT1 and LAN not communicating with each other:
A. You must explicitly enter rules to allow traffic between OPT1 and LAN for them to communicate (unless they are bridged). pfSense will block them by default. (check in Status: System logs: Firewall)
B. You must remove the three Block rules you have on the OPT1 interface.-
I have internet connectivity on LAN.
-
However, I can NOT get out traffic, passing via the OPT1
-
The WiFi client is not able to ping the outside world.
You need to manually enter your NAT rules. "Automatic outbound NAT rule generation" only works for the LAN interface. When you have two interfaces (OPT1 & LAN) on different networks pfSense won't make rules the OPT1 IP space. (due to my assumption #2 above.) See: https://doc.pfsense.org/index.php/Multi-LAN_Setup
The WiFi client is not able to ping the outside world.
After fixing the NAT, if this still fails, check Status: System logs: Firewall, is the WiFi client's IP address being blocked?
-
-
Thanks for the reply, MindfulCoyote.
I HATE it when I have a post drafted, and am all but finished, right before Firefox decides to crash…
In trying to diagnose, I had disabled all packet filtering, but that also disables NAT... It's almost as easy, with WebConfigurator, to click and disable rules, one by one.
As you suggested, I DID reboot, to no avail.
I see that in 2.2, there will be manual NAT layering, on top of the A.O.N. behavior. 8)
All of your numbered assumptions are correct.
However, I was just illustrating 1918 communication between OPT1 and the LAN interface I.P. I do NOT want OPT1 segment wireless clients to be able to access LAN, only WAN. So, it's doubly blocked, as a 1918, and as LAN. I'm not sure why I would want to allow a bogon network.
I suspect the trouble, as you indicate, is that I need to configure Manual Outbound N.A.T.
It's funny... Currently I can access the router GUI on the OPT1 (W.-A.P.), and the router GUI on WAN (gateway). But, I'm currently using A.O.N. Perhaps something changed in the last couple releases. {I'm on 2.1.5-RELEASE (i386)}
You know, there seem to be some holes in the "how to" and documentation pages. Many are also outdated.
Unfortunately, in the link you provided, it really is not clear that for a multi LAN setup, that N.A.T. MUST be manual:
https://doc.pfsense.org/index.php/Multi-LAN_Setup#Understand_that_NAT_is_On_by_DefaultIn this project, we speak many languages. Some things are lost in translation. At other times, (s)he who can "do", and (s)he who can "teach", is not one and the same person…
-
Unfortunately, in the link you provided, it really is not clear that for a multi LAN setup, that N.A.T. MUST be manual
I'm a bit late here but that is not correct. You can leave outbound NAT on automatic (and I would recommend you do) you just need the correct firewall rules in place.
In this project, we speak many languages. Some things are lost in translation.
That is very true. :)
There are a number of incorrect things in the initial rules you posted. I'd be happy to make some suggestions if you're still having issues.
The WiFi client is not able to ping the outside world.
That was because your rules on OPT1 only allowed TCP/UDP and ping is ICMP.
Steve
-
Hey, stephenw10!
Thanks for jumping in…
I'm relieved about presently being able to keep A.O.N., in that I'm trying to keep my learning curve as shallow as possible. Throwing Manual Outbound N.A.T. in the mix, just steepens the slope.
A couple thing I like about N.A.T., coming in 2.2:
-
Hybrid outbound NAT style that allows the user to keep the existing automatic behavior but layer manual rules on top of it.
-
Display networks used in automatic outbound NAT when using that mode.
https://doc.pfsense.org/index.php
pfSenseDocs - 2.2 New Features and Changes - NAT/Firewall Rules/Aliases
I'm assuming something changed with NAT, in the last couple release revisions; since I was previously unable to see my WAN gateway or my OPT1 router:
-
https://doc.pfsense.org/index.php/2.1.5_New_Features_and_Changes
-
https://doc.pfsense.org/index.php/2.1.4_New_Features_and_Changes
-
https://doc.pfsense.org/index.php/2.1.3_New_Features_and_Changes
-
https://doc.pfsense.org/index.php/2.1.2_New_Features_and_Changes
-
https://doc.pfsense.org/index.php/2.1.1_New_Features_and_Changes#NAT.2FFirewall_Rules.2FAliases
-
https://doc.pfsense.org/index.php/2.1_New_Features_and_Changes#NAT.2FFirewall_Rules.2FAlias
Although I don't recall making any effective change, I can now see the OPT1 router GUI, and the WAN gateway GUI.
I can telnet to the OPT1 router. I did this to get it to ping, as I don't see it in the GUI.
Pinging from the OPT1 router turned out to be a necessary diagnostic step. Yes, pinging with the WebConfigurator: Diagnostics -> Ping { https://pfsense/diag_ping.php || https://192.168.1.1/diag_ping.php || etcetera} using OPT1 as the source address showed success…
However, to ping from the OPT1 "WLAN" router, I needed to BOTH, enable a rule allowing ICMP, AND allow RFC 1918 addresses...
Of course, the router, and any WiFi clients have a 1918 address, courtesy of pfSense's DHCP. Hindsight is 20/20!
I was able to ping, via telnet, ping from a WiFi client, and go online with the WiFi client.
I disabled the ICMP rule, but did not delete, for future diagnostics. The WiFi client can still get online.
The firewall rule I created, keeping WiFi clients, and WPA crackers out of the lan, covers my intent for disallowing RFC 1918 networks on OPT1.
Eventually, I'll have a FreeNAS, or NAS4Free box, on it's own interface, or VLAN. So I'll have to decide if I open it to the WLAN… I'll certainly implement the Snort package!
So, it seems this is solved…
I did clarify that I do NOT want the OPT1 WLAN clients to be able to access my primary LAN. So... If there are still,
@stephenw10:a number of incorrect things in the initial rules you posted.
…then I would certainly appreciate your suggestion(s).
Thanks!
-
-
Sorry about the delay, I was away for a few days with only a tablet to write with.
Ok, so you want to have an additional interface that will host a wireless access point. You want want clients on that interface to have access to the internet but not to any machines on the LAN interface. Do you want wireless clients to be able to access the pfSense webgui? I will assume you do not.Two ways of achieving this you can allow access to everything and then block access to what you don't want or you can allow only access to what you want. I choose the latter because it involves less rules (faster processing) and is more logical to me.
So, by default pfSense will block all new connections coming into an interface so without adding any rules to OPT1 wireless clients will not be able to connect to anything. We need to add rules to allow only connections to the internet. I have an almost identical setup on my home box, the difference being I have a lot more internal interfaces. I first setup an alias that contains all my local subnets Firewall: Aliases:.
My alias is called LOCAL and for simplicity it's set as 192.168.0.0/16.
Now set a firewall rule on OPT1
Protocol: IPV4
Source: OPT1 net
Port: *
Destination: !LOCAL (the ! indicates NOT here)
Port: * (you could limit this further by using a limited range of ports here)
Gateway: *Thus only connection to addresses outside your local subnets will be allowed. This works fine BUT if your using the pfSense DNS forwarder (which you probably are) then you need to also allow access to that. Add another rule to OPT1
Protocol: IPV4
Source: OPT1 net
Port: *
Destination: OPT1 address
Port: 53 (DNS)
Gateway: *And you should be good. If you test you will find that clients on OPT1 can still access the webgui on the WAN address because the web server listens on all interfaces. If you don't want that add a specific block rule at the top of the list to block it.
Attached is a screen shot of the rules I have on my wifi interface. All the additional rules allow access to further services but only the two I described above are necessary for internet access.Steve
Hmm still can't attach files so here's a linked image: