*SOLVED* Three LAN interfaces: could someone give a firewall rules example?



  • Hello All,

    We have three LAN interfaces:

    LAN =  172.28.8.0/24
    OPT1 = 172.28.12.0/23
    OPT2 = 172.28.14.0/23

    Also factored into this is another router, used for IP phones and teacher PCs, that was set up by a company and that the pfSense machine routes to from this box.
    It is 172.28.14.0/23.
    Just making this point for when you look at the firewall rules I have attached.

    I would like all three/four network segments to see everything between the segments.

    This is a Windows domain, so many background TCP/UDP services have to pass. I (think) I have the firewall rules correct, yet I see NetBIOS and DNS being blocked between the network segments.
    NetBIOS to the server at 172.28.8.x is blocked on a request from a client on 172.28.10.x, and so on.

    I have juggled around the sources and destinations for each interface, and the result seems the same: the ports that need to talk from the domain server to the client boxes are being blocked, bottom line.
    I can successfully ping all clients behind any network segment from the other segments.

    Could someone point me to a good link with screenshots of firewall rules for this scenario?
    I have searched but simply can't find any good "pictures" of what actually works.
    I did not have any trouble making this setup work on 2.0.1.

    I will attach firewall rule screenshots for each of the LAN interfaces.
    At this point they are so jiggled up, I am sure something will not be right between segments in the screenshots.

    Thanks,
    Barry







  • Netgate

    Your allow any any rules make all the rules above them that are more specific pretty much useless.

    You do realize that routing windows services requires proper DNS and/or WINS because the protocols depend on being in the same broadcast domain for discovery right?



  • Thanks Derelict,

    Yes, a Windows Server 2003 server is "trying" to provide WINS and DNS to the client machines. This is the underlying problem: the DNS, NetBIOS and SMB requests can be seen being blocked in the LAN, OPT1 and OPT2 firewall logs.

    As I mentioned earlier, I didn't have any trouble making this setup work in both 1.2.3 and 2.0.1 pfSense.

    Thank You.


  • Netgate

    Post a screenshot of the blocks. Those permit any any rules prevent any traffic from LAN, OPT1, or OPT2 being blocked.

    Please also clear states before testing again even though I don't think that's it.

    In fact, you have so many duplicate/incorrect rules, just delete everything except the pass any any rules since that's all that's really in effect anyway.

    All these interface rules operate on traffic coming IN the interface on which they are defined. Having a rule passing from LAN net to OPT1_ELNET net on interface OPT1_ELNET doesn't do anything, because traffic from LAN net will never be received by interface OPT1_ELNET.

    Make all three interfaces look like this (plus maybe an anti-lockout rule on LAN), clear states, and test again:

    ![Screen Shot 2014-08-30 at 11.41.45 AM.png](/public/imported_attachments/1/Screen Shot 2014-08-30 at 11.41.45 AM.png)
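    The same three-interface ruleset expressed in pf syntax, as an added illustration that is not part of the original post or of pfSense's generated config. Interface names (em0/em1/em2), the webGUI ports, and the use of macros are assumptions; the subnets are the ones from the thread. It shows the point Derelict makes: a rule is evaluated only for packets that arrive on the interface it is bound to, so a rule on OPT1 whose source is LAN net can never match.

    ```pf
    # Assumed interface-to-NIC mapping (check Status > Interfaces on the real box)
    lan  = "em0"
    opt1 = "em1"
    opt2 = "em2"

    # Subnets from the thread
    lan_net  = "172.28.8.0/24"
    opt1_net = "172.28.12.0/23"
    opt2_net = "172.28.14.0/23"

    # Anti-lockout equivalent on LAN: keep the webGUI reachable (ports assumed).
    # "($lan)" means "the addresses currently on em0".
    pass in quick on $lan proto tcp from $lan_net to ($lan) port { 80 443 } keep state

    # One pass-any rule per interface. Each matches only traffic that ARRIVES on
    # that interface, which is exactly what the screenshot above asks for.
    pass in quick on $lan  inet from $lan_net  to any keep state
    pass in quick on $opt1 inet from $opt1_net to any keep state
    pass in quick on $opt2 inet from $opt2_net to any keep state

    # Dead rule: packets with a LAN-net source are never received on em1, so this
    # line can never match. It is what a "LAN net -> OPT1 net" rule on the OPT1
    # tab amounts to. Left commented out on purpose.
    # pass in quick on $opt1 inet from $lan_net to $opt1_net keep state

    # Everything not matched above falls through to pfSense's implicit default
    # deny, which is what produces the "blocked" entries in the firewall log.
    ```

    To compare against what pfSense actually loaded, run `pfctl -sr` on the box and look at which interface each generated `pass in quick on ...` line is bound to; a syntax check of a fragment like this one is `pfctl -nf rules.conf` (parse only, does not load). Clearing states after changing rules matters because already-established states are matched before the rules are consulted.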



  • Derelict,

    Thanks again for some pointers. I will post screenshots below. I did exactly as you stated, cleared states, cleared firewall logs, and in just 2 minutes I am still seeing blocks from both OPT subnets trying to make contact with the Windows Server 2003 DC residing on the LAN network here, trying to get DNS, WINS and SMB ports.

    Something that will look quirky is that on the LAN interface rules I had to put 172.28.14.0/23 as the SOURCE to get the statically routed teacher PCs to get internet access.
    I will screenshot the static route as well.

    Other than that, the LAN, OPT1 and OPT2 rules are exactly as you suggested.

    In other words, I see in the blocked firewall logs clients in 172.28.12.0/23 going to server 172.28.8.20:139 and 135.
    From the looks of these rules, everything should pass?
    Seems like maybe the routing is wonky or something.
    All subnets can web browse fine with Squid, SquidGuard and the captive portal, FYI.

    Thanks


  • Netgate

    What is this Teacher PC gateway? What is 172.28.14.0/23? Get rid of that static route. You don't need it. It's a connected interface on OPT2. Why are you trying to send traffic for it to the LAN address?


  • Netgate

    Also factored into this is another router, used for IP phones and teacher PCs, that was set up by a company and that the pfSense machine routes to from this box.
    It is 172.28.14.0/23.
    Just making this point for when you look at the firewall rules I have attached.

    I think I'm going to need to see a diagram that details exactly what you've got.  It sounds like you gave a gateway somewhere to 172.28.14.0/23 AND have that same subnet assigned to OPT2.  That's not going to work.



  • Derelict,

    You are correct in regards to the gateway. In the original post I stated that this router provides three subnets: Servers, Elementary, High School. About 8 years ago the school had IP phones installed, and at that time the super wanted the teacher PCs on a separate segment, so the pfSense router has to intertwine with the IP phone company's own router.

    What is odd, going from pfSense 2.0.1 to 2.1.4: when you generate a static route, the GUI generates a gateway by design? I don't know how to do a static route (e.g. like on Linux) on pfSense without the GUI generating the gateway along with the route.

    The 172.28.14.0/23 resides on the second router, the IP phone company's router. I knew when this was set up that it would be a headache down the road, but I had no say in the setup. The static route points to the gateway of the IP phone company's router, bottom line.

    Do I need another physical NIC to maybe tie into the other router? As I said, this did work on 1.2.3 and 2.0.1 pfSense, but those did not generate a gateway when a static route was created.
    This is of course a new router compared to the last two versions of our pfSense setup as well.

    I will post a screenshot of the gateway pointing to the other router. Its gateway IP address is 172.28.8.1.

    Thanks again.


  • Netgate

    What is the IP address of the

    IP phone company's own router

    What subnet is behind it?

    I still think you'll need to diagram this out if you're going to get any meaningful help.

    https://forum.pfsense.org/index.php?topic=1630.0



  • Derelict,

    Thanks again for helping out. I did disable the static route tied to the LAN interface that points towards the IP phone and teacher PC company's other router. As soon as I disabled the static route there were none of the blocks in the firewall log between the LAN, OPT1 and OPT2 NICs. I let it run for 20 minutes and everything looks perfect.

    I am going to get in contact with the company that put in the IP phones and also wired the teacher PC LAN segment to see what they want to do.

    Kind of really burned out on it right now.
    This is a production router with about 800 devices that is used almost 7 days a week, so I don't have much of a chance to play around with it, bottom line.

    The problem is, once I disable the static route I can no longer ping the gateway of the other router, of course. Those teacher PCs and that router have static routes to come to this pfSense router and go out through its SquidGuard content filter, the same as the elementary and high school LAN segments.
    Thanks again



  • Hello All,

    The above problem, which I thought was incorrect firewall rules between LAN segments on my part, was not the problem.

    For completeness in regards to this post: the pfSense system connected to an Adtran router that serviced a teacher LAN segment as well as the IP phones.

    The Windows Server 2003 DC's gateway was set to the Adtran router, rather than to the actual pfSense machine's gateway.
    After changing the Windows Server 2003 DC's gateway to the pfSense system, the blocks were no longer happening, due to (I think) different times in the timestamps, because the Adtran router's system time was way off, but I am not sure this was the cause.

    Problem solved!

    Thanks.