*SOLVED* Three LAN interfaces: could someone give a firewall rules example?

• brcisna

      Hello All,

      We have three lan interfaces:

      LAN =  172.28.8.0/24
      OPT1 = 172.28.12.0/23
      OPT2 = 172.28.14.0/23

Also factored into this is another router that is used for IP phones and teacher PCs that was set up by a company that the pfSense machine routes to for this box.
It is 172.28.14.0/23.
Just making this point when looking at the firewall rules I have attached.

I would like all three/four network segments to see everything between the segments.

This is a Windows domain, so many background TCP/UDP services have to pass. I (think) I have the firewall rules correct, yet I see NetBIOS and DNS being blocked between the network segments.
Server at 172.28.8.x: NetBIOS is blocked by a request from a client on 172.28.10.x, and so on.

I have juggled around the source and destinations for each interface, and it seems the same resulting ports that need to talk from the domain server to client boxes are being blocked, bottom line.
      I can successfully ping all clients behind any network segment to the other segment.

Could someone point to a good link with screenshots of firewall rules for this scenario?
I have searched but simply can't find any good "pictures" of what actually works.
I did not have any trouble making this setup work on 2.0.1.

      I will attach firewall rules screenshots for each of the lan interfaces.
At this point they are so jiggled up, I am sure something will not be right between segments in the screenshots.

      Thanks,
      Barry


• Derelict (LAYER 8 Netgate)

        Your allow any any rules make all the rules above them that are more specific pretty much useless.

        You do realize that routing windows services requires proper DNS and/or WINS because the protocols depend on being in the same broadcast domain for discovery right?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

• brcisna

Thanks Derelict,

Yes, a Windows Server 2003 server is "trying" to provide WINS and DNS to the client machines. This is the underlying problem: the DNS, NetBIOS and SMB requests can be seen being blocked in the LAN, OPT1 and OPT2 firewall logs.

As I mentioned earlier, I didn't have any trouble making this setup work in both 1.2.3 and 2.0.1 pfSense.

          Thank You.

• Derelict (LAYER 8 Netgate)

            Post a screenshot of the blocks.  Those permit any any rules prevent any traffic from LAN, OPT1, or OPT2 being blocked.

            Please also clear states before testing again even though I don't think that's it.

            In fact, you have so many duplicate/incorrect rules, just delete everything except the pass any any rules since that's all that's really in effect anyway.

            All these interface rules operate on traffic coming IN the interface on which they are defined.  Having a rule passing from LAN net to OPT1_ELNET net on interface OPT1_ELNET doesn't do anything because traffic from LAN net will never be received by interface OPT1_ELNET.

            Make all three interfaces look like this (plus maybe an anti-lockout rule on LAN), clear states, and test again:

            ![Screen Shot 2014-08-30 at 11.41.45 AM.png](/public/imported_attachments/1/Screen Shot 2014-08-30 at 11.41.45 AM.png)

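Derelict's two points above (a rule attached to OPT1 with source LAN net can never match, because LAN traffic never arrives inbound on OPT1, and an any-to-any pass makes every rule below it on that interface dead) can be checked with a small model of first-match, inbound-interface rule evaluation. This is an added illustration, not pfSense code or anything posted in the thread; the subnets are the ones from the first post, and Rule, evaluate, dead_rules, shadowed_rules and THREAD_RULES are names chosen here.

```python
import ipaddress
from collections import namedtuple

# Constructed model of pfSense interface rules: a rule sees only packets arriving
# INBOUND on its own interface, first match wins, any->any shadows what follows.
NETS = {  # interface -> connected subnet, taken from the thread
    "LAN": ipaddress.ip_network("172.28.8.0/24"),
    "OPT1": ipaddress.ip_network("172.28.12.0/23"),
    "OPT2": ipaddress.ip_network("172.28.14.0/23"),
}
# iface: interface the rule is attached to; action: "pass"/"block";
# src, dst: "<IFACE> net" or "any" (hypothetical names, not pfSense's own)
Rule = namedtuple("Rule", "iface action src dst")

def _matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in NETS[spec.split()[0]]

def ingress_iface(src_ip):
    """Interface a packet from src_ip enters on: the one whose subnet contains it."""
    for name, net in NETS.items():
        if ipaddress.ip_address(src_ip) in net:
            return name
    raise ValueError(f"{src_ip} is not on a connected subnet")

def evaluate(rules, src_ip, dst_ip):
    """(action, index of matching rule) for a forwarded packet; default deny otherwise."""
    iface = ingress_iface(src_ip)
    for i, r in enumerate(rules):
        if r.iface == iface and _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r.action, i
    return "block", None

def dead_rules(rules):
    """Rules whose source subnet can never arrive inbound on their own interface."""
    return [i for i, r in enumerate(rules) if r.src != "any" and r.src.split()[0] != r.iface]

def shadowed_rules(rules):
    """Rules sitting below an any->any pass on the same interface (never reached)."""
    done, out = set(), []
    for i, r in enumerate(rules):
        if r.iface in done:
            out.append(i)
        if (r.action, r.src, r.dst) == ("pass", "any", "any"):
            done.add(r.iface)
    return out

THREAD_RULES = [  # constructed ruleset showing the two defects called out in the thread
    Rule("OPT1", "pass", "LAN net", "OPT1 net"),  # dead: LAN traffic never enters OPT1
    Rule("OPT1", "pass", "any", "any"),
    Rule("OPT1", "block", "OPT1 net", "LAN net"),  # shadowed by the any->any above it
    Rule("LAN", "pass", "any", "any"),
]
```

Note that OPT2 has no rule at all in this constructed set, so a client there is blocked by the default deny; the suggested fix of one any-to-any pass per interface leaves `dead_rules` and `shadowed_rules` empty.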
• brcisna

              Derelict,

Thanks again for some pointers. I will post screenshots below. I did exactly as you stated, cleared states, cleared firewall logs; in just 2 minutes I am still seeing blocks from both OPT subnets trying to make communication with the Windows Server 2003 DC residing on the LAN network here, trying to get DNS, WINS and SMB port contact.

Something that will look quirky is that on the LAN interface rules I had to put the 172.28.14.0/23 SOURCE to get the static-routed teacher PCs to get internet access.
I will screenshot the static route as well.

              Other than that the LAN,OPT1,OPT2 rules are exactly as you suggested.

In other words, I see in the blocked firewall logs client 172.28.12.0/23 going to server 172.28.8.20:139 and 135.
              From the looks of these rules everything should pass?
              Seems like maybe the routing is wonky or something.
All subnets can web browse fine with squid, squidGuard and captive portal, FYI.

              Thanks

• Derelict (LAYER 8 Netgate)

What is this Teacher PC gateway? What is 172.28.14.0/23? Get rid of that static route. You don't need it. It's a connected interface on OPT2. Why are you trying to send traffic for it to a LAN address?

• Derelict (LAYER 8 Netgate)

> Also factored into this is another router that is used for IP phones and teacher PCs that was set up by a company that the pfSense machine routes to for this box.
> It is 172.28.14.0/23.
> Just making this point when looking at the firewall rules I have attached.

I think I'm going to need to see a diagram that details exactly what you've got. It sounds like you have a gateway somewhere to 172.28.14.0/23 AND have that same subnet assigned to OPT2. That's not going to work.

• brcisna

                    Derelict,

You are correct in regards to the gateway. In the original post I stated that this router provides three subnets: Servers, Elementary, High School. About 8 years ago the school had IP phones installed, and at that time the super wanted the teacher PCs on a separate segment, so the pfSense router has to intertwine with the IP phone company's own router.

What is odd: going from version 2.0.1 pfSense to 2.1.4, when you generate a static route the GUI generates a gateway by design? I don't know how to do a static route, e.g. as on Linux, on pfSense without the GUI generating the gateway along with the route?

The 172.28.14.0/23 resides on the second router, the IP phone company's router. I knew when this was set up it would be a headache down the road, but I had no say in the setup. The static route points to the gateway of the IP phone company's router, bottom line.

Do I need another physical NIC to maybe tie into the other router? As I said, this did work on 1.2.3 and 2.0.1 pfSense? But those did not generate a gateway when a static route was created?
This is of course a new router from the last two versions of our pfSense setup as well.

I will post a screenshot of the gateway pointing to the other router. Its IP address/gateway address is 172.28.8.1.

                    Thanks again.

• Derelict (LAYER 8 Netgate)

What is the IP address of the

> IP phone company's own router

What subnet is behind it?

                      I still think you'll need to diagram this out if you're going to get any meaningful help.

                      https://forum.pfsense.org/index.php?topic=1630.0

• brcisna

                        Derelict,

Thanks again for helping out. I did disable the static route tied to the LAN interface that points towards the other router of the IP phone and teacher PC company. As soon as I disabled the static route there were none of the blocks in the firewall log between the LAN, OPT1 and OPT2 NICs. I let it run for 20 mins and everything looks perfect.

I am going to get in contact with the company that put in the IP phones and also wired the teacher PCs' LAN segment to see what they want to do.

Kind of really burned out on it right now.
This is a production router with about 800 devices that is used almost 7 days a week, so I don't have much of a chance to play around with it, bottom line.

The problem is once I disable the static route I can no longer ping the gateway of the other router, of course. Those teacher PCs and router have static routes to come to this pfSense router and go out through its content filter squidGuard, same as the elementary and high school LAN segments.
                        Thanks again

• brcisna

                          Hello All,

The above problem, which I thought was incorrect firewall rules between LAN segments on my part, was not the problem.

For completeness in regards to this post: the pfSense system connected to an Adtran router that serviced a teacher LAN segment as well as IP phones.

The Windows Server 2003 DC gateway was set to the Adtran router, rather than the actual pfSense machine gateway.
After changing the Windows Server 2003 DC gateway to the pfSense system, the blocks were no longer happening, due to (I think) different times in the time stamps, due to the Adtran router system time being way off, but I am not sure this was the cause.

                          Problem solved!

                          Thanks.
