Netgate Discussion Forum

    Allow All Rule Not Completely Working

    Firewalling
    4 Posts 3 Posters 745 Views
    Lery

      Hello and thank you for your time. Here is my issue.

      Interfaces = WAN, LAN, OPT1

      LAN = 192.168.2.0/24
      OPT1 = 192.168.3.0/24

      Firewall > Rules > LAN tab. This is set up by default with a "Default allow LAN to any" rule. It allows all traffic on the LAN interface.

      Firewall > Rules > WAN tab. I want to allow all traffic on this interface to flow the same way it does on the LAN interface. This includes access to the internet and other machines on the 192.168.2.0 subnet. I created an identical rule, just like the one I have on the LAN interface by default.

      I still find that I cannot access the internet or resolve against the DNS server located at 192.168.2.3.

      As a workaround, I watch the firewall logs and click the symbol to create an easy rule. Once I do this for each entry, I'm able to access the internet, DNS servers, and clients from the 192.168.3.0/24 subnet.

      My assumption was that the allow-all rule would take care of this for me, just like it does on the LAN interface. Obviously I'm missing something?

      The WAN rule does have the green pass symbol next to it. I'm currently using version 2.1.5.

      Lery

        I figured this out and thought I would share the resolution here. For the protocol option, I had selected TCP, which is how LAN is set up. For some reason, on OPT1, I had to choose TCP/UDP. That is all I had to change to get it working.

        Derelict (LAYER 8, Netgate)

          It should probably be "any" on LAN and OPT1. With TCP-only, DNS probably won't work if your LAN clients need to talk to, say, Google's DNS. With TCP/UDP, LAN clients won't be able to ping out to the internet, since that's ICMP.

          Note that rules take effect when connections are made into an interface. If you pass traffic destined for the internet on LAN/OPT1, you don't need any rules on WAN to allow the traffic to egress. Return traffic from the internet is passed by the already-established firewall states.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          johnpoz (LAYER 8, Global Moderator)
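The two points in the answer above (a rule's protocol field decides which new connections are allowed in on that interface, and reply packets are passed by state rather than by any WAN rule) can be seen in a small model. The following is an added example written for this thread, not pfSense code and not something any poster provided: it is a toy stateful packet filter with per-interface "pass" rules whose protocol may be `any`, `tcp`, `tcp/udp` or `icmp`, and it replays a DNS query, an HTTPS connection, a ping and the HTTPS reply arriving on WAN. The addresses (192.168.3.10, 192.168.2.3 from the thread, and 203.0.113.0/24 documentation-range hosts standing in for the internet) and the `demo()` helper are constructed for illustration.

```python
"""
Added example: a minimal model of how a stateful, per-interface firewall
such as pfSense evaluates a "pass" rule. Constructed for illustration;
this is not pfSense's own code and simplifies heavily (no ports/addresses
in rules, no state timeouts, no floating rules).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet ENTERS on: "lan", "opt1", "wan"
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # 0 for protocols without ports (ICMP)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    iface: str        # rules only match traffic entering this interface
    proto: str        # "any", "tcp", "udp", "tcp/udp" or "icmp"
    action: str = "pass"

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface != self.iface:
            return False
        if self.proto == "any":
            return True
        # "tcp/udp" in the GUI means either protocol; ICMP is neither
        return pkt.proto in self.proto.split("/")


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()   # 5-tuples of connections that were passed

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet):
        # A reply has source and destination swapped relative to the state
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def evaluate(self, pkt: Packet) -> str:
        # 1. An existing state wins: reply traffic never consults the rules,
        #    which is why no WAN rule is needed for internet return traffic.
        if self._key(pkt) in self.states or self._reverse_key(pkt) in self.states:
            return "pass (state)"
        # 2. Otherwise the first matching rule on the ingress interface decides
        #    and, if it passes, creates the state. No match: default deny.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(self._key(pkt))
                return rule.action
        return "block (default)"


def demo(opt1_proto: str) -> dict:
    """Replay the thread's scenario with the given OPT1 rule protocol."""
    fw = StatefulFirewall([Rule("lan", "any"), Rule("opt1", opt1_proto)])
    client = "192.168.3.10"                      # constructed OPT1 host
    dns_query = Packet("opt1", "udp", client, "192.168.2.3", 5353, 53)
    https = Packet("opt1", "tcp", client, "203.0.113.10", 40000, 443)
    ping = Packet("opt1", "icmp", client, "203.0.113.53")
    results = {
        "dns_udp": fw.evaluate(dns_query),
        "https_tcp": fw.evaluate(https),
        "ping_icmp": fw.evaluate(ping),
    }
    # The HTTPS reply enters on WAN, where no rule exists at all
    reply = Packet("wan", "tcp", "203.0.113.10", client, 443, 40000)
    results["https_reply_on_wan"] = fw.evaluate(reply)
    return results


if __name__ == "__main__":
    for proto in ("tcp", "tcp/udp", "any"):
        print(f"OPT1 rule protocol={proto!r}: {demo(proto)}")
```

Running it shows the progression the thread describes: with `tcp` the UDP DNS query and the ping are both dropped while the TCP connection passes; with `tcp/udp` DNS works but ping still fails; only `any` passes all three. In every case the HTTPS reply on WAN is passed by state, with no WAN rule in the set.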

            LAN is not set up with TCP out of the box; LAN is set up with ANY. If your LAN was set to TCP only, you edited it.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.11.1 | Lab VMs 2.8.1, 25.11.1

            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.