Another Plea for Rules Help!
-
Sorry to toss this out on an apparently consistent topic of help, but I cannot, for the life of me, figure out how to get PFSENSE to allow inbound rules to work.
I have read and followed steps and nothing.
First off, a little info on the system. It's an older 1U server with two NICs. One's the WAN, one's the LAN. I have internet access and am able to surf just fine.
I am trying to do two things. The first is set the firewall to allow ICMP Pings from ANY.
I created a rule that was specific about which source network the ping was to be allowed from and all that, and nothing. So then I created a rule to allow it all, planning to lock it down once I determined that worked; well, I can't even get the allow-all rule to work. So here is the rule as it is now, trying to get pings allowed from anywhere:
I am not seeing any blocks on the firewall.
The second thing I am trying to do is set up remote admin through HTTPS on a specific port other than 443. Once again, I started specific and then expanded it to ANY because it didn't work, same results as the ping: I cannot get anything from external to access the PFSENSE box.
For the admin access to the GUI I put:
PASS
WAN
IPv4
TCP
ANY (Source)
WAN (DESTINATION), though I have tried specific IP, ANY et cetera
PORT (specific and default). Nothing. I have tried resetting states and no go.
Anyone got some ideas on what to do? What to check? Anything :)
-
It also seems that no rule works unless it impacts the LAN network only.
-
Your firewall rules image seems to be missing. Just to be clear, what are you trying to remotely manage via 443, your pfSense install or something behind it like a web server?
-
Pings are not TCP, they are ICMP. If you want your WAN address pingable from anywhere do this on WAN.
Restricting it to echoreq only is probably not necessary but…
-
And are you sure pfSense is not behind a double NAT? I.e., does pfSense have a public IP on its WAN, or is it an RFC1918 address? I see this all the time: "why doesn't my port forward work", etc. Because pfSense never sees the traffic to forward, since the NAT in front of it didn't send the traffic to pfSense.
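A quick way to check the double-NAT question above, added here as an example and not part of the original post: classify the address the WAN interface actually holds. It also flags the 100.64.0.0/10 carrier-grade NAT range (RFC 6598), which is common on DSL and looks "public" at first glance; the interface name in WAN_IF is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Classify an IPv4 address as "private"
# (RFC 1918), "cgnat" (RFC 6598 carrier-grade NAT), "public" or "invalid".
# Return status: 0 = public, 1 = some NAT sits in front of this box, 2 = bad input.
classify_wan_addr() {
    ip=$1
    # Split the dotted quad into positional parameters on "." and restore IFS.
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || { echo invalid; return 2; }
    for o in "$@"; do
        case $o in ''|*[!0-9]*) echo invalid; return 2;; esac
        [ "$o" -le 255 ] || { echo invalid; return 2; }
    done
    a=$1; b=$2
    if [ "$a" -eq 10 ]; then echo private; return 1; fi                               # 10.0.0.0/8
    if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private; return 1; fi   # 172.16.0.0/12
    if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo private; return 1; fi           # 192.168.0.0/16
    if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat; return 1; fi   # 100.64.0.0/10
    echo public; return 0
}

# On the pfSense shell (FreeBSD), run with WAN_IF set to the WAN NIC, e.g. WAN_IF=em0 (assumed name).
# A "private" or "cgnat" result means the modem/ISP is translating before pfSense sees any inbound packet.
if [ -n "${WAN_IF:-}" ]; then
    addr=$(ifconfig "$WAN_IF" | awk '/inet /{print $2; exit}')
    printf '%s: %s (%s)\n' "$WAN_IF" "$addr" "$(classify_wan_addr "$addr")"
fi
```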
-
Well I am as positive as I can be that it is not behind another NAT device or a firewall. This is a DSL line from Windstream (our local POS Internet provider) and the modem was put into Passthrough mode, which basically just allows everything to pass through and the devices behind it are allowed to restrict what they like.
We use this for our NCIC Criminal records check, but there are 5 IPs assigned to the DSL line, so the NCIC firewall (a Juniper Firewall / VPN device) is using one of the IPs to do its thing. I then took another IP and used it for this PFsense firewall and assigned it another IP et cetera.
I can reach the Juniper device's interface, so I assume that the DSL modem is not interrupting traffic.
I did set the rule up to allow ICMP for the pings and it made no difference.
I am trying to set up the WAN interface to allow for remote management of the GUI when I am at home or in other offices. So the rule would be toned down and restricted to certain IPs once I get it to work, but currently I cannot get ANY rule to apply to the WAN interface.
I am not sure why the image didn't link, maybe it doesn't like linking to Google Docs.
I'll see if a link directly to it works, but as I mentioned before, nothing I apply to it seems to work and I don't know why. I have used PFSense before and I don't recall this issue. I suppose I can change the WAN IP to an internal one and see if I can access it from an internal intranet IP, to rule out blocking from the DSL modem.
It just seems like the easiest part of the setup should be allowing access to the WAN interface, when there is no NAT or port forwarding or anything involved, just rules as far as I recall.
Here is the rule I created to allow ICMP:
https://drive.google.com/file/d/0BzsKCe89Gscxdy1yR0VPQ2RZNWc/view?usp=sharing
-
I also tried this way:
https://drive.google.com/file/d/0BzsKCe89GscxeWN6dDhZdk1TeWc/view?usp=sharing
-
Bah, never mind! Sorry to have wasted anyone's time.
Apparently the IT yahoos at the main courthouse (who don't know squat but actually try and run stuff) are blocking connections going out somehow, probably because they have the stupid firewall they use incorrectly configured.
I was able to RDP into my system at home and then test pings and remote administration, and it works fine, so it's definitely something the yahoos here are blocking or otherwise configuring. I knew those rules were right; I was just too anxious to leave for my three day weekend and didn't think of other ways to test remotely. I was thinking I could just test from my office PC, which is a different connection, not thinking they have something interrupting outbound stuff.
Thanks for the help!