Help with firewall please

  • ;D  Just want to say thank you all first. You guys rock.

    I cannot browse to the web from my internal devices. I can do DNS and ping, but web is not working at all. I have tried tons of rules and adds, nothing working yet. Stuck a laptop outside of the WAN and it works perfectly to browse to the web.

    Thanks again, guys. Please see attached for all the info I have.

    ![wan link.PNG](/public/imported_attachments/1/wan link.PNG)
    ![lan link.PNG](/public/imported_attachments/1/lan link.PNG)

    Check your outbound rules settings.

    You need to allow traffic from LAN to WAN, not LAN to LAN.

    Please delete your WAN rules, since there need to be none to begin with.

  • OK, so rules cleaned up (see attached), but still no go on the traffic. And now I am having issues with DNS. Trying to ping and no go! nslookup not working either now.

    ![wan link2.PNG](/public/imported_attachments/1/wan link2.PNG)
    ![dns issues.PNG](/public/imported_attachments/1/dns issues.PNG)

  • Funny part is, as soon as I put LAN to LAN back in, DNS starts working. Really lost now.

  • Your network diagram is confusing. Are WAN and LAN on the same subnet?? If so, that won't work.

  • @KOM:

    Your network diagram is confusing. Are WAN and LAN on the same subnet?? If so, that won't work.

    No, LAN is the network and WAN is outside IPs with a mask. I got the beginning of a network, so I just put in the .1 and .2. So like x.x.x.0/29.

  • OK, I took another look at your updated LAN rules. You're only allowing TCP/UDP to go to WAN net. Get rid of your bottom two Allow rules and put this in their place:

    | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
    |----|-------|--------|------|-------------|------|---------|-------|----------|-------------|
    |    | IPv4* | *      | *    | *           | *    | *       | none  |          | Allow LAN to any rule |
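To show why the rule above fixes things where the earlier "to WAN net" rule did not, here is an added illustrative pf ruleset, written for this thread and not taken from pfSense's generated rules. Interface names and subnets (em1, 192.168.1.0/24, 203.0.113.0/29) are placeholders; pfSense's "WAN net" alias only covers the /29 the ISP assigned to the WAN interface, so a packet bound for any Internet address falls past that rule and hits the default block.

```pf
# Added example: hand-written pf ruleset modelled on what pfSense builds from
# the LAN tab. All names and addresses are placeholders, not the poster's.
lan_if  = "em1"
lan_net = "192.168.1.0/24"   # placeholder internal subnet
wan_net = "203.0.113.0/29"   # placeholder for the ISP /29 ("WAN net" in the GUI)

# Rule 1 from the thread: TCP/UDP from LAN, but only to the WAN's own /29.
# A web request to any public address is outside wan_net, so it does NOT match.
pass in quick on $lan_if inet proto { tcp udp } from $lan_net to $wan_net keep state \
    label "USER_RULE: LAN to WAN net only"

# Rule 2 from the thread: ICMP to anywhere. Explains why ping still worked.
pass in quick on $lan_if inet proto icmp from $lan_net to any keep state \
    label "USER_RULE: ICMP to any"

# The replacement KOM suggests, i.e. the pfSense default LAN rule:
# any protocol, from the LAN subnet, to any destination. With this present the
# two rules above are redundant (the "double coverage" noted later in the thread).
pass in quick on $lan_if inet from $lan_net to any keep state \
    label "USER_RULE: Default allow LAN to any rule"

# pfSense's implicit default: everything not passed by a quick rule above is
# dropped and logged, which is where the browser timeouts came from.
block in log all
```

Reading the ruleset top to bottom the way pf evaluates `quick` rules makes the failure obvious: without the "to any" pass, a TCP SYN to a web server matches neither the WAN-net rule (wrong destination) nor the ICMP rule (wrong protocol), and only the final block remains.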

  • Progress  :)  Now I can get to Google and even Google searches, but nothing past that still. I am still resolving DNS (tried going to, but web traffic still a no go.

  • If you can get to Google and do searches, then HTTP is working.  What exactly are the errors you are getting?

  • Just timeouts, almost like my DNS knows nothing else. nslookup turns up IPs and everything is good; it's just when I try to use a browser (IE) it times out. So far Google is the only thing I can get to, and it's kinda slow to talk. I do Wireshark on the firewall and on the network and it looks like everything is good. Not sure what to do next.

    Confused - why did you delete/edit the default rule that pfSense puts on the LAN of any any??

    Can you post up your current rules?

    Your first rule was TCP/UDP to WAN net - that would only allow access to "outside IPs with a mask".

    And your 2nd rule was just ICMP to any any.

    Are your clients using pfSense as DNS, or pointing directly to something else like  If you think you have DNS issues, can pfSense resolve? Under Diag, DNS Lookup - and what do you have pfSense using for DNS? Your ISP, something you put in? Are you using the forwarder? I.e., does pfSense list as one of its DNS servers on the System Info widget?

  • DNS is an internal 2012 server. Only 2 clients currently on the network: DNS and test box. See diagram above. Here are my current screenshots after we started working. Thanks so much for the help, guys.

    ![wan 2.0.PNG](/public/imported_attachments/1/wan 2.0.PNG)
    ![dns 2.0.PNG](/public/imported_attachments/1/dns 2.0.PNG)

    So that TCP/UDP rule is pointless, since you have an any any rule below it. And your WAN rule... curious why you are blocking those IPs from showing up in your firewall block log? But it looks like you're logging access to your WAN IP from your LAN, which really should be like never ;)

    I do show that first 61 IP in AbuseIPDB - but why do you not want it logged? Are they generating lots of noise?

  • I pulled the TCP/UDP rule. I realize now it's double coverage, lol. Trying to keep the log clean so I can see what's going wrong with it. And those 4 IPs so far are bad juju and are always blocked.

