Netgate Discussion Forum

Help with firewall please

Firewalling
14 Posts 4 Posters 2.9k Views
oscardawgg:

;D Just want to say thank you all first. You guys rock.

I cannot browse to the web from my internal devices. I can do DNS and ping, but web is not working at all. I have tried tons of rules and adds, nothing working yet. Stuck a laptop outside of WAN and it works perfectly to browse to the web.

Thanks again guys, please see attached for all info I have.

Attachments: lan.png, wan link.PNG, lan link.PNG, traffic.PNG
Supermule:

Check your outbound rules settings.

You need to allow traffic from LAN to WAN and not LAN to LAN.

Please delete your WAN rules since there need to be none to begin with.

Attachment: lan2any.PNG
oscardawgg:

OK, so rules cleaned up (see attached) but still no go on the traffic. And now I am having issues with DNS. Trying to ping www.google.com and no go! nslookup not working either now.

Attachments: wan link2.PNG, dns issues.PNG
oscardawgg:

Funny part is, as soon as I put LAN to LAN back in, DNS starts working. Really lost now.
KOM:

Your network diagram is confusing. Are WAN and LAN on the same subnet? If so, that won't work.
oscardawgg:

@KOM:

    Your network diagram is confusing. Are WAN and LAN on the same subnet? If so, that won't work.

No, LAN is the 192.168.56.0/24 network and WAN is outside IPs with a 255.255.255.248 mask. I got the beginning of a network, so I just put in the .1 and .2. So like x.x.x.0/29.
KOM:

OK, I took another look at your updated LAN rules. You're only allowing TCP/UDP to go to WAN net. Get rid of your bottom two Allow rules and put this in their place:

    ID  Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
        IPv4*  *       *     *            *     *        none             Allow LAN to any rule
oscardawgg:

Progress :) Now I can get to Google and even Google searches, but nothing past that still. I am still resolving DNS (tried going to www.space.com), but web traffic is still a no go.
KOM:

If you can get to Google and do searches, then HTTP is working. What exactly are the errors you are getting?
oscardawgg:

Just timeouts, almost like my DNS knows nothing else. nslookup turns up IPs and everything good; just when I try to use the browser (IE) it times out. So far Google is the only thing I can get to, and it's kinda slow to talk. I do Wireshark on the firewall and on the network and it looks like everything is good, not sure what to do next.
johnpoz (LAYER 8 Global Moderator):

Confused - why did you delete/edit the default rule that pfSense puts on the LAN of any any?

Can you post up your current rules.

Your first rule was tcp/udp to WAN net - that would only allow access to "outside IPs with a 255.255.255.248 mask".

And your 2nd rule was just icmp to any any.

Are your clients using pfSense as DNS, or pointing directly to something else like 8.8.8.8? If you think you have DNS issues, can pfSense resolve? Under Diag, DNS Lookup - and what do you have pfSense using for DNS... your ISP, something you put in? Are you using the forwarder? i.e. does pfSense list 127.0.0.1 as one of its DNS on the system info widget?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
oscardawgg:

DNS is an internal 2012 server. Only 2 clients currently on the network: DNS and test box. See diagram above. Here are my current screenshots after we started working. Thanks so much for the help guys.

Attachments: wan 2.0.PNG, dns 2.0.PNG, lan2.0.PNG
johnpoz (LAYER 8 Global Moderator):

So that tcp/udp rule is pointless since you have an any any rule below it. And your WAN rule... curious why you are blocking those IPs from showing up in your firewall block log? But it looks like you're logging access to your WAN IP from your LAN, which really should be like never ;)

I do show that first 61 IP in the AbuseIPDB – but why do you not want it logged? Are they generating lots of noise?
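The two points johnpoz makes in this thread, that a LAN rule with destination "WAN net" only reaches the WAN interface's own /29 and that a TCP/UDP rule sitting above an any/any pass rule is redundant, can both be checked with a small first-match simulation of the rule list. This is an added example, not code from the thread, from pfSense or from any poster: the addresses (192.168.56.0/24 for LAN, the documentation prefix 203.0.113.0/29 standing in for the poster's unpublished WAN block, 8.8.8.8 as a public resolver, a constructed client at 192.168.56.10) and the rule dictionaries are constructed to match the rules the posts describe, and `first_match`, `covers` and `redundant_rules` are illustrative names.

```python
import ipaddress

# Constructed interface networks, assumed for illustration only: the poster's
# real WAN block is not on the page, so 203.0.113.0/29 (a documentation prefix)
# stands in for "outside IPs with a 255.255.255.248 mask".
INTERFACE_NETS = {
    "LAN net": ipaddress.ip_network("192.168.56.0/24"),
    "WAN net": ipaddress.ip_network("203.0.113.0/29"),
}


def to_net(spec):
    """Resolve 'any', an interface alias or a literal CIDR/host; None means 'any'."""
    if spec == "any":
        return None
    return INTERFACE_NETS.get(spec) or ipaddress.ip_network(spec, strict=False)


def addr_matches(spec, addr):
    net = to_net(spec)
    return net is None or ipaddress.ip_address(addr) in net


def proto_matches(spec, proto):
    # pfSense's "TCP/UDP" selector is a single rule that matches either protocol.
    return spec == "any" or proto.lower() in spec.lower().split("/")


def first_match(rules, proto, src, dst):
    """pf walks the interface's rule list top-down and the first match wins;
    on a pfSense LAN interface a packet that matches nothing is blocked."""
    for i, r in enumerate(rules):
        if (proto_matches(r["proto"], proto)
                and addr_matches(r["src"], src)
                and addr_matches(r["dst"], dst)):
            return i, r["action"]
    return None, "block"


def proto_covers(outer, inner):
    if outer == "any":
        return True
    if inner == "any":
        return False
    return set(inner.lower().split("/")) <= set(outer.lower().split("/"))


def addr_covers(outer, inner):
    o, i = to_net(outer), to_net(inner)
    return o is None or (i is not None and i.subnet_of(o))


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (proto_covers(outer["proto"], inner["proto"])
            and addr_covers(outer["src"], inner["src"])
            and addr_covers(outer["dst"], inner["dst"]))


def redundant_rules(rules):
    """Indices of rules that can be deleted without changing any verdict: a
    later rule with the same action covers them and every rule in between
    shares that action, so the traffic reaches the same verdict either way."""
    out = []
    for j, rule in enumerate(rules):
        for k in range(j + 1, len(rules)):
            if rules[k]["action"] != rule["action"]:
                break  # a different verdict sits in between; not safe to drop
            if covers(rules[k], rule):
                out.append(j)
                break
    return out


# Constructed rule sets modelled on the thread: before the fix the LAN had only
# a TCP/UDP rule to "WAN net" plus an ICMP any/any; after KOM's post the stock
# "Allow LAN to any" rule is back underneath the TCP/UDP rule.
RULES_BEFORE = [
    {"action": "pass", "proto": "TCP/UDP", "src": "LAN net", "dst": "WAN net"},
    {"action": "pass", "proto": "ICMP",    "src": "any",     "dst": "any"},
]
RULES_AFTER = RULES_BEFORE[:1] + [
    {"action": "pass", "proto": "any", "src": "any", "dst": "any"},
]

if __name__ == "__main__":
    client = "192.168.56.10"  # constructed LAN host
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(name, "dns  to 8.8.8.8    :", first_match(rules, "udp", client, "8.8.8.8"))
        print(name, "http to 8.8.8.8    :", first_match(rules, "tcp", client, "8.8.8.8"))
        print(name, "http to 203.0.113.2:", first_match(rules, "tcp", client, "203.0.113.2"))
        print(name, "ping to 8.8.8.8    :", first_match(rules, "icmp", client, "8.8.8.8"))
        print(name, "redundant rules    :", redundant_rules(rules))
```

With the "before" list, TCP and UDP to anything outside the /29 fall through to the implicit block while ping still passes, which is the symptom described at the top of the thread; with the any/any rule restored everything from the client passes, and `redundant_rules` reports the TCP/UDP rule as index 0, the "double coverage" the last two posts agree on.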
oscardawgg:

I pulled the tcp/udp rule. I realize now it's double coverage, lol. Trying to keep the log clean so I can see what's going wrong with it. And those 4 IPs so far are bad juju and are always blocked.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.