Netgate Discussion Forum
Help with firewall please

Firewalling
14 Posts 4 Posters 2.9k Views
KOM:

Your network diagram is confusing. Are WAN and LAN on the same subnet?? If so, that won't work.

oscardawgg:

@KOM:

Your network diagram is confusing. Are WAN and LAN on the same subnet?? If so, that won't work.

No, LAN is the 192.168.56.0/24 network and WAN is outside IPs with a 255.255.255.248 mask. I got the beginning of a network so I just put in the .1 and .2. So like x.x.x.0/29.

KOM:

OK I took another look at your updated LAN rules. You're only allowing TCP/UDP to go to WAN net. Get rid of your bottom two Allow rules and put this in their place:

ID  Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
    IPv4*  *       *     *            *     *        none             Allow LAN to any rule

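Added example, not code from the thread or from pfSense: a small Python model of how pfSense evaluates interface rules top to bottom with first match winning and an implicit default deny at the end. It shows why the original "TCP/UDP to WAN net" plus "ICMP to any" set blocks web traffic to anything outside the /29, why the any-to-any rule above fixes it, and why the TCP/UDP rule becomes pointless once an any-to-any rule sits below it. The 203.0.113.0/29 WAN net and the 198.51.100.x destinations are constructed documentation addresses standing in for the poster's x.x.x.0/29.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the poster's x.x.x.0/29 WAN block (TEST-NET-3).
WAN_NET = ipaddress.ip_network("203.0.113.0/29")

@dataclass
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp/udp", "icmp" or "*" (any)
    dst: str      # "WAN net", "*" (any) or a CIDR string
    desc: str = ""

def _match(rule, proto, dst):
    proto_ok = rule.proto == "*" or proto in rule.proto.split("/")
    if rule.dst == "*":
        dst_ok = True
    elif rule.dst == "WAN net":
        dst_ok = ipaddress.ip_address(dst) in WAN_NET
    else:
        dst_ok = ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
    return proto_ok and dst_ok

def evaluate(rules, proto, dst):
    """Top to bottom, first match wins; anything unmatched hits the implicit
    default deny. Returns (action, index of the deciding rule or None)."""
    for i, rule in enumerate(rules):
        if _match(rule, proto, dst):
            return rule.action, i
    return "block", None

def redundant_rules(rules, samples):
    """Indices of rules whose removal changes no decision for the samples,
    i.e. the 'double coverage' johnpoz pointed out."""
    out = []
    for i in range(len(rules)):
        without = rules[:i] + rules[i + 1:]
        if all(evaluate(rules, p, d)[0] == evaluate(without, p, d)[0]
               for p, d in samples):
            out.append(i)
    return out

# The poster's original LAN rules, the replacement, and the interim set with both.
ORIGINAL = [Rule("pass", "tcp/udp", "WAN net", "LAN to WAN net"),
            Rule("pass", "icmp", "*", "ICMP to any")]
FIXED = [Rule("pass", "*", "*", "Allow LAN to any rule")]
BOTH = [ORIGINAL[0]] + FIXED
# Constructed sample traffic: web and DNS to outside hosts, plus the WAN /29.
SAMPLES = [("tcp", "198.51.100.10"), ("udp", "198.51.100.53"),
           ("icmp", "198.51.100.10"), ("tcp", "203.0.113.2")]
```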
oscardawgg:

Progress :) Now I can get to Google and even Google searches, but nothing past that still. I am still resolving DNS (tried going to www.space.com), but web traffic is still a no go.

KOM:

If you can get to Google and do searches, then HTTP is working. What exactly are the errors you are getting?

oscardawgg:

Just timeouts, almost like my DNS knows nothing else. nslookup turns up IPs and everything is good; it's just when I try to use a browser (IE) that it times out. So far Google is the only thing I can get to, and it's kinda slow to talk. I do Wireshark on the firewall and on the network and it looks like everything is good; not sure what to do next.

johnpoz (LAYER 8 Global Moderator):

Confused - why did you delete/edit the default any/any rule that pfSense puts on the LAN??

Can you post up your current rules?

Your first rule was TCP/UDP to WAN net - that would only allow access to "outside IPs with a 255.255.255.248 mask".

And your 2nd rule was just ICMP to any/any.

Are your clients using pfSense as DNS, or pointing directly to something else like 8.8.8.8? If you think you have DNS issues, can pfSense resolve? Under Diag, DNS Lookup - and what do you have pfSense using for DNS? Your ISP, something you put in? Are you using the forwarder? I.e. does pfSense list 127.0.0.1 as one of its DNS servers on the system info widget?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

oscardawgg:

DNS is an internal 2012 server. Only 2 clients currently on the network: DNS and a test box. See diagram above. Here are my current screenshots after we started working. Thanks so much for the help guys.

![wan 2.0.PNG](/public/imported_attachments/1/wan 2.0.PNG)
![dns 2.0.PNG](/public/imported_attachments/1/dns 2.0.PNG)
[Attached screenshot: lan2.0.PNG]

johnpoz (LAYER 8 Global Moderator):

So that TCP/UDP rule is pointless since you have an any/any rule below it. And your WAN rule.. Curious why you are blocking those IPs from showing up in your firewall block log? But it looks like you're logging access to your WAN IP from your LAN, which really should be like never ;)

I do show that first 61 IP in AbuseIPDB – but why do you not want it logged? Are they generating lots of noise?


oscardawgg:

I pulled the TCP/UDP rule. I realize now it's double coverage lol. Trying to keep the log clean so I can see what's going wrong with it. And those 4 IPs so far are bad juju and are always blocked.
