Can't access devices on WAN network


  • Ok, I am a college student, and have set up a pfSense box in my dorm room. My goal is to get around my school's registration requirements by forcing all my traffic out the IP of the pfSense box. The way my school's network is set up, we have a 172.24.*.* network for all of our servers, DNS hosts, web servers, etc., a 172.26.*.* network for devices needing to be registered (restricted internet access), and a 12.xx.*.* network for the dorms, which are also external IP addresses. Without pfSense set up, you are able to be on the dorm network and connect to the 172.24.*.* network for certain tasks (being the few devices they want to let you connect to); however, after I set up pfSense, I seem to get an external IP just fine (12.xx.*.*) and I can connect to the internet, but when I try to connect to any of our on-campus devices, I get a timed out error. I believe that I am blocking the traffic somewhere, but I don't exactly know where. My overall goal for setting this up is to have my pfSense box be the only machine with an IP from the on-campus network, then route all my devices' traffic through it, then use port forwards as needed to host servers behind the pfSense box accessible from the campus network.

    (* is of course a wildcard, xx is hidden)

    A rough diagram of how the network is laid out would be something like this:

    Internet
          |
          |
    Campus Router
         /|\
        / | \
       /  |  \
     reg  |  academic
          |
        dorm
          |
      pfsense
          |
     My Network

    It's quite a bit more complicated than that, however that's the general idea… The way the campus firewalls are set up, a device on the dorm network cannot access the registration VLAN, nor the academic VLAN, except for certain devices. For example, our DNS servers are on the academic VLAN, and those are accessible from the dorm network, as are our student websites. When plugged directly into the wall, I can connect to these devices just fine, and even when I was experimenting with ICS through Windows I could connect. Which leads me to believe there is a firewall rule somewhere that is blocking it; however, I tried adding rules that allow all traffic from LAN to WAN and WAN to LAN, so in theory the firewall should have been "off", yet it made no difference. Any ideas of what I might be doing wrong?

    Note: I am a Computer Science student, and I am just starting to learn about networking. This project is sort of a learning experience for me, so please disregard my stupidity.


  • I'm sure I speak for any parents on this forum when I ask whether you've authorized bypassing your college registration requirements with your college? If not, you may well be risking being expelled for trying to hack your way past your college's defenses, which wouldn't give you much of a start in your presumed career in Computer Science.

    I would strongly suggest you talk to your Computer Science lecturer/teacher first to see if this would be deemed acceptable with the college authorities. Whether you find it a useful learning experience or not, you'd be taking something of a big risk if you proceeded without permission. For that matter, assuming your teacher approves, he may well be in a better position to offer you suggestions and guidance.


  • Not sure - It would depend on the age of the person and if this is a college or lower school.

    My kid's problem at his school is that EVERYTHING is blocked, including sites he needs to do research.

    I imagine that's quite annoying. It's misguided to overdo the sheltering if you ask me.

    Broken internet is no internet at all.


  • Agreed, being nannied is annoying and sometimes troublesome. But the school/college are still the authorities concerning internet access and they still have the final say, right or wrong. Whether you're a college student or just a school kid, if you overstep the mark they have every right to punish you - it's their system after all.


  • If I were in college and that was my only ISP available, and I was paying the bill (I did pay my own way), I'd blow right through it with a VPN.


  • Well, good luck with that then. (And I paid my way through university too, btw)

  • LAYER 8 Global Moderator

    "when i was experimenting with ICS through Windows i could connect"

    Was this Windows machine registered with the school? I would assume they run some sort of NAC (network access control). When my sons were in school they ran some Cisco software on their machines; if that software was not running, no network access.

    So while your Windows machine could be registered in the NAC, pfSense most likely is not. You could try cloning the MAC of a registered machine on the pfSense WAN, but I don't think the school is using such a basic form of NAC. If you want to play and learn about NAC, I would check out http://www.packetfence.org/

    To be honest I would not mess with your school policies. If you need unfettered internet access, run a hotspot off your phone or something. As mentioned, circumvention of school network policies is a good way to at minimum lose your access.


  • @johnpoz:

    To be honest I would not mess with your school policies. If you need unfettered internet access, run a hotspot off your phone or something. As mentioned, circumvention of school network policies is a good way to at minimum lose your access.

    Exactly. Just because you pay for a room to rent doesn't mean you have the right to paint the walls if you don't like the colour. ;-)


  • I have talked with our network admin (prior to starting this project) and he gave me a special exception for using routing software to get around their access restriction for research purposes. On campus, we do use a NAC, and the one we use is called Bradford; the agent required is Bradford Persistent Agent, and yes, the Windows computer did have it installed and was registered. However, on our network I have my pfSense box's MAC address registered directly (as is necessary for all devices that run Linux), meaning that I had our network admin put me past our Bradford requirement, and so I will never lose registration.


  • Then perhaps your problem is DNS?

  • LAYER 8 Global Moderator

    Well then it should work..

    Simple enough do a query to the dns servers on the

    "our dns servers are on the academic vlan,"

    This is a no-brainer with nslookup or dig or drill or host. drill and host are on pfSense. From a command line on pfSense, can you query these DNS servers?

  • LAYER 8 Netgate

    i tried adding rules that allow all traffic from lan to wan and wan to lan, so in theory, the firewall should have been "off" yet it made no difference.

    Not really.

    You need to understand fully what interface rules go on and why.  Start here and ask away:

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    Do you get public IP addresses on your WAN? If not, you also need to disable the private address filtering on WAN. This also might apply to receiving return traffic from the 172.24.0.0 and 172.26.0.0 networks. I'm not sure if that checkbox blocks states created going out. Bottom line is, if it's not unchecked and you need to talk to private addresses outside, uncheck it.

    ETA: I see the 12/8 public address scheme you get on WAN.
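An added example, not from the thread or from the pfSense project, that turns the two diagnostic suggestions above into something you can run on the pfSense box itself: johnpoz's "query the campus DNS servers from the pfSense command line with drill or host", and the Netgate reply's point that the WAN "Block private networks" option drops the 172.24.0.0 and 172.26.0.0 ranges. It assumes the WAN interface is `em0` and that the rule text looks like `pfctl -sr` output on pfSense (the sample rules below are constructed to that shape, not captured from any real box). The offline checks classify a campus address into its RFC 1918 block (172.24.x.x and 172.26.x.x both sit inside 172.16.0.0/12) and report whether a "Block private networks" rule on WAN covers it; the live DNS probe only runs when invoked with `--live <dns-server> <name>`.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense). Offline checks against
# CONSTRUCTED pf rule text shaped like `pfctl -sr` on pfSense, plus a
# guarded live DNS probe. Assumption: WAN is em0.

WAN_IF=em0

# Constructed sample: what "Block private networks" on WAN looks like in pf,
# plus the default LAN pass rule. On a real box use:  pfctl -sr
SAMPLE_RULES='block drop in quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block drop in quick on em0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block drop in quick on em0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block drop in quick on em0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'

# rfc1918_prefix ADDR: print the RFC 1918 block containing ADDR, or nothing.
# 172.24.x.x and 172.26.x.x are both inside 172.16.0.0/12 (second octet 16-31),
# which is exactly why they are caught by "Block private networks".
rfc1918_prefix() {
    o1=${1%%.*}
    rest=${1#*.}
    o2=${rest%%.*}
    case "$o1" in
        10)  echo 10.0.0.0/8 ;;
        172) if [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then echo 172.16.0.0/12; fi ;;
        192) if [ "$o2" -eq 168 ]; then echo 192.168.0.0/16; fi ;;
    esac
    return 0
}

# wan_private_blocks IFACE: read pf rules on stdin, print each RFC 1918 prefix
# that is blocked inbound on IFACE (one per line).
wan_private_blocks() {
    grep -E "^block .* on $1 .* from (10\.0\.0\.0/8|172\.16\.0\.0/12|192\.168\.0\.0/16) " \
        | sed -E 's/.* from ([0-9./]+) .*/\1/'
}

# wan_would_block IFACE ADDR: read pf rules on stdin; succeed when an
# unsolicited packet from ADDR arriving on IFACE (e.g. a campus host hitting
# a port forward) is covered by a private-network block rule. Replies to
# connections started from LAN are matched against pf's state table before
# the ruleset, so this check is about new inbound connections.
wan_would_block() {
    prefix=$(rfc1918_prefix "$2")
    [ -n "$prefix" ] || return 1
    wan_private_blocks "$1" | grep -qx "$prefix"
}

# dns_probe SERVER NAME: live only. pfSense ships drill(1) and host(1); succeed
# when SERVER answers the query for NAME with rcode NOERROR.
dns_probe() {
    if command -v drill >/dev/null 2>&1; then
        drill "$2" @"$1" 2>/dev/null | grep -q '^;; ->>HEADER<<-.* rcode: NOERROR'
    else
        host "$2" "$1" >/dev/null 2>&1
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Usage on the pfSense box: sh thisscript.sh --live <campus-dns-ip> <hostname>
    if pfctl -sr | wan_would_block "$WAN_IF" "$2"; then
        echo "$2: covered by Block private networks on $WAN_IF"
    fi
    if dns_probe "$2" "$3"; then echo "DNS answer from $2"; else echo "no DNS answer from $2"; fi
else
    echo "private prefixes blocked on $WAN_IF (constructed sample):"
    printf '%s\n' "$SAMPLE_RULES" | wan_private_blocks "$WAN_IF"
    for h in 172.24.1.10 172.26.5.5 12.1.2.3; do   # constructed campus/dorm addresses
        if printf '%s\n' "$SAMPLE_RULES" | wan_would_block "$WAN_IF" "$h"; then
            echo "$h: dropped by Block private networks on $WAN_IF"
        else
            echo "$h: not covered by Block private networks"
        fi
    done
fi
```

Running it without arguments prints the three blocked prefixes from the constructed rules and shows that the two 172.x campus addresses are covered while the 12.x dorm address is not; with `--live` it pipes the real `pfctl -sr` into the same check and then probes the campus DNS server, which is the quickest way to tell a DNS problem from a filtering problem.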