Firewall rules being ignored by pfSense in vmware server install



  • Hello,

    I have pfsense 1.2 installed on VMWare 1.0.5 under linux. It is configured as follows:

    WAN -> le0 -> 10.99.99.6 (This is bridged to a physical NIC)
    LAN -> le1 -> 172.16.150.2 (This is a host only network)

    I can ping both the WAN and LAN networks from the pfSense console. I can send traffic from the LAN to the WAN through pfSense. In other words, it seems to be working ok.

    HOWEVER, I am trying to pass http traffic to another VM on the host only network from the WAN. I have set up a firewall rule to do this:

    Proto: TCP
    Source: *
    Port: *
    Destination: 172.16.150.3
    Port: 80 (HTTP)
    Gateway: *
    Schedule: <nothing>

    When I send http packets to the WAN address, they are being filtered by the default firewall rule (drop) according to the firewall log. My rule seems to be being ignored altogether.

    Anyone have any idea what is going on here?

    Thanks,
    Whitney



  • By the way, I know that 10.0.0.0/8 is normally not routable. I turned off "block private networks" and "block bogon networks" so the only firewall rule is the one that I previously described.



  • HOWEVER, I am trying to pass http traffic to another VM on the host only network from the WAN. I have set up a firewall rule to do this:

    Proto: TCP
    Source: *
    Port: *
    Destination: 172.16.150.3
    Port: 80 (HTTP)
    Gateway: *
    Schedule: <nothing>

    Could you specify a bit clearer what you are trying to achieve?
    Where did you create this rule?
    http://forum.pfsense.org/index.php/topic,7001.0.html



  • I am trying to set up an email server in a vmware virtual machine. I want traffic to this machine to pass through pfSense. So I have a virtual machine that contains the email server at 172.16.150.3. This is on the host only network. I can access it directly, but when I try to reach it through 10.99.99.6, I can not. The packets are being filtered.

    I created this rule in the pfSense web console.



  • I created this rule in the pfSense web console.

    You're not really using the console right?
    Because if you are…. urdoinitwrong.

    Could you show screenshots of the rules? (from the webgui).
    Also did you read the link I provided?
    I'm referring to this part:

    Rules:
    Rules are processed from top to down.
    If a rule catches, the rest of the rules are no longer considered.
    Per default a "block all" rule is always in place (invisible below your own rules).

    Traffic is filtered on the Interface on which traffic comes in.
    So traffic coming in on the LAN-Interface will only be processed from the rules you define on the LAN tab.



  • I am aware of that rule. I am expecting my rule to be matched. Here is the web console:




  • Traffic is filtered on the Interface on which traffic comes in.
    So traffic coming in on the LAN-Interface will only be processed from the rules you define on the LAN tab.

    Your rule is on the WAN interface.
    You want to allow traffic from the LAN interface.



  • No. I want traffic to pass from the WAN to the machine on my LAN. I am sending traffic to 10.99.99.6



  • Here is a screen shot of the log. Packets are definitely coming in on the WAN IF




  • If you are looking for help on the forum because you have a problem:
    provide as much information as possible.
    (log-outputs, screenshots of config/rules, etc.)
    Often a diagram (ASCII art?) can help more than pages of descriptions of how your network is set up.

    But i think i figured out what you want.

    Client
              |
              |
              |
          physical
          WAN(10.99.99.6)
        pfSense
          LAN(172.16.150.2)
            virtual
              |
              |
              |
              |
          172.16.150.3
          virtual Server

    You run a mailserver on 172.16.150.3 and you want to be able to connect to 10.99.99.6 and access this mailserver.
    For this to work you need to forward the ports on which your server is reachable.
    Just a firewall rule is not enough.
    Create forwardings under Firewall -> NAT
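    The port forward plus pass rule that answer describes, written out as an added example in the pf.conf syntax of the FreeBSD pf packet filter underneath pfSense (this is not configuration taken from the thread; the NAT page in the webgui generates the equivalent for you). It assumes the thread's addresses and that le0 is the WAN interface:

```pf
# Added example: what the pfSense port-forward page generates underneath,
# in FreeBSD pf syntax. Interfaces and addresses are the ones from the thread.
wan_if  = "le0"
wan_ip  = "10.99.99.6"
mail_vm = "172.16.150.3"

# --- Why the bare WAN firewall rule never matched (the original attempt) ---
# A client sends to the WAN address, so the packet arrives with
# dst = 10.99.99.6. A pass rule written for dst = 172.16.150.3 cannot
# match it, and the invisible default "block all" rule logs and drops it:
#   pass in on $wan_if proto tcp from any to $mail_vm port 80 keep state

# --- What is actually needed: translate first, then filter ---
# rdr (port forward) runs before filtering and rewrites
# 10.99.99.6:80 -> 172.16.150.3:80 on packets entering le0.
rdr on $wan_if proto tcp from any to $wan_ip port 80 -> $mail_vm port 80

# The filter then sees the translated destination, so this rule now matches.
# Keep it as narrow as the service: TCP only, one host, one port, and only
# new connections (SYN without ACK) create state.
pass in on $wan_if proto tcp from any to $mail_vm port 80 flags S/SA keep state
```

    The filter log is the check: once the rdr rule is in place, a hit on this pass rule shows 172.16.150.3 as the destination, whereas a drop by the default rule still shows 10.99.99.6.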



  • Ah ha! You are right. That is the piece that I was missing. Cool. Thanks for your help.

    Whitney

