    SG-2440 Disabled my local LAN access

    Firewalling
iTestAndroid:

I just received my SG-2440 and what I am trying to do is:

      1. Connect WAN to my ISP's router for internet access
      2. Connect LAN to my wireless router (dd-wrt)
      3. LAN, OPT1 and OPT2 are bridged (Assign Interface -> Bridges -> LAN, OPT1 and OPT2 selected)
      4. Interface group called AllMyNet is created with LAN, OPT1 and OPT2 as members.
5. In dd-wrt I configured the WAN port and the other ports as a switch, chose "DHCP relay" as the DHCP server and pointed DHCP requests to the pfSense IP (192.168.2.1).

Now I don't have an internet issue, but my strange issues are:

1. When I ping from my computer (192.168.2.10 - directly on OPT1) to my router (192.168.2.12 - LAN), I get blocked.
2. When my NAS (OPT2) tries to get an IP from DHCP, it fails.
3. When I try to open the dd-wrt web interface, I can't.

I can share as many logs as you need. I can just say that I didn't configure anything else; I don't have any restriction in the firewall rules. I have already set a lot of any-to-any rules.
I want to start with any-to-any for everything; when everything works and I've figured it out, I'll start adding strict rules.

      Example logs during my pings:

      k,in,4,0x0,,64,0,0,DF,17,udp,211,192.168.2.13,192.168.2.255,138,138,191
      Apr  7 00:54:43 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19001,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,182764
      Apr  7 00:54:44 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19017,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,182864
      Apr  7 00:54:45 TheFireWall filterlog: 7,16777216,,1000000101,igb0,match,block,in,4,0x0,,64,19954,0,none,17,udp,710,169.254.1.172,255.255.255.255,21302,21302,690
      Apr  7 00:54:45 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19105,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,182964
      Apr  7 00:54:46 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19115,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,183064
      Apr  7 00:54:47 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19279,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,183164
      Apr  7 00:54:48 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19284,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,183264
      Apr  7 00:54:49 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19340,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,183364
      Apr  7 00:54:50 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19538,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,183464
      Apr  7 00:54:51 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19773,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,183564
      Apr  7 00:54:52 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19800,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,183664
      Apr  7 00:54:53 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19987,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,183764
      Apr  7 00:54:54 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,20126,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,183864
      Apr  7 00:54:55 TheFireWall filterlog: 7,16777216,,1000000101,igb0,match,block,in,4,0x0,,64,19955,0,none,17,udp,710,169.254.1.172,255.255.255.255,21302,21302,690
      Apr  7 00:54:55 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,20206,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,183964
      Apr  7 00:54:56 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,20280,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,184064
      Apr  7 00:54:57 TheFireWall filterlog: 7,16777216,,1000000101,igb0,match,block,in,4,0x0,,64,13308,0,none,17,udp,40,169.254.1.172,169.254.1.255,44393,5000,20
      Apr  7 00:54:57 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,20451,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,184164
      Apr  7 00:54:58 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,20649,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,184264
      Apr  7 00:54:59 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,20688,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,184364
      Apr  7 00:55:00 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,20710,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,184464

Logs during the DHCP request failure:
      Apr  7 00:57:32 TheFireWall filterlog: 90,16777216,,1428361429,bridge0,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.2.13,224.0.0.22,datalength=16
      Apr  7 00:57:32 TheFireWall filterlog: 90,16777216,,1428361429,igb3,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.2.13,224.0.0.22,datalength=16
      Apr  7 00:57:32 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,0,0,DF,17,udp,317,192.168.2.12,192.168.2.13,67,68,297
      Apr  7 00:57:35 TheFireWall filterlog: 90,16777216,,1428361429,bridge0,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.2.13,224.0.0.22,datalength=16
      Apr  7 00:57:35 TheFireWall filterlog: 90,16777216,,1428361429,bridge0,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.2.13,224.0.0.22,datalength=16
      Apr  7 00:57:35 TheFireWall filterlog: 90,16777216,,1428361429,igb3,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.2.13,224.0.0.22,datalength=16
      Apr  7 00:57:35 TheFireWall filterlog: 7,16777216,,1000000101,igb0,match,block,in,4,0x0,,64,19971,0,none,17,udp,710,169.254.1.172,255.255.255.255,21302,21302,690
      Apr  7 00:57:38 TheFireWall filterlog: 5,16777216,,1000000003,igb0,match,block,in,6,0x00,0xf79b3,255,UDP,17,89,fe80::806:349d:ccb9:1b96,ff02::fb,5353,5353,89
      Apr  7 00:57:38 TheFireWall filterlog: 62,16777216,,1000001584,igb0,match,block,in,4,0x0,,255,27264,0,none,17,udp,109,192.168.1.5,224.0.0.251,5353,5353,89
      Apr  7 00:57:38 TheFireWall filterlog: 62,16777216,,1000001584,igb0,match,block,in,4,0x0,,4,0,0,DF,17,udp,208,192.168.1.6,239.255.255.250,1901,1900,188
      Apr  7 00:57:38 TheFireWall filterlog: 62,16777216,,1000001584,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,208,192.168.1.6,255.255.255.255,1901,1900,188

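To triage logs like the ones above, here is an added example (my own code, not from the thread or from pfSense) that parses the pfSense filterlog CSV format and counts blocked flows by interface and rule tracker ID. Run over a subset of the lines quoted in the post, it shows the echo requests and the DHCP server-to-client packet (UDP 67 to 68) being dropped on bridge0 rather than on a member interface, which is the detail to compare against the interface the any-to-any rules were placed on. The field layout follows pfSense's documented raw filter log format; the sample lines are copied from the post.

```python
"""Parse pfSense filterlog lines and summarise blocked flows per interface/rule."""
import re
from collections import Counter, namedtuple

# Constructed sample: a subset of the filterlog lines quoted in the post above.
SAMPLE_LOG = """\
Apr  7 00:54:43 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19001,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,182764
Apr  7 00:54:44 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,19017,0,DF,1,icmp,84,192.168.2.10,192.168.2.12,request,13030,182864
Apr  7 00:54:45 TheFireWall filterlog: 7,16777216,,1000000101,igb0,match,block,in,4,0x0,,64,19954,0,none,17,udp,710,169.254.1.172,255.255.255.255,21302,21302,690
Apr  7 00:57:32 TheFireWall filterlog: 90,16777216,,1428361429,igb3,ip-option,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.2.13,224.0.0.22,datalength=16
Apr  7 00:57:32 TheFireWall filterlog: 9,16777216,,1000000103,bridge0,match,block,in,4,0x0,,64,0,0,DF,17,udp,317,192.168.2.12,192.168.2.13,67,68,297
Apr  7 00:57:38 TheFireWall filterlog: 5,16777216,,1000000003,igb0,match,block,in,6,0x00,0xf79b3,255,UDP,17,89,fe80::806:349d:ccb9:1b96,ff02::fb,5353,5353,89
"""

# detail = destination port for tcp/udp, otherwise the first protocol-specific field (e.g. icmp type)
Entry = namedtuple("Entry", "tracker iface action proto src dst detail")

def parse_line(line):
    """Return an Entry for one filterlog line, or None if the line is not a filterlog record."""
    m = re.search(r"filterlog: (.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    # common prefix: rule,sub-rule,anchor,tracker,interface,reason,action,direction,ip-version
    tracker, iface, action, ver = f[3], f[4], f[6], f[8]
    if ver == "4":   # tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst,...
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    else:            # class,flow-label,hop-limit,proto-text,proto-id,length,src,dst,...
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    proto = proto.lower()
    detail = rest[1] if proto in ("tcp", "udp") and len(rest) > 1 else (rest[0] if rest else "")
    return Entry(tracker, iface, action, proto, src, dst, detail)

def blocked_summary(log_text):
    """Count blocked flows keyed by (iface, tracker, proto, src, dst, detail); passes are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and e.action == "block":
            counts[(e.iface, e.tracker, e.proto, e.src, e.dst, e.detail)] += 1
    return counts

if __name__ == "__main__":
    for key, n in blocked_summary(SAMPLE_LOG).most_common():
        print(n, *key)
```

The interface column tells you whether the bridge or a member interface did the filtering, and on the firewall itself the tracker ID can be matched to the rule that produced the block by searching for it in the output of `pfctl -vvsr`.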
doktornotor:

        I won't comment on bridging nor debug it, good luck. For your DHCP relay issue, see https://redmine.pfsense.org/issues/4558

jahonix:

Bridging interfaces is not considered good practice. Better get a cheap switch, which does it better.
          Other than that you would have to tweak some advanced settings to shift filtering to the bridge instead of the native interfaces (which probably is one of your problems).

iTestAndroid:

            @doktornotor:

            I won't comment on bridging nor debug it, good luck. For your DHCP relay issue, see https://redmine.pfsense.org/issues/4558

            So @jahonix and @doktornotor

So what should I do? Here is more explanation of my situation.

So you say that bridging is not good. OK. I'm going to remove bridging. How can I use the other 2-3 free interfaces? I will connect a switch to LAN and all ethernet cables will go into the switch, but what about OPT1 and OPT2? Can I have different IP addresses on those two and let a computer connected to OPT1 see a computer connected to the switch which is connected to LAN?

Also, why does it block my Wifi (DD-WRT) administration page? Because of bridging, you think?

            Thank you!

jahonix:

              Your pfSense IP on LAN is 192.168.2.1 (/24).
              Opt1 can be something like 10.0.1.1/24 and Opt2 maybe 192.168.3.1/24 - this means different subnets. Just leave them unconnected until you need them (and don't wire them to the same switch LAN is connected to!).

              I don't know about DD-WRT. It needs to be configured correctly and hooked up accordingly. That's your part.

Guest:

                So you say that bridging is not good.

                Bridge if you must, but route if you can!
As already considered, a small switch would do the job better!
                Netgear GS105E-200EUS ~35 € - 5 GB LAN Ports
                Netgear GS108E-200EUS ~45 € - 8 GB LAN Ports
                Netgear GS108T-200EUS ~70 € - 8 GB LAN Ports Webinterface, LAG, VLAN, ACLs,…
                D-Link DGS1510-20 ~200 € - 20 GB LAN, 2 SFP & 2SFP+ Ports, Layer3 feature set

heper:

                  netgear switches are evil :)

jahonix:

                    I DID shut-up. But it was demanding…  8)
