LAN and OPT1 have separate subnets - but I can ping and browse both
-
I am learning pfSense.
After successfully completing the basic pfSense LAN/WAN two-interface configuration I went the next step and assigned a third interface, OPT1, to my system.
My system is configured as follows:
WAN -> em0 -> attached to my cable modem and uses DHCP
LAN -> re1 -> 192.168.1.3/24, attached to switch 1, which connects a small network composed of a server and 5 workstations
OPT1 -> re2 -> 192.168.3.3/24, attached to switch 2 and to a standalone computer
After assigning OPT1 I set NAT to use Manual Outbound NAT rule generation and enabled NAT on the WAN interface from 192.168.1.0/24 and from 192.168.3.0/24.
I then added a Firewall rule to OPT1 to allow any traffic to pass to the WAN address. I did not change original rule on the LAN interface.
I can now get internet connectivity on both networks, the one on switch 1 and the one on switch 2.
But I have one issue to resolve: from network 2 I can ping and browse systems on network 1.
From network 1 I can ping and browse systems on network 2.
Of course the reason behind using two separate interfaces and two separate subnets is to keep the two networks isolated.
How do I resolve this issue?
-
Do you have to try adding firewall block rules?
For example, on the LAN interface, block source network OPT1 net.
-
No. On OPT1 you would block destination LAN net.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
"I then added a Firewall rule to OPT1 to allow any traffic to pass to the WAN address."
That is not correct.. And you say internet is working? Are you running a proxy.. Please post your rules.. The WAN address of pfSense is not the internet ;)
If you want to block then yes you have to create block rules, or not allow.. For example you could on OPT1 create a rule that says allow any any ! LAN net; this would allow those clients to go anywhere that is not the LAN network.
And why would you create manual outbound NAT? pfSense will do that for you automatically when you create the OPT1 interface.
-
Thank you - Is this what you mean? See attached screen shot.
![pfSense.localdomain - Firewall_ Rules_ Edit.png](/public/imported_attachments/1/pfSense.localdomain - Firewall_ Rules_ Edit.png)
-
NO, it wouldn't be source on the LAN network.. It would be the dest.
Post up your LAN and OPT1 rules and we will point out what you have wrong. But I can tell you right now that with a rule on OPT1 that says WAN address as dest, if that is your only rule, nothing should be working.
-
Hi Guys,
The screen capturing the rule attached to OPT1 is attached.
Regarding automatic creation: when I "assigned" the interface the rule was not created. I had to research how to do it and add it manually.
Was pfSense designed to do that automatically? I am on 2.2.1
Thank you for your help
![pfSense.localdomain - Firewall_ Rules_ Edit OPT1.png](/public/imported_attachments/1/pfSense.localdomain - Firewall_ Rules_ Edit OPT1.png)
-
Here is the LAN rule
![pfSense.localdomain - Firewall_ Rules_ Edit LAN Rulr.png](/public/imported_attachments/1/pfSense.localdomain - Firewall_ Rules_ Edit LAN Rulr.png)
-
Read the link I posted. Ask questions after you do so.
Here it is again.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
Hi Guys,
Took a bit of time to go over the rules and think about them but I do not see the solution.
1. Logs - show no errors. Everything is working. Nothing is blocked.
2. Interface selection. Per screen shots I have one rule for the LAN, one for OPT1.
3. Rule ordering. I only set up two rules, one for each interface.
4. Protocols. I am dealing with common TCP traffic, nothing else.
5. NAT confusion: I am telling the WAN interface to translate IPs coming from 192.168.1.0/24 and 192.168.3.0 and it is doing this. This message is coming from a workstation at 192.168.1.7.
What am I missing?
-
Does your OPT1 rule still have a destination as WAN address? If so, that is wrong. That will allow OPT1 hosts to connect to the address on the WAN interface. Nothing more.
-
And here is my ARP Table
![pfSense.localdomain - Diagnostics_ ARP Table.png](/public/imported_attachments/1/pfSense.localdomain - Diagnostics_ ARP Table.png)
-
Yes, the OPT1 rule has WAN address as the destination. What is the correct setting?
-
If OPT1 clients can browse the public internet then you must have some other rule/s on OPT1. That rule passing just to WAN address will NOT give internet access.
Read some docs about Firewall Rules: https://doc.pfsense.org/index.php/Category:Firewall_Rules
Basics, Processing Order, Troubleshooting…
After teaching yourself maybe you will come back and post that you have it all sorted :)
Otherwise, post the Firewall Rules from each tab - LAN, OPT1, WAN - then we can see where you have got to and give advice.
-
How hard is it to post your rules?? And we can walk you through what you're doing wrong and how to set up what you want.
Look:
Here is LAN - anything on LAN can do whatever it wants, simple any any rules for IPv4 and IPv6.
Now on my WLAN (OPT1):
First thing is I allow my iPad to do whatever it wants.
I then allow ping to the pfSense WLAN address for testing that connectivity is working.
I then allow anything on WLAN to talk to my NTP server that is on my LAN network on that .40 IP.
I then allow anything on WLAN to talk to pf for DNS, both IPv4 and 6.
I then block anything on WLAN from talking to pfSense, other than the above allowed ICMP and DNS for both IPv4 and IPv6.
I then say (and these are like the rules you will most likely want) anything on WLAN can talk to anything they want on both IPv4 and IPv6 as long as it is NOT the LAN network (192.168.1.0/24) in my setup, where WLAN is 192.168.2.0/24.
Now my DMZ is a bit more restrictive.
I again allow ping to the pfSense DMZ address, 192.168.3.253 in my case, but only echoreq; notice the other was just ICMP any. You can get as restrictive or as open as you want.
I then allow DMZ net to talk to the pfSense DMZ address for DNS, both IPv4 and IPv6, TCP and UDP; yes, DNS can use TCP.
I then block DMZ net from talking to any other IP address on pfSense.
I then allow DMZ net to talk to anything it wants as long as it is NOT one of my IPv4 or IPv6 networks, via an alias list.
Notice how I have all my networks listed, and then the rule is NOT ! those addresses, so as long as the IP they want to go to is not in one of those networks then they can go there.
Keep in mind that rules are from the top down and first rule to trigger wins. So if your source and dest and ports match that rule will trigger. Traffic is blocked or allowed as it enters the specific interface your rules are on. Other than the floating tab that can do both in and out rules and are looked at first for ALL tabs. Most likely you will not have anything in your floating tab.
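The top-down, first-match evaluation described above, as an added example that is not code from any poster or from pfSense itself: a small Python model of interface rules with pfSense's "not" (!) destination option, run against the thread's own subnets. It compares the original single "pass to WAN address" rule on OPT1 with a "pass to anything but LAN net" rule; the pfSense WAN-side address 203.0.113.10 is an assumed placeholder, and the separate "block access to pfSense" step from the walkthrough is left out for brevity.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology mirroring the thread: LAN on 192.168.1.0/24, OPT1 on
# 192.168.3.0/24 with pfSense at 192.168.3.3. The WAN-side address of pfSense
# is an assumed placeholder; the thread never states it.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("192.168.3.0/24")
OPT1_ADDRESS = ipaddress.ip_network("192.168.3.3/32")
WAN_ADDRESS = ipaddress.ip_network("203.0.113.10/32")  # assumed placeholder


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    src: ipaddress.IPv4Network    # source network as traffic enters the interface
    dst: ipaddress.IPv4Network    # destination network
    dst_negate: bool = False      # pfSense "not" (!) checkbox on the destination
    note: str = ""


def matches(rule: Rule, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    if src not in rule.src:
        return False
    in_dst = dst in rule.dst
    return not in_dst if rule.dst_negate else in_dst


def evaluate(rules, src: str, dst: str):
    """Top-down, first matching rule wins; no match falls to the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, s, d):
            return rule.action, rule.note
    return "block", "default deny"


# The original poster's only OPT1 rule: pass OPT1 net -> WAN address.
ORIGINAL_OPT1 = [Rule("pass", OPT1_NET, WAN_ADDRESS, note="pass to WAN address only")]

# The suggested shape: reach pfSense's own OPT1 address (DNS/ping), then
# anything that is NOT LAN net; LAN-bound traffic falls to default deny.
ISOLATED_OPT1 = [
    Rule("pass", OPT1_NET, OPT1_ADDRESS, note="pass to pfSense OPT1 address"),
    Rule("pass", OPT1_NET, LAN_NET, dst_negate=True, note="pass to anything but LAN net"),
]

if __name__ == "__main__":
    for dst in ("192.168.1.7", "8.8.8.8", "203.0.113.10"):
        print(dst, evaluate(ORIGINAL_OPT1, "192.168.3.10", dst), evaluate(ISOLATED_OPT1, "192.168.3.10", dst))
```

With the original rule an OPT1 host reaches only the WAN-side address of pfSense and nothing else; with the isolated set it reaches the internet but not a LAN host such as 192.168.1.7.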
-
Thank you Guys!
I am learning a lot.
As you can see my set up is much simpler than Jonpoz's.
Please see attached screen shots and let me know what I need to change.
![pfSense.localdomain - Firewall_ Rules - LAN.png](/public/imported_attachments/1/pfSense.localdomain - Firewall_ Rules - LAN.png)
![pfSense.localdomain - Firewall_ Rules - OPT1.png](/public/imported_attachments/1/pfSense.localdomain - Firewall_ Rules - OPT1.png)
![pfSense.localdomain - Firewall_ Rules .png](/public/imported_attachments/1/pfSense.localdomain - Firewall_ Rules .png)
-
You need to READ about how the firewall rules work. Once you do this, it will all become clear.
The link has been posted at least three times in this thread.
-
Post what is in Floating rules.
There is no way that you can access the general internet with just that rule on OPT1.
-
Yes, please post your floating rules. The rule on OPT1 makes no sense; you should not be able to go anywhere from OPT1 other than the IP address of the pfSense WAN interface.
-
Hi Guys - I did not set up any floating rules. See attached screen. (I did not get to that chapter as yet. Trying to learn the basics.)
![pfSense.localdomain - Firewall_ Rules - Floating Rule.png](/public/imported_attachments/1/pfSense.localdomain - Firewall_ Rules - Floating Rule.png)