Internet goes wired after implementing pfSense



  • Hi all,

    I have been surfing around this forum since I installed pfSense. It is so powerful, yet a bit confusing to me.

    It's installed on an HP Compaq D530.

    I am a total newbie to Linux and BSD, with limited knowledge about networking, so some of the terms are strange to me. I hope I can learn something from you guys!

    The structure is like this:

    WAN [public IP]
    |  |
    |  |
    |  +-- LAN [192.168.2.0/24]
    |
    +---- OPT1 [192.168.10.0/24]

    I have several doubts regarding firewall rules; could someone give me a hint, please?

    1. In order to let machines on LAN and OPT1 ping/see each other, what should I write in the firewall rules? One printer is sitting in the OPT1 subnet and everyone needs to use it.

    2. After installing pfSense, I can't access MSN, even though the UPnP status shows the following:

    | Port  | Protocol | Internal IP   | Description                             |
    |-------|----------|---------------|-----------------------------------------|
    | 54515 | udp      | 192.168.2.150 | MsnMsgr (192.168.2.150:12778) 54515 UDP |
    | 51190 | udp      | 192.168.2.10  | MsnMsgr (192.168.2.10:13413) 51190 UDP  |

    However, at the same time, Google Talk and Skype have no problem going online.

    Besides MSN, some web sites cannot be accessed either, and I am sure they are all up; for instance, eBay and my ISP's webmail. But I can ping them.

    All firewalls on the local machines are turned off, so I suspect it is because of pfSense.

    Thanks for looking at this! And please give me a hand!

    Aldo



  • Regarding the connection issues to some sites and maybe MSN: maybe you need to lower the MTU at Interfaces > WAN. What kind of connection do you have at WAN? Do you have the imspector package installed?

    Regarding the firewall rules:

    Rules are always applied on incoming traffic. This means that if you want the LAN clients to be able to access the OPT1 clients, the firewall rule has to go on the LAN tab. The default LAN-to-any rule will already take care of that, as it allows the LAN subnet to go anywhere (unless you have modified it or added other rules on top of it). The reverse direction for this connection (OPT1 to LAN) will be handled by the state that gets created, but only if the connection was established from LAN to OPT1.

    In the default config OPT1 is not able to go anywhere, as there are no firewall rules on that interface. For just having a printer on OPT1 that should be reachable from LAN, this should be enough though. If you want to be able to establish connections from OPT1 to LAN or WAN, you need a rule on the OPT1 tab too.

    Also note that rules are applied on first match (from the top to the bottom of the list). Below all the rules there is an invisible block-all rule, so everything not explicitly allowed will be blocked. What firewall rules you want to have on LAN and OPT1 basically depends on your needs (OPT1 could be a DMZ, for example, or you want to firewall OPT1 against LAN but give OPT1 access to WAN, or whatever).



  • Hi Hoba,

    Thanks for replying!

    I am on an ADSL connection with a bridged modem connected to the WAN interface.

    The MSN connection issue happened right after pfSense was installed, both before and after installing the imspector package. The following pictures show the log and settings:

    [image: imspector_log]

    [image: imspector_settings]

    About the firewall rules between LAN and OPT1:

    The default rule on LAN is enabled: allow any protocol from the LAN subnet to any destination, any port. And I made the same rule at the top of the OPT1 interface, only with the source set to the OPT1 subnet.


    I have one machine on LAN [192.168.2.10] trying to ping a machine on OPT1 [192.168.10.199]. All I get is 'request timeout'. However, on the Diagnostics: Show States page, I can see the following just after I did that ping:

    Well, there is still a lot to learn!

    Thanks again for your help!

    Aldo

    P.S.

    However, I can ping the OPT1 interface from LAN, but not the machine behind it.

    I guess it is the router [Linksys WRT54G] blocking the ICMP packets?



  • And the reason that I said 'wired' was because some web pages cannot be loaded in some circumstances…

    One typical example is ebay.com.au (I am from Sydney).

    The main pages are only displayed correctly in Firefox. When I tried to use IE, it said HTTP 408/409:

    This error (HTTP 408 Request Timeout or HTTP 409 Conflict) means that the server took too long to display the page or there were too many people requesting the same webpage.

    IE 7.0.5730.13

    And I am not able to log in to my eBay pages in either IE or Firefox.

    When I checked the URL, the login page should be https://signin.ebay.com.au/; it just kept loading until the request timed out.

    Also the 'My eBay' page: it was trying to get http://my.ebay.com.au/ws/eBayISAPI.dll

    Was it because of HTTPS or the eBayISAPI.dll?



  • Go to Interfaces > WAN and try to reduce your MTU. Try a value of 1472. If you still have issues with some pages, try to reduce it even more. You could also try a value of 1400 to begin with, just to see if this is the cause of the issue. PPPoE usually has an MTU of 1492, but under some circumstances it has to be even lower (depending on your ISP's network). The closer you are to 1492, the bigger the packets that go through the line can be.

    Your firewall rules are tcp/udp; ping is protocol ICMP. Change the rules to read "any" protocol instead of tcp/udp.
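As an added illustration (not pfSense code, and not from anyone in this thread), the following Python model replays Hoba's explanation of the LAN/OPT1 rules: first-match evaluation on the ingress tab, the invisible block-all at the bottom, a state that covers the reply direction, and a tcp/udp rule that does not match an ICMP ping. The subnets are the ones from the thread; 192.168.2.10, 192.168.2.150 and 192.168.10.199 are used as sample endpoints.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the behaviour described in the thread: rules are checked
# on the interface where a packet ENTERS, first match wins, an invisible
# "block all" sits below every tab, and a pass creates a state for replies.
LAN = ip_network("192.168.2.0/24")
OPT1 = ip_network("192.168.10.0/24")

@dataclass
class Rule:
    proto: str              # "any", "icmp", or "tcp/udp" (the pfSense preset)
    src: object             # ip_network or "any"
    action: str = "pass"

    def matches(self, proto, src):
        if self.proto != "any" and proto not in self.proto.split("/"):
            return False
        return self.src == "any" or ip_address(src) in self.src

class Firewall:
    def __init__(self, tabs):
        self.tabs = tabs        # interface name -> ordered rule list
        self.states = set()     # (proto, src, dst) of passed connections

    @staticmethod
    def ingress(src):
        ip = ip_address(src)
        return "lan" if ip in LAN else "opt1" if ip in OPT1 else "wan"

    def process(self, proto, src, dst):
        """Return 'pass' or 'block' for one packet entering the firewall."""
        if (proto, src, dst) in self.states or (proto, dst, src) in self.states:
            return "pass"       # an existing state covers both directions
        for rule in self.tabs.get(self.ingress(src), []):
            if rule.matches(proto, src):
                if rule.action == "pass":
                    self.states.add((proto, src, dst))
                return rule.action
        return "block"          # the invisible block-all rule at the bottom

def scenario(opt1_rules):
    """Default LAN-to-any rule only, plus whatever is on the OPT1 tab."""
    fw = Firewall({"lan": [Rule("any", LAN)], "opt1": opt1_rules})
    return {
        "lan_ping_request": fw.process("icmp", "192.168.2.10", "192.168.10.199"),
        "opt1_ping_reply": fw.process("icmp", "192.168.10.199", "192.168.2.10"),
        "opt1_new_ping": fw.process("icmp", "192.168.10.199", "192.168.2.150"),
        "opt1_new_tcp": fw.process("tcp", "192.168.10.199", "192.168.2.150"),
    }
```

With an empty OPT1 tab the ping reply still passes on state while any new connection from OPT1 is blocked; with a tcp/udp rule on OPT1, TCP from OPT1 passes but an OPT1-initiated ping is still blocked.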



  • YEA! Now they all work after changing the MTU to 1472 instead of the default 1500 from my ISP.

    Cheers and Thanks!  ;D ;D
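An added example, not from the thread or from pfSense: a small Python model of the "don't fragment" ping probe that finds the path MTU by binary search, showing why 1472 is the largest ping payload that fits a 1500-byte MTU and why a PPPoE link (1492) breaks larger packets. The path and its link MTUs are constructed; a real probe would send pings with the DF bit set (for example `ping -M do -s <payload>` on Linux).

```python
# Constructed model: the path is a list of link MTUs, and a DF-marked packet
# only gets through if it fits the smallest link. Real routers should answer
# with ICMP "fragmentation needed"; when that message is filtered, the sender
# never learns the limit and large responses (login pages, for instance) hang.
IP_HEADER = 20      # IPv4 header without options, bytes
ICMP_HEADER = 8     # ICMP echo header, bytes

def make_df_probe(link_mtus):
    """Return probe(payload) -> bool, simulating ping with DF set."""
    bottleneck = min(link_mtus)
    def probe(payload):
        return IP_HEADER + ICMP_HEADER + payload <= bottleneck
    return probe

def largest_ping_payload(mtu):
    """The ping -s value that still fits one frame (1472 for an MTU of 1500)."""
    return mtu - IP_HEADER - ICMP_HEADER

def find_path_mtu(probe, lo=576, hi=1500):
    """Largest packet size in [lo, hi] the probe passes, or None if even lo fails."""
    lo_payload = largest_ping_payload(lo)
    hi_payload = largest_ping_payload(hi)
    if not probe(lo_payload):
        return None
    while lo_payload < hi_payload:          # invariant: probe(lo_payload) is True
        mid = (lo_payload + hi_payload + 1) // 2
        if probe(mid):
            lo_payload = mid
        else:
            hi_payload = mid - 1
    return lo_payload + IP_HEADER + ICMP_HEADER

if __name__ == "__main__":
    pppoe_path = [1500, 1492, 1500]         # Ethernet, PPPoE link, Ethernet
    print(find_path_mtu(make_df_probe(pppoe_path)))   # 1492
```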

