Netgate Discussion Forum
    NOOB Limit OPT interface access to WAN

    Firewalling
jtaylor-ts

I am sure that I'm just missing something here. I am new to pfsense, and don't have much experience with firewalls in general, but here's the problem I'm having.

      I have 3 interfaces.

      WAN - DHCP Cable Modem
      LAN - 172.30.1/24 Wired Lan
      OPT1 - 10/24 Old 802.11b WAP

      I would like to limit OPT1 to allow only HTTP/HTTPS/SSH to WAN, SSH and RDP to LAN. I want to let my neighbor use it to browse the web, let my wife RDP from her laptop to the desktop, and let me hit my SSH server in the LAN and at Work. I can't seem to limit OPT1. I have spent hours googling and reading the forum to no avail. Maybe I just don't know what to search for.

      Anyway, I enabled OPT1, assigned it an IP, turned on DHCP. Then I went into Firewall Rules and added an entry in OPT1 to allow access everywhere. That seems to work fine.

Then I deleted that rule and added rules to allow TCP 80 and TCP 443 to WAN address. Unable to reach google, yahoo, etc. So I figured maybe I needed to add DNS (even though DNS Forwarder is on), so I added a rule to allow UDP 53 to everywhere. Still nothing.

      I've tried everything I can think of. I manually created NATs for the two networks. I reset the config and did it again from scratch. I've reset the state table. Nothing works.

      Am I missing something? Any input would be appreciated.

NAT:
WAN 172.30.1.0/24 * * * * NO
WAN 10.0.0.0/24 * * * * NO

Firewall Rules: OPT1 (Works)
Proto  Source    Port  Destination  Port           Gateway
*      OPT1 net  *     *            *              *

Firewall Rules: OPT1 (Doesn't work)
Proto  Source    Port  Destination  Port           Gateway
TCP    OPT1 net  *     WAN address  80 (HTTP)      *
TCP    OPT1 net  *     WAN address  443 (HTTPS)    *
UDP    OPT1 net  *     *            53 (DNS)       *

Firewall Rules: OPT1 (Untested)
Proto  Source    Port  Destination  Port           Gateway
TCP    OPT1 net  *     LAN subnet   3389 (MS RDP)  *
TCP    OPT1 net  *     *            22 (SSH)       *

      pfsense Server: Old Dell Optiplex, P4 1Ghz, 256MB, 20GB, installed to disk
      Test Client: Toshiba Tecra 8200 running Xubuntu (Gutsy or Hardy, not sure which CD is in)

GruensFroeschli

        "WAN address" is exactly what it says.
        The IP of your WAN.

        Set that to any and it should work.
(unless you only want to allow access to your WAN IP ;D)

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

jtaylor-ts

          @GruensFroeschli:

          "WAN address" is exactly what it says.
          The IP of your WAN.

          Set that to any and it should work.
(unless you only want to allow access to your WAN IP ;D)

          Thank you so much. Seems to work now. That makes complete sense now. I figured I needed to specify WAN address, but what I really wanted was ! LAN subnet.

          I am such an idiot sometimes. Really appreciate the help. BTW, pfsense is fantastic. Nice job. When I convince my boss to start using it at work, I'll see if we can send a donation.

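An added example, not code from the thread or from pfSense itself, that models the point the two replies turn on: pfSense evaluates the rules of the interface a packet enters on, top to bottom, first match wins, and anything left over hits the default deny. "WAN address" is a single IP (the firewall's own WAN IP), so the "Doesn't work" set only ever matches traffic to that one host, while a destination of "! LAN subnet" matches everything except the wired LAN. The script replays the poster's rule sets against a few constructed flows. The firewall's WAN IP (203.0.113.7) and OPT1 IP (10.0.0.1), the external web server (93.184.216.34) and the LAN desktop (172.30.1.10) are assumptions, since the thread gives none of them; states, NAT, floating rules and the LAN anti-lockout rule are left out.

```python
"""Minimal model of pfSense per-interface, first-match rule evaluation.

Added example, not from the thread.  Assumed values: WAN IP 203.0.113.7,
OPT1 IP 10.0.0.1, external host 93.184.216.34, LAN desktop 172.30.1.10.
Only first-match pass/block semantics are modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Union

Selector = Union[str, ipaddress.IPv4Network, ipaddress.IPv4Address]

LAN_SUBNET = ipaddress.ip_network("172.30.1.0/24")   # from the post
OPT1_SUBNET = ipaddress.ip_network("10.0.0.0/24")    # from the post
WAN_ADDRESS = ipaddress.ip_address("203.0.113.7")    # assumption
OPT1_ADDRESS = ipaddress.ip_address("10.0.0.1")      # assumption


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    proto: str                # "tcp", "udp" or "*" for any
    src: Selector             # network, single address, or "*"
    dst: Selector
    dport: Union[int, str]    # port number or "*"
    negate_dst: bool = False  # the "not" checkbox on the destination field


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def _addr_matches(selector: Selector, addr: ipaddress.IPv4Address) -> bool:
    if selector == "*":
        return True
    if isinstance(selector, ipaddress.IPv4Network):
        return addr in selector
    return addr == selector   # a single address, e.g. "WAN address"


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "*" and rule.proto != flow.proto:
        return False
    if not _addr_matches(rule.src, flow.src):
        return False
    dst_hit = _addr_matches(rule.dst, flow.dst)
    if rule.negate_dst:
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    return rule.dport == "*" or rule.dport == flow.dport


def evaluate(rules, flow: Flow) -> str:
    """First matching rule decides; no match means the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "block"


def decide(rules, proto: str, src: str, dst: str, dport: int) -> str:
    """String-argument wrapper around evaluate() for quick checks."""
    flow = Flow(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)
    return evaluate(rules, flow)


# The poster's "Doesn't work" set: destination is the firewall's single WAN IP.
BROKEN_RULES = [
    Rule("pass", "tcp", OPT1_SUBNET, WAN_ADDRESS, 80),
    Rule("pass", "tcp", OPT1_SUBNET, WAN_ADDRESS, 443),
    Rule("pass", "udp", OPT1_SUBNET, "*", 53),
]

# The intended policy: web anywhere but the LAN, DNS to the forwarder,
# RDP only into the LAN, SSH to the LAN and to work.
FIXED_RULES = [
    Rule("pass", "tcp", OPT1_SUBNET, LAN_SUBNET, 80, negate_dst=True),
    Rule("pass", "tcp", OPT1_SUBNET, LAN_SUBNET, 443, negate_dst=True),
    Rule("pass", "udp", OPT1_SUBNET, "*", 53),
    Rule("pass", "tcp", OPT1_SUBNET, LAN_SUBNET, 3389),
    Rule("pass", "tcp", OPT1_SUBNET, "*", 22),
]

# "! LAN subnet" still includes the firewall's own OPT1 IP, so TCP 443 and 22
# to the firewall itself pass under FIXED_RULES.  A block rule placed first
# closes that; UDP 53 to the DNS forwarder on the same IP is unaffected.
HARDENED_RULES = [Rule("block", "tcp", OPT1_SUBNET, OPT1_ADDRESS, "*")] + FIXED_RULES


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES),
                        ("hardened", HARDENED_RULES)):
        print(name,
              "web:", decide(rules, "tcp", "10.0.0.50", "93.184.216.34", 443),
              "rdp:", decide(rules, "tcp", "10.0.0.50", "172.30.1.10", 3389),
              "gui:", decide(rules, "tcp", "10.0.0.50", "10.0.0.1", 443))
```

The HARDENED_RULES list is the check a practitioner would add after the fix: the anti-lockout rule only protects the LAN interface, so with "! LAN subnet" as the destination the OPT1 guests can still open the webConfigurator or SSH on the firewall's OPT1 address unless a block rule to "OPT1 address" sits above the pass rules.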
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.