NOOB Limit OPT interface access to WAN



  • I am sure that I'm just missing something here. I am new to pfsense, and don't have much experience with firewalls in general, but here's the problem I'm having.

    I have 3 interfaces.

    WAN - DHCP Cable Modem
    LAN - 172.30.1/24 Wired Lan
    OPT1 - 10/24 Old 802.11b WAP

    I would like to limit OPT1 to allow only HTTP/HTTPS/SSH to WAN, SSH and RDP to LAN. I want to let my neighbor use it to browse the web, let my wife RDP from her laptop to the desktop, and let me hit my SSH server in the LAN and at Work. I can't seem to limit OPT1. I have spent hours googling and reading the forum to no avail. Maybe I just don't know what to search for.

    Anyway, I enabled OPT1, assigned it an IP, turned on DHCP. Then I went into Firewall Rules and added an entry in OPT1 to allow access everywhere. That seems to work fine.

    Then I deleted that rule and added rules to allow TCP80 and TCP443 to WAN address. Unable to reach google, yahoo, etc. So I figured maybe I needed to add DNS (even though DNS Forwarder is on), so I added a rule to allow UDP 53 to everywhere. Still nothing.

    I've tried everything I can think of. I manually created NATs for the two networks. I reset the config and did it again from scratch. I've reset the state table. Nothing works.

    Am I missing something? Any input would be appreciated.

    NAT:
    WAN 172.30.1.0/24 * * * * NO
    WAN 10.0.0.0/24 * * * * NO

    Firewall Rules: OPT1 (Works)

    * OPT1 net * * * *

    Firewall Rules: OPT1 (Doesn't work)
    TCP OPT1 net * WAN address 80(HTTP) *
    TCP OPT1 net * WAN address 443(HTTPS) *
    UDP OPT1 net * * 53(DNS) *

    Firewall Rules: OPT1 (Untested)
    TCP OPT1 net * LAN subnet 3389(MS RDP) *
    TCP OPT1 net * * 22(SSH) *

    pfsense Server: Old Dell Optiplex, P4 1Ghz, 256MB, 20GB, installed to disk
    Test Client: Toshiba Tecra 8200 running Xubuntu (Gutsy or Hardy, not sure which CD is in)



  • "WAN address" is exactly what it says.
    The IP of your WAN.

    Set that to any and it should work.
    (unless you only want to allow access to your WAN IP ;D)



  • @GruensFroeschli:

    "WAN address" is exactly what it says.
    The IP of your WAN.

    Set that to any and it should work.
    (unless you only want to allow access to your WAN IP ;D)

    Thank you so much. Seems to work now. That makes complete sense now. I figured I needed to specify WAN address, but what I really wanted was ! LAN subnet.

    I am such an idiot sometimes. Really appreciate the help. BTW, pfsense is fantastic. Nice job. When I convince my boss to start using it at work, I'll see if we can send a donation.
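The following is an added example, not code from the thread or from pfSense: a small first-match rule evaluator in Python that reproduces the behaviour discussed above. It models the "Doesn't work" rule set (destination = WAN address) and the rule set the original poster ended up with (destination = ! LAN subnet for web, LAN subnet for RDP, any for SSH), and shows why the first blocks ordinary web traffic while the second passes it. The LAN and OPT1 subnets are the ones from the thread; the WAN IP, the OPT1 interface IP and the client/server addresses are constructed placeholders. Rule semantics are simplified (single destination port, no state, no NAT); pfSense's implicit default deny on an interface is modelled by returning "block" when no rule matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed values for the example. Subnets follow the thread; the WAN IP is a
# documentation-range placeholder and the OPT1 interface IP is assumed to be the .1.
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")
LAN_SUBNET = ipaddress.ip_network("172.30.1.0/24")
OPT1_SUBNET = ipaddress.ip_network("10.0.0.0/24")
OPT1_ADDRESS = ipaddress.ip_address("10.0.0.1")   # DNS forwarder listens here for OPT1 clients


def net(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """A single address expressed as a /32 network, like pfSense's 'WAN address' alias."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass
class Rule:
    proto: str                                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network                   # e.g. "OPT1 net"
    dst: Union[str, ipaddress.IPv4Network]       # "any" or a network (a host is a /32)
    dport: Optional[int]                         # None means any destination port
    negate_dst: bool = False                     # models the "not" checkbox: "! LAN subnet"
    action: str = "pass"


@dataclass
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if pkt.src not in rule.src:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    dst_hit = True if rule.dst == "any" else pkt.dst in rule.dst
    # "! X" matches everything that X does not (and "! any" matches nothing)
    return (not dst_hit) if rule.negate_dst else dst_hit


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; no match means the interface's implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


# The poster's "Doesn't work" set: web traffic is only allowed to the firewall's own WAN IP,
# so a packet to any real web server matches nothing and is dropped.
BROKEN = [
    Rule("tcp", OPT1_SUBNET, net(WAN_ADDRESS), 80),
    Rule("tcp", OPT1_SUBNET, net(WAN_ADDRESS), 443),
    Rule("udp", OPT1_SUBNET, "any", 53),
]

# What the poster actually wanted: web anywhere except the LAN, DNS to the forwarder on the
# OPT1 interface, RDP into the LAN, SSH to the LAN or to work. The two block rules on top are
# a caveat: "! LAN subnet" still includes the firewall's own OPT1 address, so without them an
# OPT1 host could reach the pfSense web GUI on 80/443.
RESTRICTED = [
    Rule("tcp", OPT1_SUBNET, net(OPT1_ADDRESS), 80, action="block"),
    Rule("tcp", OPT1_SUBNET, net(OPT1_ADDRESS), 443, action="block"),
    Rule("tcp", OPT1_SUBNET, LAN_SUBNET, 80, negate_dst=True),
    Rule("tcp", OPT1_SUBNET, LAN_SUBNET, 443, negate_dst=True),
    Rule("udp", OPT1_SUBNET, net(OPT1_ADDRESS), 53),
    Rule("tcp", OPT1_SUBNET, LAN_SUBNET, 3389),
    Rule("tcp", OPT1_SUBNET, "any", 22),
]

RULESETS = {"broken": BROKEN, "restricted": RESTRICTED}


def decide(ruleset: str, proto: str, src: str, dst: str, dport: int) -> str:
    """Evaluate one constructed packet from an OPT1 client against a named rule set."""
    pkt = Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)
    return evaluate(RULESETS[ruleset], pkt)


if __name__ == "__main__":
    client, web_server, lan_desktop = "10.0.0.50", "93.184.216.34", "172.30.1.20"
    for name in RULESETS:
        print(name, "web:", decide(name, "tcp", client, web_server, 443),
              "rdp:", decide(name, "tcp", client, lan_desktop, 3389),
              "lan-web:", decide(name, "tcp", client, lan_desktop, 443))
```

Running it prints `broken web: block` and `restricted web: pass` for the same packet, which is the whole difference between "WAN address" and "any" / "! LAN subnet" as a destination. The DNS rule is worth checking in the same way: if OPT1 clients are handed the OPT1 interface IP as their resolver, UDP 53 only needs to be allowed to that address rather than to any destination.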

