No internet on LAN after changing rules



  • One of our routers has each port set as a separate interface.
    Each interface has its own subnet.

    After copying the rules from another interface to the LAN, it seems to lose internet access.
    The machines (windows) indicate they have internet access, yet they can't actually reach the internet.
    Can anyone suggest a fix?

    LAN DHCP Address: 192.168.1.1

    Rules:
    
    Allow TCP/UDP port 53 from 192.168.1.0/24 to anywhere
    Block ALL from 192.168.1.0/24 to 192.168.0.0/16  (block access to all other networks)
    Allow TCP 80 from 192.168.1.0/24 to anywhere
    Allow TCP 443 from 192.168.1.0/24 to anywhere
    
    

  • Rebel Alliance



  • I'm sorry, there was a typo in the rules as I quoted them. I fixed the typo.
    I'm confused why these rules worked on the adapters, but not the LAN?
    (I've read those links)



  • Guessing here.

    Probably this

    Block ALL from 192.168.1.0/24 to 192.168.0.0**/16**  (block access to all other networks)

    You should probably have an allow rule so the LAN can talk to PFSense.
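    The guess above, written out in pf syntax so the rule order is visible. This is an added illustration, not a rule set from the thread or from pfSense itself; the interface name `em1` and the macro names are assumptions. On pfSense the GUI generates the real rules (including the automatic ones) into /tmp/rules.debug, so this is for reading, not for hand-editing a pfSense box.

```pf
# Added example (not from the thread): the four LAN rules from the first
# post, plus the extra "LAN to firewall" rule, in pf syntax.
# pfSense renders GUI rules with "quick", so the FIRST matching rule wins,
# top to bottom. Interface and macro names are assumptions.
lan_if    = "em1"
lan_net   = "192.168.1.0/24"
private16 = "192.168.0.0/16"

# 1. DNS to anywhere. Matches DNS to the firewall at 192.168.1.1 as well.
pass  in quick on $lan_if proto { tcp, udp } from $lan_net to any port 53

# Suggested addition: let the LAN reach the firewall's own address on this
# interface. It has to sit ABOVE the block so it matches first; whether
# its absence is the actual cause is the open question in the thread.
pass  in quick on $lan_if from $lan_net to ($lan_if)

# 2. Block LAN to every other 192.168.x.x network. Note that 192.168.0.0/16
#    also contains the firewall's own LAN address, 192.168.1.1.
block in quick on $lan_if from $lan_net to $private16

# 3-4. Web to anywhere.
pass  in quick on $lan_if proto tcp from $lan_net to any port { 80, 443 }
```

    To check a file like this without loading it, `pfctl -vnf <file>` parses and prints it; `pfctl -sr` lists the rules currently loaded, which on pfSense is the way to see the automatic rules that the GUI does not display.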



  • Thanks for the input. I'll be honest, it's a bit tough setting up pfsense when the documentation is not great.

    Pfsense uses FreeBSD's Packet Filter as its base and begins with its own 'invisible' rule set outside what the user adds to the webGUI. It's tough to tell what is blockable and what's not (order of processing in pf.conf) when working with the GUI. By default I would need 53, 67<->68, and for ipv6 additional ports open for core networking to function. My other adapters are working fine without opening ports other than 53.

    Do you know if there's documentation somewhere on what's blockable and what's not? I'm also confused as to why some interfaces work without a problem, but only the LAN complains. I have 3 additional Ethernet ports that work fine.


  • LAYER 8 Netgate

    It's really not that hard.

    If a DHCP server is enabled, the DHCP packets are automatically passed.

    If IPSec is enabled, IPSec is passed.

    They seem to be getting away from automatic rules though. For instance OpenVPN server rules must be added manually.

    If you (or an automatic rule) don't pass traffic on an interface, it is blocked.

    I think everyone agrees there ought to be a way to see all automatic rules when you view an interface rule set.

    Other interfaces work fine and LAN complains because they're set up differently. It's true that there are some default rules that your first LAN interface gets on install that subsequent interfaces do not get by default, but that's the extent of it.  The interfaces behave the same. Duplicate the rules (and DHCP servers, etc.) and you'll duplicate the behavior.

    What are you trying to accomplish?



  • Thanks Derelict,

    When I first switched to pfsense my network was compromised shortly after an update was released. The attacker then used the router as a platform for attacking all networked machines, which unfortunately had NetBIOS and/or other services running. The router's webGUI was on its own empty interface and networked devices had no access to it.

    Later I did some simple testing and discovered pfsense can be identified as the router OS by remote portscan. In 2.2.3 (at least), by default pfsense's WAN interface rejects two ports, SSH (TCP 22) and another I forget off the top of my head, rather than dropping them. This was fixed by simply adding rules to block drop everything ipv4 and ipv6 in the WAN.

    I was worried the attack may have come from an infected machine on the network, thus I want to better isolate the router itself (block GUI, drop all, etc.) and networked machines (isolate each machine on its own interface). The network needs internet access of course.

    Is it more prudent to delete all automatically generated interfaces and start from scratch?


  • LAYER 8 Netgate

    by default pfsense's WAN interface rejects two ports, SSH (TCP 22) and another I forget off the top of my head

    I believe that to be false. There are no rules on WAN by default.

    I am not specifically blocking ssh on WAN and it's rejecting blocking.

    I suggest you post some evidence for your wild accusations.



  • @Derelict:

    by default pfsense's WAN interface rejects two ports, SSH (TCP 22) and another I forget off the top of my head

    I believe that to be false. There are no rules on WAN by default.

    I am not specifically blocking ssh on WAN and it's rejecting.

    I suggest you post some evidence for your wild accusations.

    I misphrased that. I meant one must specifically block drop 22 or it will reject for some reason.


  • LAYER 8 Netgate

    Doesn't do it here.  I don't specifically block 22 and it's blocked, not rejected.  Sounds like you had something hosed.



  • Damn..

    I'm curious Derelict, what procedure do you use to restore a compromised router?
    My use is residential and I lack any training in that area.

    I deleted all partitions and formatted the primary storage fresh, then reinstalled the OS. I use SD cards with USB adapters to install from.

    Maybe I should open a thread.


  • LAYER 8 Netgate

    Doubt your router was compromised but if you really want to be sure, DBAN or otherwise wipe the disk or use a new SD, download fresh, check the signatures, and reinstall.  Don't reload a backup - reconfigure the whole thing.



  • Thanks for the advice.
    It's hard to miss when a router is port scanning a machine from 1-65535 from the DHCP address. That's what happened before, that and the firewall log/syslog stopped running and wouldn't start.

    I imagine routers are a much bigger target today than normal computers are. For hackers it's like going for the money train instead of the bank teller. Except in this case the train has no passengers or guards, just locks on the doors.


  • LAYER 8 Netgate

    Post some evidence that was what was happening.  Considering you say it was answering on tcp/22 when it doesn't makes me think you were not quite sure about what you were doing when you installed it and had it configured to do so without knowing it, or were forwarding port 22 inside and that device was rejecting the connection.



  • Windows doesn't use SSH, and each machine was configured to drop all. There were no other machines online.
    SSH was off by default and no forwarding was configured in pfsense.
    Long port scans were detected in windows firewall log and by antivirus-firewall logs.

    The router has since ceased that behavior after reinstall (with 2.2.4).

    I think pfsense is a reasonably secure platform, and the web interface is great, but I'm tempted to switch to OpenBSD because the documentation is far better. What it comes down to for me is being able to see all the rules on an interface vs. ease of use.


  • LAYER 8 Netgate

    Whatever floats your boat.  You can always look at the raw pf rules outside the GUI.

    Still say you're all wet saying pfSense by default responded NAK on TCP/22.

