Help - PFsense is not blocking traffic to a specific IP

luismoed · Jan 10, 2016, 1:01 AM

Hi,

I think I am likely doing something wrong, but i cannot find the root cause.
I do have a few interfaces up and running, my main intention is to block users to access the PFsense webgui (and ssh).
I followed the tutorial to block access to "this firewall" which effectively block access to the PFS.
the problem is, people can still access it from another subnet.
In my case:
subnet 192.168.10.0/24 –> LAN interface --> 192.168.10.1 is the PFSense IP address on this interface
subnet 192.168.20.0/24 --> WLAN interface --> 192.168.20.1 is the PFSense IP address on this interface
subnet 192.168.30.0/24 --> BTTV interface --> 192.168.30.1 is the PFSense IP address on this interface

I can effective manage all users from LAN (192.168.10.1) to have access PFS on the address 192.168.10.1 blocked (rejected), but all of them can access PFsense on 192.168.20.1 or X.X.30.1
Likewise, I can block all users from X.X.20.0/24 from access X.X.20.1, but all of them can access, X.X.10.1 or X.X.30.1. and so on all other interfaces...
Also, what is even more strange to me, I do have rules to block access the traffic between the networks, so some user on X.X.10.0/24, cannot access anyone on X.X.20.0/24 or X.X.30.0/24, EXCEPT for the PFS IP.
I even tried to deliberately block THE IP address 192.168.30.1 on the source network (for example the WLAN - X.X.20.0/24), but the clients are still able to log on PFS (on the 192.168.30.1), even if the IP is namely blocked and on the very 1st line of the config.
everything else is working as intend.

I do have squid and squidguard installed, but i am not sure if they would influence this at all....

any ideas/hints?

thanks!

P.S. in time, I just did a test, and tried to access my WAN IP address... guess what... I CAN CONNECT THERE (and have the PFsense login page prompted) when the traffic started on the network (PFsense is also the PPPoE to BT), but once I tried to connect from an outside network (thankfully) the traffic is blocked...

mer · Jan 10, 2016, 12:01 PM

Screenshots of firewall rules for all defined interfaces (don't forget any floating rules) would help.
If you are trying this with traffic already established, it may be passing because of state information. Under Diagnostics->show states, there is a "reset states" that will clear existing states. That may help.

johnpoz · Jan 10, 2016, 12:37 PM

Rules are evaluated from the top down on the interface the traffic would enter pfsense.

If you want to block access to pfsense interfaces, then use the firewall alias in the dropdown.

Example, my wlan guest can ping the interface to validate they are connected. But other than that they can not talk to any IP at all on pfsense, be it wan, lan, whatever. Then they can talk to any IP they want as long as its not an rfc1918 address.. ie they the internet.

And yes a screenshot of your rules would be most helpful.

luismoed · Jan 12, 2016, 8:27 PM

Hi,

thanks for the initial input.
PLease have a look on the FW rules.
to make clear: LAN = 192.168.10.0/24 , wireless - 192.168.20.0/24

any ideas?

thanks again!

luismoed · Jan 12, 2016, 4:57 PM

Anyone? Any idea?
HELP :) !

KOM · Jan 12, 2016, 8:07 PM

John basically told you what to do. Add a firewall rule at the top on each interface that blocks access to This Firewall. Rules are processed top-down, first-match. He has an allow rule on top to allow pinging. Next is the block for pfSense and last is an allow for everything non-private.

luismoed · Jan 12, 2016, 9:34 PM

EDIT:
It is working NOW, but i had to open the port 53 (UDP) in order to have DNS working.

thank you all

–------------------------------------------------

OPS!!!!
I miss it. I haven't paid enough attention to the first sentence!
Rules are evaluated from the top down on the interface the traffic would enter pfsense.""

It is working now!

thank you all for the help!:)