Netgate Discussion Forum

Help - PFsense is not blocking traffic to a specific IP

Category: Firewalling
7 Posts 4 Posters 3.2k Views
  • luismoed
    Jan 10, 2016, 1:01 AM

    Hi,

    I think I am likely doing something wrong, but I cannot find the root cause.
    I have a few interfaces up and running; my main intention is to block users from accessing the pfSense webGUI (and SSH).
    I followed the tutorial to block access to "This Firewall", which effectively blocks access to pfSense.
    The problem is, people can still access it from another subnet.
    In my case:
    subnet 192.168.10.0/24 --> LAN interface --> 192.168.10.1 is the pfSense IP address on this interface
    subnet 192.168.20.0/24 --> WLAN interface --> 192.168.20.1 is the pfSense IP address on this interface
    subnet 192.168.30.0/24 --> BTTV interface --> 192.168.30.1 is the pfSense IP address on this interface

    I can effectively block (reject) all users from LAN (192.168.10.1) from accessing pfSense on the address 192.168.10.1, but all of them can access pfSense on 192.168.20.1 or X.X.30.1.
    Likewise, I can block all users from X.X.20.0/24 from accessing X.X.20.1, but all of them can access X.X.10.1 or X.X.30.1, and so on for all the other interfaces...
    Also, what is even stranger to me: I do have rules to block traffic between the networks, so a user on X.X.10.0/24 cannot access anyone on X.X.20.0/24 or X.X.30.0/24, EXCEPT for the pfSense IP.
    I even tried to deliberately block THE IP address 192.168.30.1 on the source network (for example the WLAN, X.X.20.0/24), but the clients are still able to log on to pfSense (on 192.168.30.1), even though that IP is specifically blocked on the very first line of the config.
    Everything else is working as intended.

    I do have squid and squidGuard installed, but I am not sure if they would influence this at all....

    Any ideas/hints?

    Thanks!

    P.S. In the meantime I did a test and tried to access my WAN IP address... guess what... I CAN CONNECT THERE (and get the pfSense login page) when the traffic starts inside the network (pfSense is also the PPPoE client to BT), but once I tried to connect from an outside network the traffic is (thankfully) blocked...

    • mer
      Jan 10, 2016, 12:01 PM

      Screenshots of the firewall rules for all defined interfaces (don't forget any floating rules) would help.
      If you are trying this with traffic that is already established, it may be passing because of state information. Under Diagnostics -> Show States there is a "Reset States" option that will clear existing states. That may help.

      • johnpoz (LAYER 8 Global Moderator)
        Jan 10, 2016, 12:37 PM

        Rules are evaluated from the top down on the interface the traffic would enter pfSense.

        If you want to block access to pfsense interfaces, then use the firewall alias in the dropdown.

        Example: my WLAN guests can ping the interface to validate they are connected. But other than that they cannot talk to any IP at all on pfSense, be it WAN, LAN, whatever. Then they can talk to any IP they want as long as it's not an RFC 1918 address, i.e. the internet.

        And yes a screenshot of your rules would be most helpful.

        [attachment: wlanguestrules.png]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • luismoed
          last edited Jan 12, 2016, 8:27 PM (posted Jan 10, 2016, 5:44 PM)

          Hi,

          Thanks for the initial input.
          Please have a look at the FW rules.
          To be clear: LAN = 192.168.10.0/24, wireless = 192.168.20.0/24

          Any ideas?

          Thanks again!

          • luismoed
            Jan 12, 2016, 4:57 PM

            Anyone? Any idea?
            HELP  :) !

            • KOM
              last edited Jan 12, 2016, 8:07 PM (posted Jan 12, 2016, 8:04 PM)

              John basically told you what to do. Add a firewall rule at the top of each interface that blocks access to "This Firewall". Rules are processed top-down, first-match. He has an allow rule on top to allow pinging. Next is the block for pfSense, and last is an allow for everything non-private.

              • luismoed
                last edited Jan 12, 2016, 9:34 PM (posted Jan 12, 2016, 8:18 PM)

                EDIT:
                It is working NOW, but I had to open port 53 (UDP) in order to have DNS working.

                Thank you all.

                ------------------------------------------------

                Oops!!!!
                I missed it. I hadn't paid enough attention to the first sentence:
                "Rules are evaluated from the top down on the interface the traffic would enter pfSense."

                It is working now!

                Thank you all for the help! :)

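As an added illustration (not pfSense or pf code, and not any poster's configuration), the Python below models the semantics johnpoz and KOM describe: only the rules of the interface a packet enters on are consulted, top-down, first match wins, and anything unmatched falls to the implicit default deny. It uses the interface names and addresses from the first post. The "before" ruleset is a constructed guess at a configuration that produces the reported symptom (the poster's real rules were in a screenshot that is not on the page); the "after" ruleset is johnpoz's layout plus the UDP/53 pass the poster needed at the end, placed once above and once below the "This Firewall" block so the ordering point is visible. pf's state table, which mer raises, is not modelled.

```python
"""Toy model of pfSense per-interface, top-down, first-match rule evaluation.
Added illustration only: not pfSense/pf code, not any poster's rules.
Interface names/addresses are from the first post; rulesets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# interface -> (client subnet, pfSense address on that interface)
INTERFACES = {
    "LAN":  (ip_network("192.168.10.0/24"), ip_address("192.168.10.1")),
    "WLAN": (ip_network("192.168.20.0/24"), ip_address("192.168.20.1")),
    "BTTV": (ip_network("192.168.30.0/24"), ip_address("192.168.30.1")),
}
# The "This Firewall" alias: every address pfSense itself answers on.
THIS_FIREWALL = {addr for _, addr in INTERFACES.values()}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    dst: str                    # "this_firewall", "not_rfc1918", "any", or an address/CIDR
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        d = ip_address(pkt.dst)
        if self.dst == "this_firewall":
            return d in THIS_FIREWALL
        if self.dst == "not_rfc1918":
            return not any(d in net for net in RFC1918)
        if self.dst == "any":
            return True
        return d in ip_network(self.dst)


def ingress_interface(pkt: Packet) -> str:
    """Interface whose subnet owns the source address (where the packet enters)."""
    for name, (net, _) in INTERFACES.items():
        if ip_address(pkt.src) in net:
            return name
    raise ValueError(f"no interface owns {pkt.src}")


def evaluate(rulesets: dict, pkt: Packet) -> str:
    """First matching rule on the ingress interface decides; default deny."""
    for rule in rulesets.get(ingress_interface(pkt), []):
        if rule.matches(pkt):
            return rule.action
    return "block"


# Constructed "before": a block aimed at the LAN address only, on the LAN tab.
# LAN hosts cannot reach 192.168.10.1 but still reach 192.168.20.1/.30.1, and
# rules on the LAN tab never see packets that enter on WLAN or BTTV.
BEFORE = {
    "LAN":  [Rule("block", "192.168.10.1"), Rule("pass", "any")],
    "WLAN": [Rule("pass", "any")],
    "BTTV": [Rule("pass", "any")],
}


def lockdown(iface: str, dns_before_block: bool = True) -> list:
    """johnpoz's layout for one tab: ping the gateway, block everything else to
    "This Firewall", allow non-RFC1918 (internet). The UDP/53 pass is the
    exception the poster added; below the block it is never reached."""
    _, addr = INTERFACES[iface]
    ping = Rule("pass", str(addr), proto="icmp")
    dns = Rule("pass", str(addr), proto="udp", dport=53)
    block_fw = Rule("block", "this_firewall")
    internet = Rule("pass", "not_rfc1918")
    return [ping, dns, block_fw, internet] if dns_before_block else [ping, block_fw, dns, internet]


AFTER = {name: lockdown(name) for name in INTERFACES}
MISORDERED = {name: lockdown(name, dns_before_block=False) for name in INTERFACES}

if __name__ == "__main__":
    probes = [  # constructed sample traffic
        Packet("192.168.10.50", "192.168.10.1", "tcp", 443),   # LAN host -> own gateway webGUI
        Packet("192.168.10.50", "192.168.20.1", "tcp", 443),   # LAN host -> pfSense WLAN address
        Packet("192.168.20.77", "192.168.30.1", "tcp", 22),    # WLAN host -> pfSense BTTV address, SSH
        Packet("192.168.20.77", "192.168.20.1", "udp", 53),    # WLAN host -> DNS on pfSense
        Packet("192.168.20.77", "192.168.20.1", "icmp"),       # WLAN host pings its gateway
        Packet("192.168.20.77", "192.168.10.25", "tcp", 445),  # WLAN host -> LAN host
        Packet("192.168.20.77", "93.184.216.34", "tcp", 443),  # WLAN host -> internet
    ]
    for name, rs in (("BEFORE", BEFORE), ("AFTER", AFTER), ("MISORDERED", MISORDERED)):
        print(name)
        for p in probes:
            print(f"  {p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport}: {evaluate(rs, p)}")
```

Run it directly to print the verdict for each probe under the three rulesets. BEFORE reproduces the first post's complaint (a LAN host is stopped at 192.168.10.1 but walks straight in at 192.168.20.1), AFTER blocks every pfSense address from every interface while still allowing ping, DNS and internet, and MISORDERED shows why the DNS exception has to sit above the "This Firewall" block: once the block matches, the pass beneath it is never consulted.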
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.