Netgate Discussion Forum

Allow all between interfaces

Firewalling

Todd7912

Hi All, I am sure this is really simple but I am not having any luck. I am using the LAN interface for local LAN connections and the OPT1 interface for Wifi. I have a Ubiquiti WAP plugged in to OPT1. Both interfaces have internet access, but nothing on either interface can talk to the other with the exception of the pfSense GUI. I can access the GUI from OPT1 and LAN. It might be worth mentioning that I could not access the GUI from OPT1 until after I created a gateway for the LAN interface IP and for the OPT1 IP.

In my firewall rules for the LAN, at the top I have an allow any LAN net to OPT1 net, and the OPT1 rule at the top is allow any OPT1 net to LAN net.

The LAN IP range is 192.168.2.0/24 and the OPT1 range is 10.10.10.0/24. Both interface IPs are .1 in their respective range.

Everything I read seems to indicate that anything on either interface can talk to the other unless I create a rule telling them not to, but that isn't happening, with or without the rules I created.
Todd7912

I looked in the logs for traffic that was blocked and this is the error I have:

The rule that triggered this action is:

@5(1000000103) block drop in log inet all label "Default Deny rule IPv4"

I looked at all of my firewall rules and there is no "Default Deny rule IPv4".

Any suggestions on where I should look for this?
KOM

We can't tell what you've really done based on your text description. Post screenshots of your rules. The Default Deny rule is a hidden rule that you can envision being at the very bottom of the list on each interface. Rules are processed top-down, first-match. If no rule matches, the traffic is blocked by the Default Deny rule. Neither LAN nor OPT1 should have a defined gateway; only WAN should have a gateway. By default, LAN has an Allow Any rule, but subsequent interfaces must have at least one rule manually added to allow traffic.
johnpoz LAYER 8 Global Moderator

If you want your lan and wifi to talk to each other without rules, then why did you not just plug your UAP into your lan network?

Yes, out of the box lan has a rule any any… So it would be able to talk to anything on the opt1 network... But opt1 has no rules out of the box, as KOM explains. So you would have to create rules..

Attached are some examples that might help.. My lan can do anything it wants, both on ipv4 or ipv6..

But the devices on my wlan, which has some vlans as well on this physical interface (and there are some wired devices on this wlan network segment like printers, my unifi controller, etc..): this segment is locked down.

Will walk through the rules.

So my iPad can do anything it wants to anywhere, any any.
Any device on wlan (192.168.2.0/24) can ping pfsense wlan interface (192.168.2.253), ipv4 or v6.
They can talk to my ntp server that is on lan segment.
They can talk dns to pfsense wlan int.
My AP can talk to pfsense for radius that is running on there per the radius package to auth wifi users.
I then block ALL access to any other IP on the firewall, all services, etc. etc..
I then allow anything ipv4 as long as not talking to any of my local rfc1918 networks.
I then allow any ipv6 traffic as long as not to any of my ipv6 networks, the /64 and /48 I have from he.net.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05
FlashEngineer

Hey, I tried something similar, but even with your last 2 rules the vlan cannot access WAN/internet. Is there a trick on the RFC1918 alias? Because I had to do allow * from vlan net * * * in order to work. So I had to explicitly block access to other vlans.
johnpoz LAYER 8 Global Moderator

No trick needed, did you forget the NOT? See the ! that says NOT rfc1918.. If you forget that, then you would be just allowing traffic to rfc1918 space and not the internet.
FlashEngineer

@johnpoz:

No trick needed, did you forget the NOT? See the ! that says NOT rfc1918.. If you forget that, then you would be just allowing traffic to rfc1918 space and not the internet.

Yeah, I have the ! in front of RFC1918.

It seems I need a rule to the interface IP?
KOM

Post screenshots of your rules.

Perhaps we could stop guessing what you're doing and see for ourselves?
FlashEngineer

This works; I need to add a rule to allow to the vlan's address in order to do anything WAN related. I was trying to make an internet-only vlan.
KOM

What's in your rfc1918 alias?
Derelict LAYER 8 Netgate

VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

Don't confuse inability to resolve names with inability to pass traffic.

Chattanooga, Tennessee, USA
The pfSense Book is free of charge!
DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
johnpoz LAYER 8 Global Moderator

^ Exactly. You notice in my example rules I have dns open to the firewall interface in that network.

Clients on this segment use pfsense IP in that network as their dns.

What is the point of blocking traffic to vlan 13? Is it not rfc1918 space?

You should allow what you want to the firewall, then block to firewall, because your rule that is allow ! rfc1918 is going to allow traffic to pfsense wan if it is not rfc1918.
FlashEngineer

192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
FlashEngineer

@Derelict:

VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

Don't confuse inability to resolve names with inability to pass traffic.

Still trying to understand the way pfsense administers DNS via the resolver or forwarder.. There was nothing like this on zeroshell; all it had was DNS static entries for each DHCP range.

I'm using PIA's dns servers, which are defined in the General tab. Not sure if they are pushed to the clients or not..
FlashEngineer

@johnpoz:

^ Exactly. You notice in my example rules I have dns open to the firewall interface in that network.

Clients on this segment use pfsense IP in that network as their dns.

What is the point of blocking traffic to vlan 13? Is it not rfc1918 space?

You should allow what you want to the firewall, then block to firewall, because your rule that is allow ! rfc1918 is going to allow traffic to pfsense wan if it is not rfc1918.

Was just reading this guy's blog:

https://calvin.me/block-traffic-vlan-pfsense/

He puts an explicit rule to block certain traffic to other vlans on his guest network. I guess that doesn't matter when you have that rule with ! rfc1918.

So for rule order, I would allow, say, certain host addresses access to vlan## or to the pfSense GUI (via alias I guess), then start blocking in general like the ! rfc1918 rule?

Basically one vlan is set up so it has access to WAN, and a few select hosts (say 192.168.15.203-205) can access another vlan's specific host (say 10.10.10.173); the rest should be blocked off from accessing anything else other than WAN. And of course no one can access the pfSense GUI except maybe 1 IP (my smartphone etc.) or something like that. Or I guess it doesn't even have to, since I have my admin vlan to access everything anyways.
Derelict LAYER 8 Netgate

@FlashEngineer:

@Derelict:

VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

Don't confuse inability to resolve names with inability to pass traffic.

Still trying to understand the way pfsense administers DNS via the resolver or forwarder.. There was nothing like this on zeroshell; all it had was DNS static entries for each DHCP range.

I'm using PIA's dns servers, which are defined in the General tab. Not sure if they are pushed to the clients or not..

Well, you kind of have to be sure. It's the thing that makes the most sense if the hosts are configured to use pfSense as their DNS server and adding that rule fixed "the internet."
Derelict LAYER 8 Netgate

That blog is a little old. Probably 2.1.5, since he didn't use This firewall.

Here's guest access in a nutshell:

Pass the local assets guest hosts need (DNS, etc)
Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
Pass everything else (The internet)
FlashEngineer

That sounds good, but to confirm, can one of you post a good Guest Vlan setup? Do I really need ping to pfsense?

Here's my revised setup so far for "guest".
FlashEngineer

@Derelict:

@FlashEngineer:

@Derelict:

VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

Don't confuse inability to resolve names with inability to pass traffic.

Still trying to understand the way pfsense administers DNS via the resolver or forwarder.. There was nothing like this on zeroshell; all it had was DNS static entries for each DHCP range.

I'm using PIA's dns servers, which are defined in the General tab. Not sure if they are pushed to the clients or not..

Well, you kind of have to be sure. It's the thing that makes the most sense if the hosts are configured to use pfSense as their DNS server and adding that rule fixed "the internet."

Would it be possible to explain more on the DNS resolver or forwarder and how that works, or what typical settings one would need on a simple home setup? Like I mentioned before, this is what I have on Zeroshell in relation to DNS.
hda

LookSee Reply#16, i.e. Allow internal to This Firewall 53 for DNS server.

Server as Forwarder/cache: dispatch requests to DNS servers in System General Setup.
Server as Resolver/cache: dispatch requests to "The Root Servers".
Derelict LAYER 8 Netgate

You need ping if you need ping. You don't if you don't.

I, personally, pass ping to the users' default gateway and DNS servers as a matter of courtesy in case someone clueful is trying to debug something.

I don't know why you don't pass what you want them to access, then reject any to This firewall. Then reject any to RFC1918. Then pass any.

The only time that won't work is if you have subnets on public addresses; then you'll need another alias for those.

I would love to see a Local subnets automatic alias like This firewall.
johnpoz LAYER 8 Global Moderator

With Derelict here, this is right on target:

Pass the local assets guest hosts need (DNS, etc)
Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
Pass everything else (The internet)

There is never going to be a perfect setup that you can just clone, because every setup is different.. If you don't understand the concepts even at a basic level and are just wanting to copy a config, you're in trouble. Maybe you should just stick with an off-the-shelf device that doesn't really even allow you control..

Out of the box pfsense does not provide an authoritative name server, like bind can be authoritative.. dnsmasq (forwarder) and unbound (resolver) are not really meant to be authoritative for any domain. If what you want is an authoritative name server, then install the bind package in pfsense. Bind can then either forward or resolve. You don't seem to understand the difference between a forwarder and a resolver?? If that is the case, you're most likely going to be happy with just the forwarder. Your clients ask pfsense for www.google.com, it forwards that to the name servers you put in the general tab. Simple…

edit: forwarder not resolver, edited..
FlashEngineer

@johnpoz:

With Derelict here, this is right on target:

Pass the local assets guest hosts need (DNS, etc)
Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
Pass everything else (The internet)

There is never going to be a perfect setup that you can just clone, because every setup is different.. If you don't understand the concepts even at a basic level and are just wanting to copy a config, you're in trouble. Maybe you should just stick with an off-the-shelf device that doesn't really even allow you control..

Out of the box pfsense does not provide an authoritative name server, like bind can be authoritative.. dnsmasq (forwarder) and unbound (resolver) are not really meant to be authoritative for any domain. If what you want is an authoritative name server, then install the bind package in pfsense. Bind can then either forward or resolve. You don't seem to understand the difference between a forwarder and a resolver?? If that is the case, you're most likely going to be happy with just the resolver. Your clients ask pfsense for www.google.com, it forwards that to the name servers you put in the general tab. Simple…

It's a given there's never a perfect setup, but I prefer starting from an example which most people use and working off from there. Doing it from scratch I may miss a rule that should be in place. I understand the rules but just don't know which to apply; I want to make sure the order is correct.

An example I'm used to in ZS would be: everything is blocked between vlans, but then I allow a rule for a single host or range to access another vlan's full subnet or just another single host. There isn't any need for "allow" **** in ZS, so that's a new concept to me. Also in ZS, I don't need to allow DNS (53) in order to resolve internet addresses, since the way ZS works is with iptables, using the forwarding chain as the main filter between interfaces/vlans. Totally different concept, hence why I just wanted an example of rules most people use; then I work off from there, obviously.
johnpoz LAYER 8 Global Moderator

So my example given would be a start; just leave out the iPad rule I have in place to allow my iPad to go wherever it wants.
FlashEngineer

@johnpoz:

So my example given would be a start; just leave out the iPad rule I have in place to allow my iPad to go wherever it wants.

Sounds good, so basically:

client specific rules to allow
allow DNS
block webui
!RFC1918 disallows to any other local network but passes all other traffic to WAN

In terms of blocking, are the last 2 sufficient on a guest-only vlan?
johnpoz LAYER 8 Global Moderator

Depends! Are there some vlans you want the guest to talk to?
FlashEngineer

@johnpoz:

Depends! Are there some vlans you want the guest to talk to?

Not for a true guest; I want it basically strictly internet/wan only. There are some vlans I would permit some limited access to certain hosts on another vlan, but that's easily done with the specific allow rules placed at the top of the list, correct?
Derelict LAYER 8 Netgate

Don't get wrapped around the axle about blocking the webgui. Block everything to destination This firewall after passing what they need to have access to, like DNS.
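A small first-match evaluator, added here as an example for this page; it is not pfSense's or pf's code, and pfSense's real rule compilation is more involved. It models KOM's description of top-down, first-match processing with the hidden Default Deny, then runs Derelict's guest-VLAN order (pass the local assets guests need, reject This firewall and RFC1918, pass everything else) and FlashEngineer's "pass ! rfc1918" shortcut over the flows the thread argues about. Todd's LAN/OPT1 subnets and FlashEngineer's rfc1918 alias come from the thread; the guest subnet 10.20.30.0/24, the guest client 10.20.30.15 and the WAN address 203.0.113.7 are assumed values.

```python
"""First-match rule evaluation for a pfSense interface tab.

Added example written for this page (a Python model, not pfSense or pf code).
Rules on the interface where traffic enters are checked top-down, the first
match decides, and a hidden Default Deny rule at the bottom blocks what nothing
matched. Sample data is taken from the thread (Todd's LAN 192.168.2.0/24 and
OPT1 10.10.10.0/24, FlashEngineer's rfc1918 alias, Derelict's guest order);
the guest subnet 10.20.30.0/24 and WAN address 203.0.113.7 are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALIASES = {"rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}
# Every address assigned to pfSense, i.e. what "This firewall" matches:
# LAN, OPT1, the assumed guest interface IP and the assumed WAN IP.
FIREWALL_IPS = {"192.168.2.1", "10.10.10.1", "10.20.30.1", "203.0.113.7"}

@dataclass
class Rule:
    action: str                 # "pass", "block" or "reject"
    src: str                    # CIDR, alias name or "any"
    dst: str                    # CIDR, alias name, "any" or "this_firewall"
    proto: str = "any"          # "any", "tcp", "udp", "tcp/udp", "icmp"
    dport: Optional[int] = None
    dst_not: bool = False       # the "!" (invert match) box on destination
    descr: str = ""

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def addr_matches(addr: str, spec: str) -> bool:
    """True if `addr` falls under the rule field `spec`."""
    if spec == "any":
        return True
    if spec == "this_firewall":
        return addr in FIREWALL_IPS
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in ALIASES.get(spec, [spec]))

def evaluate(rules, flow: Flow):
    """(action, label) of the first matching rule, else the hidden Default Deny."""
    for idx, r in enumerate(rules, start=1):
        if not addr_matches(flow.src, r.src):
            continue
        dst_ok = addr_matches(flow.dst, r.dst)
        if r.dst_not:               # "! rfc1918" = NOT in rfc1918
            dst_ok = not dst_ok
        if not dst_ok or (r.proto != "any" and flow.proto not in r.proto.split("/")):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action, f"@{idx} {r.descr}"
    return "block", "Default Deny rule IPv4"   # the label in Todd's log line

# Todd's starting point: LAN keeps the stock allow-any rule, OPT1 has none.
LAN_RULES = [Rule("pass", "192.168.2.0/24", "any", descr="Default allow LAN to any")]
OPT1_RULES = []

# Guest VLAN in Derelict's order: pass the local assets guests need, reject the
# rest of This firewall and RFC1918, then pass everything else (the internet).
GUEST = "10.20.30.0/24"
GUEST_RULES = [
    Rule("pass", GUEST, "this_firewall", "tcp/udp", 53, descr="DNS to pfSense"),
    Rule("pass", GUEST, "this_firewall", "icmp", descr="Ping gateway (courtesy)"),
    Rule("reject", GUEST, "this_firewall", descr="Anything else to This firewall"),
    Rule("reject", GUEST, "rfc1918", descr="Other local networks"),
    Rule("pass", GUEST, "any", descr="Internet"),
]
# The shortcut FlashEngineer began with: a single "pass to ! rfc1918" rule.
SHORTCUT_RULES = [Rule("pass", GUEST, "rfc1918", dst_not=True, descr="Pass ! rfc1918")]

def scenarios() -> dict:
    """Actions for the flows the thread argues about."""
    g, gw, wan = "10.20.30.15", "10.20.30.1", "203.0.113.7"   # assumed addresses
    def run(rules, dst, proto, port):
        return evaluate(rules, Flow(g, dst, proto, port))[0]
    return {
        # OPT1 -> LAN with an empty OPT1 tab falls through to Default Deny.
        "opt1_to_lan_no_rules": evaluate(OPT1_RULES, Flow("10.10.10.50", "192.168.2.20", "tcp", 445))[0],
        # LAN -> OPT1 passes on the stock rule; replies ride the state entry.
        "lan_to_opt1": evaluate(LAN_RULES, Flow("192.168.2.20", "10.10.10.50", "tcp", 445))[0],
        # DNS to the guest interface IP passes with the full order, but that IP
        # is RFC1918, so the shortcut never matches it: resolution dies.
        "guest_dns_full": run(GUEST_RULES, gw, "udp", 53),
        "guest_dns_shortcut": run(SHORTCUT_RULES, gw, "udp", 53),
        "guest_to_other_vlan": run(GUEST_RULES, "192.168.2.20", "tcp", 22),
        "guest_to_webgui": run(GUEST_RULES, gw, "tcp", 443),
        # johnpoz's point: the public WAN IP is not rfc1918, so the shortcut
        # passes guests to it; the This-firewall reject closes that hole.
        "guest_to_wan_ip_shortcut": run(SHORTCUT_RULES, wan, "tcp", 443),
        "guest_to_wan_ip_full": run(GUEST_RULES, wan, "tcp", 443),
        "guest_to_internet": run(GUEST_RULES, "198.51.100.9", "tcp", 443),
    }

if __name__ == "__main__":
    for name, action in scenarios().items():
        print(f"{name:26} {action}")
```

Running it prints one action per flow. Two points the thread makes in prose fall out directly: the `! rfc1918` shortcut on its own leaves DNS to the guest interface IP at Default Deny (why FlashEngineer's "internet" only worked after adding a rule to the interface address), and it passes guest traffic to a public WAN address of the firewall (johnpoz's caveat), which the explicit reject to This firewall in Derelict's order closes. The model ignores state tracking, floating rules and NAT.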