Netgate Discussion Forum
    Allow all between interfaces

Firewalling | 28 Posts | 6 Posters | 9.2k Views
Todd7912

Hi All, I am sure this is really simple but I am not having any luck. I am using the LAN interface for local LAN connections and the OPT1 interface for Wifi. I have a Ubiquiti WAP plugged in to OPT1. Both interfaces have internet access but nothing on either interface can talk to the other, with the exception of the pfSense GUI. I can access the GUI from OPT1 and LAN. It might be worth mentioning that I could not access the GUI from OPT1 until after I created a gateway for the LAN interface IP and for the OPT1 IP.

      In my firewall rules for the LAN at the top I have an allow any LAN net to OPT1 net and the OPT1 rule at the top is allow any OPT1 net to LAN net.

The LAN IP range is 192.168.2.0/24 and the OPT1 range is 10.10.10.0/24. Both interface IPs are .1 in their respective range.

      Everything I read seems to indicate that anything on either interface can talk to the other unless I create a rule telling them not to but that isn't happening, with or without the rules I created.

Todd7912

        I looked in the logs for traffic that was blocked and this is the error I have:

        "The rule that triggered this action is:

        @5(1000000103) block drop in log inet all label "Default Deny rule IPv4"

        I looked at all of my firewall rules and there is no "default deny rule IPV4"

        Any suggestions on where I should look for this?

KOM

          We can't tell what you've really done based on your text description.  Post screenshots of your rules.  The Default Deny rule is a hidden rule that you can envision being at the very bottom of the list on each interface.  Rules are processed top-down, first-match.  If no rule matches, the traffic is blocked by the Default Deny rule.  Neither LAN nor OPT1 should have a defined gateway; only WAN should have a gateway.  By default, LAN has an Allow Any rule, but subsequent interfaces must have at least one rule manually added to allow traffic.

johnpoz (LAYER 8 Global Moderator)

If you want your lan and wifi to talk to each other without rules then why did you not just plug your UAP into your lan network?

            Yes out of the box lan has a rule any any… So it would be able to talk to anything on the opt1 network... But opt1 has no rules out of the box as KOM explains.  So you would have to create rules..

Attached are some examples that might help.. My lan can do anything it wants both on ipv4 or ipv6..

But the devices on my wlan, which has some vlans as well on this physical interface, and some wired devices on this wlan network segment like printers, my unifi controller, etc.. This segment is locked down.

            Will walk through the rules.

So my iPad can do anything it wants to anywhere any any.
            Any device on wlan (192.168.2.0/24) can ping pfsense wlan interface (192.168.2.253) ipv4 or v6
            they can talk to my ntp server that is on lan segment
            they can talk dns to pfsense wlan int
            my AP can talk to pfsense for radius that is running on there per the radius package to auth wifi users.
            I then block ALL access to any other IP on the firewall, all services, etc. etc..
I then allow anything ipv4 as long as not talking to any of my local rfc1918 networks
            I then allow any ipv6 traffic as long as not to any of my ipv6 networks the /64 and /48 I have from he.net

[Attachment: rulesexample.png]

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

FlashEngineer

              Hey I tried something similar but even with your last 2 rules, the vlan cannot access WAN/internet, is there a trick on the RFC1918 alias?  Because I had to do allow * From vlan net * * *  in order to work.  So I had to explicitly block access to other vlans.

johnpoz (LAYER 8 Global Moderator)

No trick needed, did you forget the NOT? See the ! that says NOT rfc1918.. If you forget that then you would be just allowing traffic to rfc1918 space and not the internet.


FlashEngineer

                  @johnpoz:

No trick needed, did you forget the NOT? See the ! that says NOT rfc1918.. If you forget that then you would be just allowing traffic to rfc1918 space and not the internet.

                  Yeah I have the ! in front of RFC1918

                  It seems I need a rule to the interface IP?

KOM

                    Post screenshots of your rules.

                    Perhaps we could stop guessing what you're doing and see for ourselves?

FlashEngineer

This works, I need to add a rule to allow to the vlan's address in order to do anything wan related. I was trying to make an internet-only vlan.

KOM

                        What's in your rfc1918 alias?

Derelict (LAYER 8 Netgate)

                          VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

                          Don't confuse inability to resolve names with inability to pass traffic.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

johnpoz (LAYER 8 Global Moderator)

^ Exactly, you notice in my example rules I have dns open to the firewall interface in that network.

                            Clients on this segment use pfsense IP in that network as their dns.

                            What is the point of blocking traffic to vlan 13?  Is it not rfc1918 space?

You should allow what you want to the firewall, then block to firewall - because your rule that is allow ! rfc1918 is going to allow traffic to pfsense wan if it is not rfc1918

[Attachment: allowdns.png]


FlashEngineer

                              192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12

FlashEngineer

                                @Derelict:

                                VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

                                Don't confuse inability to resolve names with inability to pass traffic.

Still trying to understand the way pfsense administers DNS via the resolver or forwarder.. There was nothing like this on zeroshell, all it had was DNS static entries for each DHCP range.

                                I'm using PIA's dns servers which are defined in the General tab.  Not sure if they are pushed to the clients or not..

FlashEngineer

                                  @johnpoz:

^ Exactly, you notice in my example rules I have dns open to the firewall interface in that network.

                                  Clients on this segment use pfsense IP in that network as their dns.

                                  What is the point of blocking traffic to vlan 13?  Is it not rfc1918 space?

You should allow what you want to the firewall, then block to firewall - because your rule that is allow ! rfc1918 is going to allow traffic to pfsense wan if it is not rfc1918

                                  Was just reading this guy's blog:

                                  https://calvin.me/block-traffic-vlan-pfsense/

                                  He puts an explicit rule to block certain traffic to other vlans on his guest network.  I guess that doesn't matter when you have that rule with ! rfc1918.

                                  So for rule order, I would allow say, certain host address to allow to vlan## or to pfsense GUI (via alias I guess), then start blocking in general like the ! rfc1918 rule?

Basically one vlan is set up so it has access to WAN, and a few select hosts (say 192.168.15.203-205) can access another vlan's specific host (say 10.10.10.173); the rest should be blocked off from accessing anything else other than WAN. And of course no one can access PFgui except maybe 1 IP (my smartphone etc) or something like that. Or I guess it doesn't even have to, since I have my admin vlan to access everything anyways.

Derelict (LAYER 8 Netgate)

                                    @FlashEngineer:

                                    @Derelict:

                                    VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

                                    Don't confuse inability to resolve names with inability to pass traffic.

Still trying to understand the way pfsense administers DNS via the resolver or forwarder.. There was nothing like this on zeroshell, all it had was DNS static entries for each DHCP range.

                                    I'm using PIA's dns servers which are defined in the General tab.  Not sure if they are pushed to the clients or not..

                                    Well you kind of have to be sure. It's the thing that makes the most sense if the hosts are configured to use pfSense as their DNS server and adding that rule fixed "the internet."


Derelict (LAYER 8 Netgate)

                                      That blog is a little old. Probably 2.1.5 since he didn't use This firewall.

Here's guest access in a nutshell:

                                      Pass the local assets guest hosts need (DNS, etc)
                                      Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
                                      Pass everything else (The internet)


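Added example, not code from the thread, from pfSense or from any poster: a small Python model of the top-down, first-match evaluation with a hidden Default Deny that KOM describes, run over the two rule sets discussed here (FlashEngineer's lone "pass to ! rfc1918" rule, and Derelict's pass / reject / pass guest list). The guest VLAN interface IP 10.10.28.1, the pfSense WAN IP 203.0.113.5 and the internet host 198.51.100.10 are constructed values, not from the thread.

```python
# Added example: model pfSense's first-match rule processing and compare
# "pass to ! rfc1918" alone with Derelict's three-step guest ruleset.
from ipaddress import ip_address, ip_network

# Contents of the rfc1918 alias exactly as FlashEngineer listed them.
RFC1918 = [ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
# "This Firewall" means every pfSense interface address. Constructed values:
# the guest VLAN interface IP and the WAN IP.
THIS_FIREWALL = [ip_network("10.10.28.1/32"), ip_network("203.0.113.5/32")]


def in_any(addr, nets):
    return any(addr in net for net in nets)


# A rule is (action, dst_nets, negate_dst, dst_port). dst_nets None matches
# any destination, dst_port None any port, negate_dst True is the "!" (NOT) box.
def rule_matches(rule, dst, port):
    _action, nets, negate, dport = rule
    dst_ok = True if nets is None else (in_any(dst, nets) != negate)
    return dst_ok and (dport is None or dport == port)


def evaluate(rules, dst, port):
    """Action of the first matching rule; no match means the Default Deny."""
    dst = ip_address(dst)
    for rule in rules:
        if rule_matches(rule, dst, port):
            return rule[0]
    return "block"


# Ruleset A: only "pass from VLAN net to ! rfc1918" (what FlashEngineer tried).
ONLY_NOT_RFC1918 = [("pass", RFC1918, True, None)]

# Ruleset B: Derelict's guest access in a nutshell, in this order.
GUEST = [
    ("pass", THIS_FIREWALL, False, 53),      # DNS served by pfSense
    ("reject", THIS_FIREWALL, False, None),  # anything else to This Firewall
    ("reject", RFC1918, False, None),        # other VLANs and all local nets
    ("pass", None, False, None),             # everything else: the internet
]

if __name__ == "__main__":
    for name, rules in (("only ! rfc1918", ONLY_NOT_RFC1918), ("guest", GUEST)):
        print(name)
        print("  DNS to VLAN IP :", evaluate(rules, "10.10.28.1", 53))
        print("  pfSense WAN IP :", evaluate(rules, "203.0.113.5", 443))
        print("  other VLAN host:", evaluate(rules, "10.10.10.173", 22))
        print("  internet host  :", evaluate(rules, "198.51.100.10", 443))
```

Ruleset A blocks DNS to the VLAN IP (which is what broke "the internet") yet passes traffic to the WAN IP, exactly the gap johnpoz points out; ruleset B passes DNS, rejects the rest of the firewall and the local networks, and still reaches the internet.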
FlashEngineer

                                        That sounds good, but to confirm can one of you post a good Guest Vlan setup?  Do I really need ping to pfsense?

                                        Here's my revised setup so far for "guest".

FlashEngineer

                                          @Derelict:

                                          @FlashEngineer:

                                          @Derelict:

                                          VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

                                          Don't confuse inability to resolve names with inability to pass traffic.

Still trying to understand the way pfsense administers DNS via the resolver or forwarder.. There was nothing like this on zeroshell, all it had was DNS static entries for each DHCP range.

                                          I'm using PIA's dns servers which are defined in the General tab.  Not sure if they are pushed to the clients or not..

                                          Well you kind of have to be sure. It's the thing that makes the most sense if the hosts are configured to use pfSense as their DNS server and adding that rule fixed "the internet."

                                          Would it be possible to explain more on the DNS resolver or forwarder and how that works or what typical settings one would need on a simple home setup?  Like I mentioned before, this is what I have on Zeroshell in relation to DNS.

hda

                                            LookSee Reply#16, i.e. Allow internal to This Firewall 53 for DNS server.

                                            Server as Forwarder/cache; dispatch requests to DNS servers in System General Setup.
                                            Server as Resolver/cache; dispatch requests to "The Root Servers".

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.