Allow all between interfaces



  • Hi All, I am sure this is really simple but I am not having any luck. I am using the LAN interface for local LAN connections and the OPT1 interface for Wifi. I have a Ubiquiti WAP plugged in to OPT1. Both interfaces have internet access but nothing on either interface can talk to the other with the exception of the pfSense gui. I can access the gui from OPT1 and LAN. It might be worth mentioning that I could not access the gui from OPT1 until after I created a gateway for the LAN interface IP and for the OPT1 ip.

    In my firewall rules for the LAN at the top I have an allow any LAN net to OPT1 net and the OPT1 rule at the top is allow any OPT1 net to LAN net.

    The LAN ip range is 192.168.2.0/24 and the OPT1 range is 10.10.10.0/24. Both interface ips are .1 in their respective range.

    Everything I read seems to indicate that anything on either interface can talk to the other unless I create a rule telling them not to but that isn't happening, with or without the rules I created.



  • I looked in the logs for traffic that was blocked and this is the error I have:

    "The rule that triggered this action is:

    @5(1000000103) block drop in log inet all label "Default Deny rule IPv4"

    I looked at all of my firewall rules and there is no "default deny rule IPV4"

    Any suggestions on where I should look for this?



  • We can't tell what you've really done based on your text description.  Post screenshots of your rules.  The Default Deny rule is a hidden rule that you can envision being at the very bottom of the list on each interface.  Rules are processed top-down, first-match.  If no rule matches, the traffic is blocked by the Default Deny rule.  Neither LAN nor OPT1 should have a defined gateway; only WAN should have a gateway.  By default, LAN has an Allow Any rule, but subsequent interfaces must have at least one rule manually added to allow traffic.


  • Rebel Alliance Global Moderator

    If you want your lan and wifi to talk to each other without rules then why did you not just plug your UAP into your lan network??

    Yes out of the box lan has a rule any any… So it would be able to talk to anything on the opt1 network... But opt1 has no rules out of the box as KOM explains.  So you would have to create rules..

    Attached are some examples that might help..  My lan can do anything it wants both on ipv4 or ipv6..

    But the devices on my wlan (which has some vlans as well on this physical interface, and there are some wired devices on this wlan network segment like printers, my unifi controller, etc.) are on a segment that is locked down.

    Will walk through the rules.

    so my IPad can do anything it wants to anywhere any any.
    Any device on wlan (192.168.2.0/24) can ping pfsense wlan interface (192.168.2.253) ipv4 or v6
    they can talk to my ntp server that is on lan segment
    they can talk dns to pfsense wlan int
    my AP can talk to pfsense for radius that is running on there per the radius package to auth wifi users.
    I then block ALL access to any other IP on the firewall, all services, etc. etc..
    I then allow anything ipv4 as long as not talking to any of my local rfc1918 networks
    I then allow any ipv6 traffic as long as not to any of my ipv6 networks the /64 and /48 I have from he.net




  • Hey I tried something similar but even with your last 2 rules, the vlan cannot access WAN/internet, is there a trick on the RFC1918 alias?  Because I had to do allow * From vlan net * * *  in order to work.  So I had to explicitly block access to other vlans.


  • Rebel Alliance Global Moderator

    No trick needed, did you forget the NOT?  See the ! that says NOT rfc1918.. If you forget that then you would be just allowing traffic to rfc1918 space and not the internet.



  • @johnpoz:

    No trick needed, did you forget the NOT?  See the ! that says NOT rfc1918.. If you forget that then you would be just allowing traffic to rfc1918 space and not the internet.

    Yeah I have the ! in front of RFC1918

    It seems I need a rule to the interface IP?



  • Post screenshots of your rules.

    Perhaps we could stop guessing what you're doing and see for ourselves?



  • This works, I need to add a rule to allow to the vlan's address in order to do anything wan related.  I was trying to make an internet only vlan



  • What's in your rfc1918 alias?


  • Netgate

    VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

    Don't confuse inability to resolve names with inability to pass traffic.


  • Rebel Alliance Global Moderator

    ^ exactly you notice in my example rules I have dns open to the firewall interface in that network.

    Clients on this segment use pfsense IP in that network as their dns.

    What is the point of blocking traffic to vlan 13?  Is it not rfc1918 space?

    You should allow what you want to the firewall, then block to firewall - because your rule that is allow ! rfc1918 is going to allow traffic to pfsense wan if it is not rfc1918




  • 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12



  • @Derelict:

    VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

    Don't confuse inability to resolve names with inability to pass traffic.

    Still trying to understand the way pfsense administers DNS via the resolver or forwarder..  There was nothing like this on zeroshell, all it had was DNS static entries for each DHCP range.

    I'm using PIA's dns servers which are defined in the General tab.  Not sure if they are pushed to the clients or not..



  • @johnpoz:

    ^ exactly you notice in my example rules I have dns open to the firewall interface in that network.

    Clients on this segment use pfsense IP in that network as their dns.

    What is the point of blocking traffic to vlan 13?  Is it not rfc1918 space?

    You should allow what you want to the firewall, then block to firewall - because your rule that is allow ! rfc1918 is going to allow traffic to pfsense wan if it is not rfc1918

    Was just reading this guy's blog:

    https://calvin.me/block-traffic-vlan-pfsense/

    He puts an explicit rule to block certain traffic to other vlans on his guest network.  I guess that doesn't matter when you have that rule with ! rfc1918.

    So for rule order, I would allow say, certain host address to allow to vlan## or to pfsense GUI (via alias I guess), then start blocking in general like the ! rfc1918 rule?

    Basically one vlan is setup so it has access to WAN, and few select hosts (say 192.168.15.203-205) can access another vlan's specific host (say 10.10.10.173),  the rest should be blocked off from accessing anything else other than WAN.  And of course no one can access PFgui except maybe 1 IP (my smartphone etc) or something like that.  Or I guess doesn't even have to since I have my admin vlan to access everything anyways.


  • Netgate

    @FlashEngineer:

    @Derelict:

    VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

    Don't confuse inability to resolve names with inability to pass traffic.

    Still trying to understand the way pfsense administers DNS via the resolver or forwarder..  There was nothing like this on zeroshell, all it had was DNS static entries for each DHCP range.

    I'm using PIA's dns servers which are defined in the General tab.  Not sure if they are pushed to the clients or not..

    Well you kind of have to be sure. It's the thing that makes the most sense if the hosts are configured to use pfSense as their DNS server and adding that rule fixed "the internet."


  • Netgate

    That blog is a little old. Probably 2.1.5 since he didn't use This firewall.

    Here's guest access in a nutshell:

    Pass the local assets guest hosts need (DNS, etc)
    Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
    Pass everything else (The internet)



  • That sounds good, but to confirm can one of you post a good Guest Vlan setup?  Do I really need ping to pfsense?

    Here's my revised setup so far for "guest".



  • @Derelict:

    @FlashEngineer:

    @Derelict:

    VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

    Don't confuse inability to resolve names with inability to pass traffic.

    Still trying to understand the way pfsense administers DNS via the resolver or forwarder..  There was nothing like this on zeroshell, all it had was DNS static entries for each DHCP range.

    I'm using PIA's dns servers which are defined in the General tab.  Not sure if they are pushed to the clients or not..

    Well you kind of have to be sure. It's the thing that makes the most sense if the hosts are configured to use pfSense as their DNS server and adding that rule fixed "the internet."

    Would it be possible to explain more on the DNS resolver or forwarder and how that works or what typical settings one would need on a simple home setup?  Like I mentioned before, this is what I have on Zeroshell in relation to DNS.




  • See Reply #16, i.e. Allow internal to This Firewall 53 for DNS server.

    Server as Forwarder/cache; dispatch requests to DNS servers in System General Setup.
    Server as Resolver/cache; dispatch requests to "The Root Servers".


  • Netgate

    You need ping if you need ping. You don't if you don't.

    I, personally, pass ping to the users' default gateway and DNS servers as a matter of courtesy in case someone clueful is trying to debug something.

    I don't know why you don't pass what you want them to access then reject any to This firewall. Then reject any to RFC1918. Then pass any.

    The only time that won't work is if you have subnets on public addresses; then you'll need another alias for those.

    I would love to see a Local subnets automatic alias like This firewall.
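The rule order that johnpoz walks through above (pass DNS and ping to the firewall interface, block everything else to the firewall, then block RFC1918, then pass the rest) and Derelict's "pass what they need, reject This firewall, reject RFC1918, pass any" are the same recipe. The script below is an added example, not code from the thread or from pfSense, that simulates pfSense's top-down, first-match evaluation over such a guest ruleset and shows why the order matters: putting the "pass to !RFC1918" rule ahead of the This firewall reject lets a guest reach the firewall's public WAN address, which is the leak johnpoz points out. The addresses (guest VLAN 192.168.28.0/24 with gateway 192.168.28.1, a second VLAN 10.10.10.0/24, WAN address 203.0.113.10) and the contents of the THIS_FIREWALL set are constructed for the example; pfSense's real "This firewall" alias is built automatically.

```python
"""First-match simulation of a pfSense-style guest VLAN ruleset (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# RFC1918 alias exactly as listed in the thread.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the "This firewall" alias: every address the firewall owns,
# including its WAN address. Assumption for this example only.
THIS_FIREWALL = {ip_address(a) for a in ("192.168.28.1", "192.168.2.253", "203.0.113.10")}
GUEST_GATEWAY = ip_address("192.168.28.1")  # guest VLAN interface address (constructed)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # ignored for icmp


@dataclass
class Rule:
    action: str     # "pass" or "reject"
    label: str
    match: Callable[[Packet], bool]


def in_rfc1918(dst: str) -> bool:
    return any(ip_address(dst) in net for net in RFC1918)


def to_firewall(dst: str) -> bool:
    return ip_address(dst) in THIS_FIREWALL


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; if nothing matches, the hidden Default Deny rule drops it."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.label
    return "block", "Default Deny rule IPv4"


def guest_rules() -> List[Rule]:
    """Recommended order: pass needed local assets, reject This firewall, reject RFC1918, pass any."""
    return [
        Rule("pass", "pass DNS to This firewall",
             lambda p: p.proto in ("udp", "tcp") and p.dport == 53 and to_firewall(p.dst)),
        Rule("pass", "pass ping to gateway",
             lambda p: p.proto == "icmp" and ip_address(p.dst) == GUEST_GATEWAY),
        Rule("reject", "reject any to This firewall", lambda p: to_firewall(p.dst)),
        Rule("reject", "reject any to RFC1918", lambda p: in_rfc1918(p.dst)),
        Rule("pass", "pass any (internet)", lambda p: True),
    ]


def misordered_rules() -> List[Rule]:
    """The order johnpoz warns about: 'pass to !RFC1918' before the This firewall reject."""
    return [
        Rule("pass", "pass DNS to This firewall",
             lambda p: p.proto in ("udp", "tcp") and p.dport == 53 and to_firewall(p.dst)),
        Rule("pass", "pass any to !RFC1918", lambda p: not in_rfc1918(p.dst)),
        Rule("reject", "reject any to This firewall", lambda p: to_firewall(p.dst)),
    ]


# Constructed sample traffic from a guest host.
SAMPLE_TRAFFIC = [
    Packet("192.168.28.50", "192.168.28.1", "udp", 53),      # DNS to the gateway
    Packet("192.168.28.50", "192.168.28.1", "tcp", 443),     # webGUI on the gateway
    Packet("192.168.28.50", "10.10.10.173", "tcp", 22),      # host on another VLAN
    Packet("192.168.28.50", "203.0.113.10", "tcp", 443),     # firewall's own WAN address
    Packet("192.168.28.50", "93.184.216.34", "tcp", 443),    # the internet
]


def audit(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (destination, action, matching rule) for every sample packet."""
    return [(p.dst, *evaluate(rules, p)) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for name, rules in (("recommended", guest_rules()), ("misordered", misordered_rules())):
        print(f"== {name} ==")
        for dst, action, label in audit(rules):
            print(f"  {dst:16} {action:7} <- {label}")
```

Run it and compare the line for 203.0.113.10 under the two rulesets: the recommended order rejects it at "reject any to This firewall", while the misordered set passes it, because a public address is not in RFC1918 and that pass rule is hit first. The empty-ruleset case returns the Default Deny label, which is the hidden rule the first poster saw in the log.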


  • Rebel Alliance Global Moderator

    With Derelict here, this is right on target

    Pass the local assets guest hosts need (DNS, etc)
    Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
    Pass everything else (The internet)

    There is never going to be a perfect setup that you can just clone because every setup is different..  If you don't understand the concepts even at a basic level and are just wanting to copy a config you're in trouble.  Maybe you should just stick with an off-the-shelf device that doesn't really even allow you control..

    Out of the box pfsense does not provide an authoritative name server, like bind can be authoritative..  dnsmasq (forwarder) and unbound (resolver) are not really meant to be authoritative for any domain.  If what you want is an authoritative name server, then install the bind package in pfsense.  Bind can then either forward or resolve.  You don't seem to understand the difference between a forwarder and a resolver??  If that is the case you're most likely going to be happy with just the forwarder.  Your clients ask pfsense for www.google.com, it forwards that to the name servers you put in the general tab.  Simple…

    edit: forwarder not resolver, edited..



  • @johnpoz:

    With Derelict here, this is right on target

    Pass the local assets guest hosts need (DNS, etc)
    Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
    Pass everything else (The internet)

    There is never going to be a perfect setup that you can just clone because every setup is different..  If you don't understand the concepts even at a basic level and are just wanting to copy a config you're in trouble.  Maybe you should just stick with an off-the-shelf device that doesn't really even allow you control..

    Out of the box pfsense does not provide an authoritative name server, like bind can be authoritative..  dnsmasq (forwarder) and unbound (resolver) are not really meant to be authoritative for any domain.  If what you want is an authoritative name server, then install the bind package in pfsense.  Bind can then either forward or resolve.  You don't seem to understand the difference between a forwarder and a resolver??  If that is the case you're most likely going to be happy with just the resolver.  Your clients ask pfsense for www.google.com, it forwards that to the name servers you put in the general tab.  Simple…

    It's a given there's never a perfect setup but I prefer starting from an example which most people use and working off from there.  Doing it from scratch I may miss a rule that should be in place.  I understand the rules but just don't know which to apply; I want to make sure the order is correct.

    Example I'm used to in ZS would be, everything is blocked between vlans but then I allow a rule for a single host or range to access another vlan's full subnet or just another single host.  There isn't any need for "allow" **** in ZS so that's a new concept to me.  Also in ZS, I don't need to allow DNS (53) in order to resolve internet addresses, since the way ZS works is with iptables, using the forwarding chain as the main filter between interfaces/vlans.  Totally different concept, hence why I just wanted an example of rules most people use, then I work off from there obviously.


  • Rebel Alliance Global Moderator

    so my example given would be a start, just leave out the ipad rule I have in place to allow my ipad to go where ever it wants.



  • @johnpoz:

    so my example given would be a start, just leave out the ipad rule I have in place to allow my ipad to go where ever it wants.

    Sounds good, so basically

    client specific rules to allow
    allow DNS
    block webui
    !RFC1918 disallows to any other local network but passes all other traffic to WAN

    In terms of blocking, are the last 2 sufficient on a guest only vlan?


  • Rebel Alliance Global Moderator

    depends!  Are there some vlans you want the guest to talk to?



  • @johnpoz:

    depends!  Are there some vlans you want the guest to talk to?

    Not for true guest, I want it basically strictly internet/wan only.  There are some vlans I would permit some limited access to certain hosts on another vlan but that's easily done with the specific allow rules placed at the top of the list correct?


  • Netgate

    Don't get wrapped around the axle about blocking the webgui. Block everything to destination This firewall after passing what they need to have access to like DNS.