Vlan rule with only internet no access to other vlans
-
Managed to get it to work again.
Now there is a new problem. In a vlan I have a server and the NAT loopback isn't working when activating ! rfc1918 from HOME vlan to SERVER vlan.
If I remove 192.168.99.0/24 from the alias it works again.
Proto: IPv4 TCP/UDP, Source: HOME net, Port: *, Destination: 192.168.99.11, Port: 1716 - 1718, Gateway: *, Queue: none
Fixes the problem, but it should not be like that?
-
I would suggest you either work in forum with your native language… Or provide something for us to help you.
How about post up your rules - see example I posted.. And some understanding of your network.. What address space is in use, etc..
"if i remove 192.168.99.0/24 from alias it works again"
What alias?? That is not a network that should be in a rfc1918 alias.. How are you using whatever alias in your rules?? POST THEM!!!
An alias called rfc1918 would with common sense based on the name contain the rfc1918 address space... i.e. 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 -- you putting in 1 specific /24 network doesn't seem to fit the name of the alias.
As to NAT loopback?? If you're sending traffic back into a rfc1918 address and you BLOCK then well kind of no shit it's going to be blocked huh!!
-
Now after reboot the second vlan is not working again on the internet. Can my problem be that pfSense runs on VMware ESXi 6?
HOME vlan has internet but SERVER vlan does not. See pictures of rules.
Also pfSense box: Unable to check for updates. Tried to log in to SSH and ping for internet, it answers but takes about 5 seconds to start.
-
Your default pass rule on SERVERS is TCP-only. Make it protocol any.
Your HOME rules are a perfect example why it is more logical and straightforward to BLOCK to rfc1918 then PASS to any instead of PASS to ! rfc1918. I would move rules 4 and 5 above the PASS ! rfc1918 rule.
-
So home is 192.168.1/24 and servers is 192.168.99/24?
If that is the case? Then rule 4 on home tab is completely pointless.. You do not talk to pfsense to talk to devices on your own network.
If it's the other way, then rule 5 in that tab is pointless.. Either way you have to have rules that allow traffic above your ! rfc1918 rule..
Rules are processed top down!! First rule that fires wins and the rest of the rules are not even looked at..
On a side note forwarding traffic from public internet to 3389 (remote desktop) is normally a BAD idea!! Just saying that is not secure setup at all..
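To make the two points above concrete (first matching rule wins, and a TCP-only default pass drops everything else), here is an added first-match evaluator that is not part of this thread or of pfSense itself; the rule sets, the 0.0.0.0/0 "any" destination and the host addresses are constructed from the networks mentioned in the thread.

```python
import ipaddress

# Constructed rule model: (action, protocol, destination networks, negate_dst).
# protocol "any" matches everything; negate_dst is the "!" (invert) in a pfSense rule.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY_DST = [ipaddress.ip_network("0.0.0.0/0")]
SERVERS = [ipaddress.ip_network("192.168.99.0/24")]   # SERVER vlan from the thread

def first_match(rules, proto, dst):
    """Walk the tab top-down; the first rule that matches decides the packet.
    Falling off the end is pfSense's implicit default deny."""
    dst = ipaddress.ip_address(dst)
    for action, rproto, nets, negate in rules:
        if rproto != "any" and rproto != proto:
            continue                      # protocol column does not match
        hit = any(dst in n for n in nets)
        if hit != negate:                 # negate flips the destination match
            return action
    return "block"                        # implicit default deny

# Style A (the OP's HOME tab): PASS to !rfc1918, server exception placed below it.
home_pass_not_rfc1918 = [
    ("pass", "any", RFC1918, True),
    ("pass", "any", SERVERS, False),
]
# Style B (recommended): exception first, then BLOCK rfc1918, then PASS any.
home_block_then_pass = [
    ("pass", "any", SERVERS, False),
    ("block", "any", RFC1918, False),
    ("pass", "any", ANY_DST, False),
]
# Style B with the exception misplaced BELOW the block: the block fires first.
home_misordered = [
    ("block", "any", RFC1918, False),
    ("pass", "any", SERVERS, False),
    ("pass", "any", ANY_DST, False),
]
# SERVERS tab default rule written TCP-only vs. protocol any.
servers_tcp_only = [("pass", "tcp", ANY_DST, False)]
servers_any = [("pass", "any", ANY_DST, False)]

if __name__ == "__main__":
    for name, rules in (("A", home_pass_not_rfc1918), ("B", home_block_then_pass), ("B-misordered", home_misordered)):
        print(name, "HOME->server:", first_match(rules, "tcp", "192.168.99.11"),
              "HOME->internet:", first_match(rules, "tcp", "8.8.8.8"))
    print("SERVERS tcp-only, UDP DNS out:", first_match(servers_tcp_only, "udp", "8.8.8.8"))
```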
-
> Your default pass rule on SERVERS is TCP-only. Make it protocol any.
> Your HOME rules are a perfect example why it is more logical and straightforward to BLOCK to rfc1918 then PASS to any instead of PASS to ! rfc1918. I would move rules 4 and 5 above the PASS ! rfc1918 rule.

Thank you. I almost tried to reinstall and maybe even change pfSense out for a FortiGate there. :)
Now everything works :)
-
> So home is 192.168.1/24 and servers is 192.168.99/24?
> If that is the case? Then rule 4 on home tab is completely pointless.. You do not talk to pfsense to talk to devices on your own network.
> If it's the other way, then rule 5 in that tab is pointless.. Either way you have to have rules that allow traffic above your ! rfc1918 rule..
> Rules are processed top down!! First rule that fires wins and the rest of the rules are not even looked at..
> On a side note forwarding traffic from public internet to 3389 (remote desktop) is normally a BAD idea!! Just saying that is not secure setup at all..

HOME is 192.168.5.1/24 and SERVER is 192.168.99.1/24.
But it's so strange that I need rule 5 to make it work, since I have NAT 1716 and 1717.
It's not a public network but my home network.
-
Here is the NAT.
-
> HOME is 192.168.5.1/24 and SERVER is 192.168.99.1/24.
> But it's so strange that I need rule 5 to make it work, since I have NAT 1716 and 1717.
> It's not a public network but my home network.

It is not strange at all. Your port forward is on WAN, not on HOME.
In order to pass traffic from HOME to SERVERS you need a rule on HOME that passes such traffic.
-
Ok then if 192.168.1/24 is one of your other networks then that rule makes sense.
Too early for me I guess, it looked like you were creating a rule for the local network to the local network. But you are forwarding 3389 in from your WAN, which is internet… Is it not?? So your WAN is only your own local network?? As long as public internet can not get to 3389 then you're sure..
-
> HOME is 192.168.5.1/24 and SERVER is 192.168.99.1/24.
> But it's so strange that I need rule 5 to make it work, since I have NAT 1716 and 1717.
> It's not a public network but my home network.
>
> It is not strange at all. Your port forward is on WAN, not on HOME.
> In order to pass traffic from HOME to SERVERS you need a rule on HOME that passes such traffic.

I want to pass traffic to the internet. My services are available on the internet.
-
> Ok then if 192.168.1/24 is one of your other networks then that rule makes sense.
> Too early for me I guess, it looked like you were creating a rule for the local network to the local network. But you are forwarding 3389 in from your WAN, which is internet… Is it not?? So your WAN is only your own local network?? As long as public internet can not get to 3389 then you're sure..

There are some webservers with some sites on some vlans.