Firewalling certain traffic
-
So, I'm using pfSense for the sole purpose of its Captive Portal functionality. I have a LAN firewall rule which is the default LAN to Any rule. If I alter that in any way, my connectivity to the WAN -> www stops.
I have tried to limit it to TCP only and port 80 to WAN network port 80 and nothing. I have attempted various combinations of this, but nothing seems to work until I set it back to defaults. Yes, I'm applying the rule after I make changes, in case you were wondering.
My goal is to limit it to port 80 and 443 traffic only, which seems simple, but it's kicking my @$$!
Thanks in advance.
-
You do understand that you would have to allow more than 80 and 443, right? Where are you doing DNS to? So you even know what IP to talk to on 80 or 443?
The default any/any allows you to talk to pfSense for DNS. So if you wanted a minimal rule set to only allow 80 and 443, you would need a rule to also allow DNS (UDP/TCP 53) to at least your pfSense LAN interface (if you're using pfSense for DNS).
-
So, I did forget about DNS. I added its own rule:
Proto         Source  Port  Destination  Port  Gateway
IPv4 TCP/UDP  *       53    *            53    *
IPv4 TCP      *       80    *            80    *
IPv4 TCP      *       443   *            443   *
Still no joy… I'm not an expert at this stuff, as you can probably tell!
I'm using DNS forwarding, or at least it's enabled... :)
-
You mention you're using the captive portal. You have to auth to the captive portal before you can go anywhere.
I would turn off the captive portal and validate your normal rules are working, then re-enable captive portal and troubleshoot if it's not working.
https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
-
Our Captive Portal auth is a simple click-through page, accepting a EULA and that's it.
I have been testing with my Captive Portal cookie session active. The minute I enable the default rule, I can hit Google. When I turn it off, I can't hit anything but the internal admin page.
-
Post a screenshot of your LAN rules.
-
Attached a copy of LAN rules.
If I turn off the Default LAN rule at the bottom and reload my rules, I cannot get to the internet.
-
Remove the source ports - just make it, for instance, Any (*) -> 80. Same for DNS and port 443.
So your rules would be as follows:
Proto         Source  Port  Destination  Port  Gateway
IPv4 TCP/UDP  *       *     *            53    *
IPv4 TCP      *       *     *            80    *
IPv4 TCP      *       *     *            443   *
-
That's why we ask you to post what you've done not a description of what you think you've done.
-
Thank you! That suggestion seems to have worked.
Can you tell me why mapping the port to port as I had it didn't work? Is pfSense doing something I don't know about?
Thanks again!
-
To set a source port in a rule you FIRST had to click advanced THEN you had to ignore this:
Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be any).
If you don't know how TCP/IP works, then, yes, pfSense is doing something you don't know about.
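As an added illustration (not from the thread or from pfSense itself), here is a small first-match rule evaluator that replays the two rule sets above against constructed connections. A browser picks an ephemeral source port (51234 here is a made-up value), so the rules that pinned the source port to 53/80/443 never match and fall through to the implicit block, while the corrected "any source port -> 80" rules pass the same traffic.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List

ANY = None  # the "*" column in the pfSense rule table


@dataclass(frozen=True)
class Rule:
    protos: Tuple[str, ...]      # ("tcp",) or ("tcp", "udp")
    src_port: Optional[int]      # None means any source port
    dst_port: Optional[int]      # None means any destination port
    action: str = "pass"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if protocol, source port and destination port all agree."""
    return (
        pkt.proto in rule.protos
        and (rule.src_port is ANY or rule.src_port == pkt.src_port)
        and (rule.dst_port is ANY or rule.dst_port == pkt.dst_port)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the implicit default block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# The rule set as originally posted: source port pinned to the service port.
PINNED_SOURCE = [
    Rule(("tcp", "udp"), 53, 53),
    Rule(("tcp",), 80, 80),
    Rule(("tcp",), 443, 443),
]

# The corrected rule set: any source port, destination port restricted.
ANY_SOURCE = [
    Rule(("tcp", "udp"), ANY, 53),
    Rule(("tcp",), ANY, 80),
    Rule(("tcp",), ANY, 443),
]


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict under pinned-source rules, verdict under any-source rules)."""
    return evaluate(PINNED_SOURCE, pkt), evaluate(ANY_SOURCE, pkt)


if __name__ == "__main__":
    # Constructed sample: a browser connecting to a web server from an ephemeral port.
    web = Packet("tcp", 51234, 80)
    dns = Packet("udp", 40001, 53)
    print("web:", compare(web))   # ('block', 'pass')
    print("dns:", compare(dns))   # ('block', 'pass')
```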
-
Ah yes, I did ignore that part, not intentionally though… ;)
Thanks for the tutelage!
Cheers!