RE: [pfSense Support] Allow Traffic Between Interfaces

Hi Chris,

Ordered my book. Unfortunately they ship via UPS so who knows where I will end up having to go and get it?

I hope the book is as good as the product. Thanks for all your work, pfSense is excellent and so is the support, especially considering the cost!!

Ron Lemon
Information Technology Manager, Maplewood Computing Ltd. | 800.265.3482 | www.maplewood.com

-Original Message-
From: Chris Buechler [mailto:cbuech...@gmail.com]
Sent: Sunday, September 19, 2010 5:55 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Allow Traffic Between Interfaces

On Sun, Sep 19, 2010 at 4:23 PM, Ron Lemon <r...@maplewood.com> wrote:
> David,
>
> Thanks greatly. On my LAN network I had the first rule as allow any protocol from LAN to anywhere via my ISP gateway, not via default. That was what was killing me, not sure why it was that way. I am now able to pass back and forth with no issues.
>
> You did however straighten me out on where and how rules are applied, so the next rule changes should be easier.
>
> Is there anything in pfSense that would allow me to make a group of IP addresses called GoodGuys or something, so that I can just add or remove IPs from the group to allow people in or block them out without having to add/remove rules for their IPs?

Firewall Aliases. You should really get a copy of the book. :)
http://pfsense.org/book
RE: [pfSense Support] Allow Traffic Between Interfaces

David,

Thanks greatly. On my LAN network I had the first rule as allow any protocol from LAN to anywhere via my ISP gateway, not via default. That was what was killing me, not sure why it was that way. I am now able to pass back and forth with no issues.

You did however straighten me out on where and how rules are applied, so the next rule changes should be easier.

Is there anything in pfSense that would allow me to make a group of IP addresses called GoodGuys or something, so that I can just add or remove IPs from the group to allow people in or block them out without having to add/remove rules for their IPs?

Once again thanks greatly for your assistance.

Ron

-Original Message-
From: David Burgess [mailto:apt@gmail.com]
Sent: Sunday, September 19, 2010 12:39 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Allow Traffic Between Interfaces

On Sat, Sep 18, 2010 at 10:11 PM, Ron Lemon <r...@maplewood.com> wrote:
> Hi David,
>
> I have switched the rules but I am still unable to ping 10.0.1.100 from any machine in 10.0.0.0/24

Just to be sure, I have attached (I hope it makes it through) a screenshot of the rule you should have on your LAN interface. You should have a similar one on OPT1 with the source and destinations reversed.

> I hope I have this correct now.

Looks right to me. If your firewall rule is correct and you're still receiving no ping response then you'll need to check a couple things.

1. Is the receiving host set to respond to pings? i.e., no Windows firewall preventing it?

2. Do both hosts know that pfsense is the gateway and the default route? If 10.0.1.100 receives a ping from 10.0.0.200 and wants to respond, it has to know where to route the response. Because 10.0.0.200 is not on its subnet (and you haven't given it a static route), it will send its response via the default route, so this needs to be the OPT1 interface of pfsense. If you have dhcp service enabled on OPT1 and your OPT1 hosts are getting their address via dhcp, then this is already happening.

3. If you don't want OPT1 to be the default route for the hosts on that subnet, then you must arrange static routes for those hosts, or enable outbound NAT from LAN to OPT1.

db
Re: [pfSense Support] Allow Traffic Between Interfaces

On Sun, Sep 19, 2010 at 4:23 PM, Ron Lemon <r...@maplewood.com> wrote:
> David,
>
> Thanks greatly. On my LAN network I had the first rule as allow any protocol from LAN to anywhere via my ISP gateway, not via default. That was what was killing me, not sure why it was that way. I am now able to pass back and forth with no issues.
>
> You did however straighten me out on where and how rules are applied, so the next rule changes should be easier.
>
> Is there anything in pfSense that would allow me to make a group of IP addresses called GoodGuys or something, so that I can just add or remove IPs from the group to allow people in or block them out without having to add/remove rules for their IPs?

Firewall Aliases. You should really get a copy of the book. :)
http://pfsense.org/book
[pfSense Support] Allow Traffic Between Interfaces

Hello,

I have 3 NICs in my pfSense box (LAN, WAN, OPT1). I want computers on the LAN interface (10.0.0.0/24) to be able to see 2 computers on the OPT1 interface (10.0.1.100 and 10.0.1.101, these are also /24).

On LAN interface I created PASS on LAN for ANY protocol from 10.0.1.100/32 (Single Host) on any port to network 10.0.0.0/24
On LAN interface I created PASS on LAN for ANY protocol from 10.0.1.101/32 (Single Host) on any port to network 10.0.0.0/24
On OPT1 interface I created PASS on OPT1 for ANY protocol from 10.0.0.0/24 on any port to address 10.0.1.100/32 (Single Host)
On OPT1 interface I created PASS on OPT1 for ANY protocol from 10.0.0.0/24 on any port to address 10.0.1.101/32 (Single Host)

I cannot ping 10.0.1.100 or 101 from the 10.0.0.0/24 network. What am I missing?

Thanks.
RE: [pfSense Support] Allow Traffic Between Interfaces

Hi Dave,

Thanks for the quick reply but I am kind of at a loss. Once I see it work I am certain it will make sense, but...

Right now on my firewall rules LAN tab I have:

Action: Pass
Interface: LAN
Protocol: any (I assume this also includes ICMP???)
Source: Single Host (10.0.1.100)
Destination: Network (10.0.0.0/24)
Gateway: default

To me this means that 10.0.1.100 can talk to any machine in the 10.0.0.0/24 network about anything (ping, ftp, www, ldap, etc).

On OPT1 tab I have:

Action: Pass
Interface: OPT1
Protocol: any (I assume this also includes ICMP???)
Source: Network (10.0.0.0/24)
Destination: Single Host (10.0.1.100)
Gateway: default

To me this means that any machine in the 10.0.0.0/24 network can talk to 10.0.1.100 about anything (ping, ftp, www, ldap, etc).

Are my assumptions incorrect? I am just starting to do more than simple NAT with pfSense and am finding it has a wide array of configurations, once you get your head screwed on straight.

Thanks.

-Original Message-
From: David Burgess [mailto:apt@gmail.com]
Sent: Saturday, September 18, 2010 12:05 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Allow Traffic Between Interfaces

On Sat, Sep 18, 2010 at 9:59 AM, Ron Lemon <rjle...@gmail.com> wrote:
> On LAN interface I created PASS on LAN for ANY protocol from 10.0.1.100/32 (Single Host) on any port to network 10.0.0.0/24
> On LAN interface I created PASS on LAN for ANY protocol from 10.0.1.101/32 (Single Host) on any port to network 10.0.0.0/24

Looks like your from addresses need to be to addresses.

db
Re: [pfSense Support] Allow Traffic Between Interfaces

On Sat, Sep 18, 2010 at 8:54 PM, Ron Lemon <r...@maplewood.com> wrote:
> Action: Pass
> Interface: LAN
> Protocol: any (I assume this also includes ICMP???)
> Source: Single Host (10.0.1.100)
> Destination: Network (10.0.0.0/24)
> Gateway: default
>
> To me this means that 10.0.1.100 can talk to any machine in the 10.0.0.0/24 network about anything (ping, ftp, www, ldap, etc).

Almost. In your original post you said that 10.0.1.100 is on OPT1. pfsense's firewall rules operate on packets entering the chosen interface. The rule above doesn't do anything until you change LAN to OPT1.

> On OPT1 tab I have:
>
> Action: Pass
> Interface: OPT1
> Protocol: any (I assume this also includes ICMP???)
> Source: Network (10.0.0.0/24)
> Destination: Single Host (10.0.1.100)
> Gateway: default
>
> To me this means that any machine in the 10.0.0.0/24 network can talk to 10.0.1.100 about anything (ping, ftp, www, ldap, etc).

As you may have guessed by now, if you change OPT1 in the above rule to LAN I think you will be in business.

Note also that in your original post you didn't say whether you wanted 10.0.1.100 to talk to LAN hosts. If not, then your first rule is not wanted. (If a LAN host connects to 10.0.1.100, it will be allowed to respond, as pfsense is stateful.)

Hope that helps.

db
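A small model of the behaviour David describes above (rules match only on the interface a packet enters, and replies to an existing state pass without a rule), plus the per-rule gateway setting Ron later found was the remaining problem. This is an added illustration, not code from pfSense or from anyone in the thread; the topology is the thread's (LAN 10.0.0.0/24, OPT1 10.0.1.0/24), and the gateway name ISP_GW is a placeholder.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from the thread: LAN is 10.0.0.0/24, OPT1 is 10.0.1.0/24.
IFACES = {"LAN": ip_network("10.0.0.0/24"), "OPT1": ip_network("10.0.1.0/24")}

def iface_for(ip):
    """Interface whose subnet contains ip; None means 'somewhere beyond WAN'."""
    for name, net in IFACES.items():
        if ip_address(ip) in net:
            return name
    return None

def rule(iface, src, dst, gateway="default"):
    """A pass rule as entered on one interface tab (first match wins)."""
    return {"iface": iface, "src": ip_network(src), "dst": ip_network(dst), "gw": gateway}

def evaluate(rules, src, dst, states):
    """Return ('pass', egress_iface) or ('block', None).

    A rule only matches packets *entering* its interface; a reply to an
    existing state passes without consulting the rules (stateful filtering)."""
    if (dst, src) in states:
        return "pass", iface_for(dst)
    ingress = iface_for(src)
    for r in rules:
        if (r["iface"] == ingress and ip_address(src) in r["src"]
                and ip_address(dst) in r["dst"]):
            states.add((src, dst))
            # A non-default gateway policy-routes the matched packet out via
            # that gateway (here: WAN) instead of the normal route to dst.
            return "pass", "WAN" if r["gw"] != "default" else iface_for(dst)
    return "block", None

def demo():
    """The thread's three configurations, tried with a ping 10.0.0.200 -> 10.0.1.100."""
    wrong = [rule("LAN", "10.0.1.100/32", "10.0.0.0/24"),     # original post: tabs swapped
             rule("OPT1", "10.0.0.0/24", "10.0.1.100/32")]
    fixed = [rule("OPT1", "10.0.1.100/32", "10.0.0.0/24"),    # after David's correction
             rule("LAN", "10.0.0.0/24", "10.0.1.100/32")]
    policy = [rule("LAN", "10.0.0.0/24", "0.0.0.0/0", gateway="ISP_GW")]  # Ron's gateway rule
    out = {"wrong": evaluate(wrong, "10.0.0.200", "10.0.1.100", set())}
    st = set()
    out["fixed"] = evaluate(fixed, "10.0.0.200", "10.0.1.100", st)
    out["reply"] = evaluate(fixed, "10.0.1.100", "10.0.0.200", st)  # allowed by the state
    out["policy"] = evaluate(policy, "10.0.0.200", "10.0.1.100", set())
    return out
```

With the swapped tabs nothing matches on the ingress interface, so the ping is blocked; with the corrected tabs the request passes to OPT1 and the reply rides the state; with a gateway set on the LAN rule the ping is sent towards the ISP instead of OPT1, which is why Ron's inter-interface traffic died.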
RE: [pfSense Support] Allow Traffic Between Interfaces

Hi David,

I have switched the rules but I am still unable to ping 10.0.1.100 from any machine in 10.0.0.0/24.

Yes, I would like 10.0.1.100 to be able to initiate a conversation with machines in the 10.0.0.0/24 range.

So if 10.0.1.100 tries to ping a computer 10.0.0.200:

10.0.1.100 sends ICMP to pfSense (10.0.1.254 = OPT1) -- this happens because 10.0.0.200 is outside its subnet mask.
pfSense sees this request enter OPT1 and it says "I see a packet from 10.0.1.100 and it is destined for 10.0.0.200." It checks its rules and says "I have a rule that says OK, let it thru."
pfSense then picks up the packet from OPT1 and hands it to LAN (10.0.0.254) which sends it to 10.0.0.200.
Since 10.0.1.100 was allowed to send a packet to 10.0.0.200, this means 10.0.0.200 is allowed to send an answer back to 10.0.1.100.

I hope I have this correct now.

-Original Message-
From: David Burgess [mailto:apt@gmail.com]
Sent: Saturday, September 18, 2010 11:25 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Allow Traffic Between Interfaces

On Sat, Sep 18, 2010 at 8:54 PM, Ron Lemon <r...@maplewood.com> wrote:
> Action: Pass
> Interface: LAN
> Protocol: any (I assume this also includes ICMP???)
> Source: Single Host (10.0.1.100)
> Destination: Network (10.0.0.0/24)
> Gateway: default
>
> To me this means that 10.0.1.100 can talk to any machine in the 10.0.0.0/24 network about anything (ping, ftp, www, ldap, etc).

Almost. In your original post you said that 10.0.1.100 is on OPT1. pfsense's firewall rules operate on packets entering the chosen interface. The rule above doesn't do anything until you change LAN to OPT1.

> On OPT1 tab I have:
>
> Action: Pass
> Interface: OPT1
> Protocol: any (I assume this also includes ICMP???)
> Source: Network (10.0.0.0/24)
> Destination: Single Host (10.0.1.100)
> Gateway: default
>
> To me this means that any machine in the 10.0.0.0/24 network can talk to 10.0.1.100 about anything (ping, ftp, www, ldap, etc).

As you may have guessed by now, if you change OPT1 in the above rule to LAN I think you will be in business.

Note also that in your original post you didn't say whether you wanted 10.0.1.100 to talk to LAN hosts. If not, then your first rule is not wanted. (If a LAN host connects to 10.0.1.100, it will be allowed to respond, as pfsense is stateful.)

Hope that helps.

db