
Topic: WAN, LAN + OPT1 - CORRECT WAY OF SETUP

tchadrack
WAN, LAN + OPT1 - CORRECT WAY OF SETUP
« on: November 01, 2017, 11:55:45 am »
I installed pfSense on a PC with 3 network interfaces, in the following scenario:

LAN is the private network, and its users may access the WAN using Squid (this is already working).
(WAN is the interface connected to the internet.)

Finally:

The OPT1 interface is connected to a wireless router; I am using it as an access point.

I want the clients of this access point to connect to the internet through a captive portal, while restricting them from the LAN network.

LAN and WAN are working well, but I tried to set up OPT1 and was not able to make it work.

Please, does somebody know the correct way of doing this?


hbauer
Re: WAN, LAN + OPT1 - CORRECT WAY OF SETUP
« Reply #1 on: November 01, 2017, 11:59:00 am »
Is DHCP running on OPT1, and is your access point getting an IP address?

tchadrack
Re: WAN, LAN + OPT1 - CORRECT WAY OF SETUP
« Reply #2 on: November 01, 2017, 12:45:09 pm »
Quote
Is DHCP running on OPT1, and is your access point getting an IP address?

The DHCP server is enabled on the OPT1 interface, but disabled on the access point.

The OPT1 interface has the IP 192.168.27.254/24, with DHCP enabled.

The access point is at 192.168.27.1/24, static (DHCP disabled), gateway 192.168.27.254.

This access point is a TP-Link router running OpenWrt, with this configuration:
Uptime: 4h 44m 44s
MAC-Address: F4:EC:38:xx:xx:xx
IPv4: 192.168.27.1/24
IPv6: fdd7:a463:e48a::1/60

The network cable is connected to the OPT1 interface and to one of the LAN ports of the access point.

The WiFi clients are getting IPs from the OPT1 DHCP server.


johnpoz
Re: WAN, LAN + OPT1 - CORRECT WAY OF SETUP
« Reply #3 on: November 01, 2017, 12:48:50 pm »
"The WiFi clients are getting IPs from the OPT1 DHCP server."

So you're working. So what firewall rules did you put on the OPT1 network? When you create a new interface there are no default rules like the LAN gets when you set up pfSense. You have to create the rules to allow the traffic you want to allow.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.2-RELEASE on VM esxi 6.5 (home)

tchadrack
Re: WAN, LAN + OPT1 - CORRECT WAY OF SETUP
« Reply #4 on: November 01, 2017, 01:23:58 pm »
Quote
"The WiFi clients are getting IPs from the OPT1 DHCP server."

So you're working. So what firewall rules did you put on the OPT1 network? When you create a new interface there are no default rules like the LAN gets when you set up pfSense. You have to create the rules to allow the traffic you want to allow.

This is a copy-paste from Firewall / Rules / OPT1:

Protocol   Source     Port   Destination   Port   Gateway   Queue
IPv4 *     OPT1 net   *      WAN net       *      *         none
IPv4 *     *          *      WAN net       *      *         none

But it's not working; do you know if this is correct?


hbauer
Re: WAN, LAN + OPT1 - CORRECT WAY OF SETUP
« Reply #5 on: November 01, 2017, 01:35:49 pm »
I can't test it at this moment, but I believe your OPT1 devices are not allowed to access the OPT1 gateway in the first place.

Maybe add a

IPv4 *   OPT1 net   *   OPT1 address   *   *   none

first.

Just a guess, without any experience.

tchadrack
Re: WAN, LAN + OPT1 - CORRECT WAY OF SETUP
« Reply #6 on: November 01, 2017, 01:51:46 pm »
Quote
I can't test it at this moment, but I believe your OPT1 devices are not allowed to access the OPT1 gateway in the first place.

Maybe add a

IPv4 *   OPT1 net   *   OPT1 address   *   *   none

first.

Just a guess, without any experience.

I did add this rule, but it's still not working.

I am testing from my iPhone; the address is correct:

192.168.27.108/24
router: 192.168.27.254 (pfSense - OPT1)
dns: 192.168.27.254

I can access 192.168.27.1 (OpenWrt access point) from my PC on LAN, and from my iPhone.
I can access 192.168.27.254 (pfSense) from the iPhone.
But there is no way to access the WAN from OPT1 (iPhone).

Edit: Maybe it's some misconfiguration on the OpenWrt?


« Last Edit: November 01, 2017, 02:23:36 pm by tchadrack »

tchadrack
Re: WAN, LAN + OPT1 - CORRECT WAY OF SETUP
« Reply #7 on: November 01, 2017, 02:37:58 pm »
I've made some progress:

First, I created a static route in OpenWrt, disabled the firewall, and pointed the DNS to Google.

Second, I activated the Captive Portal on pfSense on OPT1.

Now when I type www.google.com on the iPhone (OPT1) I see the captive portal login.

But when I enter the credentials, I am still unable to access the WAN.

www.google.com doesn't show up, with the error:

server stopped responding

I am able to contact the internet gateway that is connected to the WAN interface of pfSense. This was not possible before creating that static route.

Edit: After this, I added Squid to the OPT1 interface and defined 192.168.27.0/24 in allowed networks.
Then the Google page showed up.

But I still have a doubt:

Shouldn't the internet work without Squid on the OPT1 interface?
« Last Edit: November 01, 2017, 02:50:31 pm by tchadrack »

johnpoz
Re: WAN, LAN + OPT1 - CORRECT WAY OF SETUP
« Reply #8 on: November 01, 2017, 03:06:33 pm »
"Shouldn't the internet work without Squid on the OPT1 interface?"

You do not need Squid for the internet to work. I have multiple interfaces and do not even have Squid installed.

"First, I created a static route in OpenWrt,"

What??

"IPv4 *   OPT1 net   *   WAN net   *   *   none"

No, that is NOT correct. WAN net is just that: the WAN net. That would explain why it works via proxy. WAN net is not the internet; it's just the network your WAN is on. Create an ANY ANY rule on OPT1, just like your LAN, but use OPT1 net as the source network.

tchadrack
Re: WAN, LAN + OPT1 - CORRECT WAY OF SETUP
« Reply #9 on: November 01, 2017, 07:20:50 pm »
Quote
"Shouldn't the internet work without Squid on the OPT1 interface?"

You do not need Squid for the internet to work. I have multiple interfaces and do not even have Squid installed.

"First, I created a static route in OpenWrt,"

What??

"IPv4 *   OPT1 net   *   WAN net   *   *   none"

No, that is NOT correct. WAN net is just that: the WAN net. That would explain why it works via proxy. WAN net is not the internet; it's just the network your WAN is on. Create an ANY ANY rule on OPT1, just like your LAN, but use OPT1 net as the source network.

I know that WAN (Wide Area Network) net in pfSense is not the internet itself, but just a reference to the network interface card that should be connected to the internet or another wide area network.

When I said I created a static route I was not talking about pfSense, but about the OpenWrt device that I am using as an access point.

I looked at the route table of that device and saw that the gateway 192.168.1.254 was not being referenced in that table, even though I had configured it as the gateway in the LAN configuration (of the OpenWrt device).

That was the reason I created a new route manually in the route table to that gateway.

After that I created that rule, saved, and tested: the internet was not working, but it was already possible to 'see' the hosts on the WAN side (I use another router on the WAN side).

After that I enabled Squid on OPT1 and it worked.

I already know that Squid is not necessary for the internet to work, and that makes no sense to me either, but it is what happened.

Furthermore, I do not want the WiFi clients in the OPT1 net to be able to see the hosts inside the "LAN" network, but this was happening.

So to prevent it I created a new firewall rule in pfSense blocking all IPv4 and IPv6 from OPT1 to LAN, tested, and it was working as I want.

I still need to do more tests, but it seems it is working the way I want.

My only concern now is: how secure is pfSense?

tchadrack
Re: WAN, LAN + OPT1 - CORRECT WAY OF SETUP
« Reply #10 on: November 03, 2017, 12:33:50 pm »
New problem detected. As I said, the internet on the OPT1 interface works only when Squid (proxy) is enabled.

If I disable the proxy on OPT1, the internet is disabled completely on OPT1.

My pfSense rules on OPT1:

Protocol   Source     Port   Destination    Port   Gateway   Queue
IPv6 *     OPT1 net   *      LAN net        *      *         none
IPv4 *     OPT1 net   *      LAN net        *      *         none
IPv4 *     OPT1 net   *      OPT1 address   *      *         none
IPv4 *     OPT1 net   *      WAN net        *      *         none
IPv4 *     *          *      WAN net        *      *         none

Because of this (I think), some applications such as WhatsApp are not working on OPT1.

What should I do in pfSense so that the internet (WAN) works on OPT1 without needing to enable Squid?


johnpoz
Re: WAN, LAN + OPT1 - CORRECT WAY OF SETUP
« Reply #11 on: November 03, 2017, 03:03:41 pm »
So let's repeat, since clearly you're not grasping this.

Quote
"IPv4 *   OPT1 net   *   WAN net   *   *   none"

No, that is NOT correct. WAN net is just that: the WAN net. That would explain why it works via proxy. WAN net is not the internet; it's just the network your WAN is on. Create an ANY ANY rule on OPT1, just like your LAN, but use OPT1 net as the source network.

Let's say your WAN is 1.2.3.4/24. WAN net means you could only talk to devices with IP 1.2.3.1-254. That is the WAN net; this is NOT the internet. The internet is ANY!!! Since pretty much the internet could be ANY public IP address.

You have no rule listed that would allow you to reach, say, Google DNS 8.8.8.8, or say forum.pfsense.org [208.123.73.18].

Your internet is only working via proxy because pfSense itself can get to the internet, and with the proxy you're just asking pfSense: hey, go to this place for me. If you want to get there directly then you have to allow that on the firewall.

How hard is it to put up a screenshot? From those I cannot tell if those are blocked or allowed.

You can see here I allow ping to the WLAN guest address, IPv4 and IPv6.
I allow access to my NTP servers that are on different VLANs, IPv4 and IPv6.
I allow the guest to go to public DNS; I hand out Google in the DHCP server for this guest WiFi network. Via a rule that allows anything NOT RFC1918 (see alias created).
I then block (reject actually, with logging) any other access to any other firewall IP, be it LAN, WAN, or any other VLAN IP.
I then allow guests to go anywhere else as long as it's not RFC1918 or my local IPv6 networks.

Where in your rules (top down, first rule to trigger wins) would your clients be able to go to any IP on the internet? There are no other rules allowing it. This is why the rules out of the box on pfSense are ANY ANY on the LAN.
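The following Python script is an added example, not code from this thread or from pfSense. It models the two points johnpoz makes in replies #3, #8 and #11: interface rules are evaluated top down with first match winning and an implicit default deny, and a destination of "WAN net" only covers the subnet the WAN interface sits on, never the internet. It evaluates the OPT1 ruleset as posted in reply #10 next to a guest-style ruleset of the shape johnpoz describes (reach the firewall's OPT1 address, block RFC1918, then allow anything NOT RFC1918). The OPT1 net, OPT1 address and client IP are from the thread; the LAN net (192.168.1.0/24), WAN net (203.0.113.0/24) and the target hosts are assumed values constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Address plan. OPT1 net, the OPT1 address and the client IP come from the thread;
# the LAN and WAN nets are ASSUMED values chosen for this example.
NETS = {
    "OPT1 net":     ["192.168.27.0/24"],
    "OPT1 address": ["192.168.27.254/32"],
    "LAN net":      ["192.168.1.0/24"],       # assumed
    "WAN net":      ["203.0.113.0/24"],       # assumed (documentation range)
    "RFC1918":      ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "any":          ["0.0.0.0/0"],
}
NETS = {name: [ipaddress.ip_network(n) for n in nets] for name, nets in NETS.items()}


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "block"
    src: str                   # key into NETS
    dst: str                   # key into NETS
    invert_dst: bool = False   # pfSense "Invert match" on the destination ("not RFC1918")


def in_nets(name, addr, invert=False):
    """True when addr falls inside any subnet of the named alias (or outside, if inverted)."""
    hit = any(addr in net for net in NETS[name])
    return not hit if invert else hit


def evaluate(rules, src_ip, dst_ip):
    """Interface rules in pfSense are evaluated top down; the first match wins and
    anything no rule matches is dropped by the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if in_nets(rule.src, src) and in_nets(rule.dst, dst, rule.invert_dst):
            return rule.action
    return "block"


# The OPT1 rules as posted in reply #10. The posted table does not show the action
# column; the LAN rule is taken as a block rule because reply #9 says so.
posted_rules = [
    Rule("block", "OPT1 net", "LAN net"),
    Rule("pass",  "OPT1 net", "OPT1 address"),
    Rule("pass",  "OPT1 net", "WAN net"),
]

# A ruleset in the shape johnpoz describes: reach the firewall's OPT1 address
# (DHCP, DNS, captive portal), block every private range so guests cannot reach
# LAN or other internal networks, then allow anything that is NOT RFC1918.
corrected_rules = [
    Rule("pass",  "OPT1 net", "OPT1 address"),
    Rule("block", "OPT1 net", "RFC1918"),
    Rule("pass",  "OPT1 net", "RFC1918", invert_dst=True),
]

# Constructed destinations, seen from the iPhone at 192.168.27.108.
TARGETS = {
    "lan host":        "192.168.1.10",      # assumed LAN host
    "opt1 gateway":    "192.168.27.254",
    "wan-side router": "203.0.113.1",       # assumed router on the WAN segment
    "google dns":      "8.8.8.8",
}


def decisions(rules, client="192.168.27.108"):
    """Decision per target, so the two rulesets can be compared side by side."""
    return {name: evaluate(rules, client, ip) for name, ip in TARGETS.items()}


if __name__ == "__main__":
    for label, rules in (("posted", posted_rules), ("corrected", corrected_rules)):
        print(label, decisions(rules))
```

Running it shows the symptom from the thread: with the posted rules the client can reach the OPT1 gateway and a host on the WAN segment but 8.8.8.8 falls through to the default deny, which is why only the proxy on pfSense itself could fetch pages. With the corrected order the LAN host is blocked, the gateway is reachable and the internet passes; swapping the first two corrected rules would block the gateway too, which is the top-down ordering point.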