> On Dec 23, 2017, at 9:10 PM, Matthew Hall <[email protected]> wrote:
> 
> I did run into various bugs involving interfaces != LAN. One common one is 
> that the other interfaces are missing a default allow rule for reaching 
> pfSense on 53/udp. This makes all your DNS requests fail and then it can seem 
> like none of your stuff is working.

Not a bug. That is by design. Create the rules to pass the traffic you need to 
pass on OPTX interfaces after you create them.

> Another problem you can find is, if you use IPsec or another site to site 
> VPN, these other interfaces don't have a bypass rule preventing self-traffic 
> to the firewall from being forced through the VPN tunnel. So I'm not sure 
> what configuration you've got but there are some funny things you can see. I 
> will say that once I worked around these items I was easily able to move or 
> block traffic between LAN and the other interfaces with no issues. One trick 
> that can help with the debugging is to replace the implicit default block 
> rule with a default reject rule so you can easily see what's misconfigured on 
> the end nodes and watch the firewall for log messages on your rules with logs 
> enabled to see why your traffic refuses to flow.

Traffic for other interfaces should not match the IPsec traffic selector. Not 
sure what you did there.

If you try to IPsec to destination 0.0.0.0/0 (all traffic), then you have to 
bypass that traffic selector by policy routing traffic for other destinations 
to where it needs to go. Again, not a bug. Getting a functional setup with a 
0.0.0.0/0 IPsec destination can be tricky due to the way the traffic selectors 
work.

If you policy route all traffic to an OpenVPN tunnel, you have to bypass said 
policy routing for local traffic. Again, not a bug.

> 
> Matthew Hall
> 
>> On Dec 23, 2017, at 6:53 PM, Walter Parker <[email protected]> wrote:
>> 
>>> On Fri, Dec 22, 2017 at 8:25 PM, Antonio <[email protected]> wrote:
>>> 
>>> Hi,
>>> 
>>> I'm not sure how you move traffic between the above interfaces. I was
>>> under the impression that all you needed was a "Default allow LAN to any
>>> rule" and job done. Yet I'm struggling to get devices on different
>>> interfaces to communicate. What am I missing?
>>> 
>> That rule allows the LAN to move traffic. Traffic on OPT1 is a different
>> network. You will need additional rules to allow it to talk to LAN. You will
>> need to add two sets of rules (or floating rules) depending on how you wish
>> to design your network.
>> 
>> 
>> Walter
>>> 
>>> Thanks
>>> 
>>> --
>>> 
>>> 
>>> Respect your privacy and that of others, don't give your data to big
>>> corporations.
>>> Use alternatives like Signal (https://whispersystems.org/) for your
>>> messaging or
>>> Diaspora* (https://joindiaspora.com/) for your social networking.
>>> 
>>> _______________________________________________
>>> pfSense mailing list
>>> https://lists.pfsense.org/mailman/listinfo/list
>>> Support the project with Gold! https://pfsense.org/gold
>> 
>> -- 
>> The greatest dangers to liberty lurk in insidious encroachment by men of
>> zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
> 

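The OPT1 rule set the thread talks about (DNS to the firewall itself, OPT1 to LAN, a logged reject in place of the silent default block for debugging, and a local-traffic bypass ahead of policy routing), written out as an added pf.conf fragment rather than pfSense's generated rules or any poster's config. Interface names, address ranges and the VPN gateway are constructed assumptions.

```pf
# Constructed example: every name and address below is an assumption.
opt1_if  = "em2"            # OPTX interface
opt1_net = "10.20.0.0/24"   # OPT1 subnet
fw_opt1  = "10.20.0.1"      # firewall's own address on OPT1 (its DNS resolver)
lan_net  = "10.10.0.0/24"
vpn_if   = "ovpnc1"         # policy-routing target (hypothetical OpenVPN client)
vpn_gw   = "10.8.0.1"
table <local_nets> { 10.10.0.0/24, 10.20.0.0/24 }

# Debugging aid from the thread: a logged reject instead of a silent drop on OPT1.
# It has no "quick", so it only wins when no pass rule below matches.
block return log on $opt1_if all

# Without this, OPT1 hosts cannot reach the firewall's resolver and "nothing works".
pass in quick on $opt1_if proto { udp tcp } from $opt1_net to $fw_opt1 port 53

# Local destinations must be matched BEFORE the route-to rule, or they get
# pushed into the tunnel too (the "bypass policy routing for local traffic" point).
pass in quick on $opt1_if from $opt1_net to <local_nets>

# OPT1 -> LAN; stateful tracking admits the replies, add a mirror rule on LAN
# if LAN hosts must also initiate connections into OPT1.
pass in quick on $opt1_if inet proto { tcp udp icmp } from $opt1_net to $lan_net

# Everything else from OPT1 is policy routed into the VPN.
pass in quick on $opt1_if from $opt1_net to any route-to ( $vpn_if $vpn_gw )
```

Rule order matters only through "quick": the first quick match wins, so the local-network bypass has to sit above the route-to rule.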
