[pfSense] IPSEC tunnel - Rules for IPSEC or LAN - Public IP/net to LAN host
Hi,

I have successfully created an IPsec tunnel between a Cisco ASA 5520 and my pfSense 2.0.3 appliance. My side is a PRIVATE LAN network; their side is a PUBLIC /27 network. I am able to connect successfully to one of their public IPs and a specific port through the tunnel. However, they are having trouble connecting to one of my internal hosts through the tunnel from their side.

Since theirs is a public IP coming through the tunnel, I am confused about where to put the rule that allows traffic from their public network to pass from the IPsec tunnel to a host on my internal LAN. I have read the section in my pfSense Definitive Guide, 13.3 IPsec and firewall rules, but I guess I need some clarity.

Any hints/education would be appreciated.

--
Mark Street, D.C., RHCE
Chief Technology Officer
Alliance Medical Center
(707) 433-5494

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfSense box not visible from LAN, only from WAN
On 2013-05-08 b...@todoo.biz wrote:

> I am not sure what you are precisely trying to do… But if your
> idea is to have a neutral wireless AP, you will want to:
>
> 1. bridge the WAN and WLAN together.
>
> 2. deactivate all firewalling on your box (advanced network or
> firewall settings).
>
> 3. In case you want to filter, you might want to change the
> settings in advanced so that you filter on the bridge rather than
> on each interface (in the sysctl pane).
>
> If you have console access to the FW, use the "pfctl -d" command
> line to deactivate the FW - it'll ease your job!

Sorry, I was too quick. It only "somehow" works. Here's the current situation:

I changed the WLAN (LAN) interface from no IP address to DHCP and I could see the pfSense box from the WLAN. Then I changed the cabling from the test setup to the original one. In particular, I unplugged the pfSense box from the WAN for a few seconds to remove a switch. After this change, I couldn't access the pfSense box any more.

I plugged the switch in again and got a new DHCP lease for the WLAN (LAN) interface. It showed 0.0.0.0 as IP. I don't know why, but it worked anyway. I can access the pfSense box from the WLAN *until I remove the cable again*, which I definitely need to do to remove the switch.

Then I decided to use a static IP instead of DHCP, which worked: it survived the removal of the switch and I still have access to the pfSense box. I don't know if the randomly selected IP may collide with the IPs distributed by the DHCP server, so this solution might not be optimal.

Anyway, all hosts see the IP of the pfSense box and my randomly selected one. All hosts in the WLAN (LAN) can see all other hosts in the WAN, including the pfSense box, but they can't see each other. Why can't the hosts in the WLAN see each other?

Regards
Marco
Re: [pfSense] pfSense box not visible from LAN, only from WAN
On 2013-05-08 b...@todoo.biz wrote:

> I am not sure what you are precisely trying to do…

This box is a replacement for an old Debian AP I set up a few years ago, which worked flawlessly but died recently. It did not do any filtering; it was just a bridge between the wired and wireless network, using hostap and bridge-utils to provide wireless internet access for about a dozen users. Since everybody is talking about pfSense, I thought I could give it a try for this setup.

> But if your idea is to have a neutral wireless AP, you will want to:
>
> 1. bridge the WAN and WLAN together.

That's what I did. The missing IP address (I still don't know why this is necessary, but never mind) on the WLAN network was the cause of my trouble. It's working now.

> 2. deactivate all firewalling on your box (advanced network or
> firewall settings).

That's what I did.

> 3. In case you want to filter, you might want to change the
> settings in advanced so that you filter on the bridge rather than
> on each interface (in the sysctl pane).

When time permits I will definitely look into the features pfSense provides to improve the network quality. I'm especially interested in prioritizing Skype traffic. That has been the biggest problem in the past: during the peak hours video calls are not possible. Maybe the traffic shaper could be of help. On the other hand, I read that Skype is very hard to shape.

Thank you too for the response.

Regards
Marco
Re: [pfSense] pfSense box not visible from LAN, only from WAN
I am not sure what you are precisely trying to do… But if your idea is to have a neutral wireless AP, you will want to:

1. bridge the WAN and WLAN together.

2. deactivate all firewalling on your box (advanced network or firewall settings).

3. In case you want to filter, you might want to change the settings in advanced so that you filter on the bridge rather than on each interface (in the sysctl pane).

If you have console access to the FW, use the "pfctl -d" command line to deactivate the FW - it'll ease your job!

Thanks.

On 8 May 2013 at 20:41, Marco wrote:

> Hi,
>
> I'm a new pfSense user and just set up my first box, which is a
> wireless access point. The problem is that I can't ping my pfSense
> box (or use the web configurator) from the LAN side, but both work
> from the WAN. Here are some details about my setup:
>
> WAN: ethernet, IP assigned via DHCP
> LAN: wireless in AP mode, no IP configured, but obtained via DHCP from the WAN
> bridge: bridges WLAN and LAN interfaces, no IP configured
>
> I can connect to the access point and the hosts get an IP address.
> If I scan the network from the LAN (wireless connection) I get this
> result:
>
> 10.101.101.1 (gateway)
> 10.101.101.32 (the host I'm scanning from, LAN)
> 10.101.101.63 (some other host, WAN)
> more hosts…
>
> However, if I scan the network from the WAN I get this result:
>
> 10.101.101.1 (gateway)
> 10.101.101.28 (the pfSense box)
> 10.101.101.63 (the host I'm scanning from, WAN)
> more hosts…
>
> I have no firewall rules, except one per interface, which permits
> all traffic. I can provide more information if necessary, just let
> me know.
>
> How can I make the pfSense box visible from the LAN side? Am I doing
> something wrong or is this expected?
>
> Regards
> Marco

PGP ID --> 0x1BA3C2FD
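Step 3 of the reply above refers to two FreeBSD bridge tunables without naming them. As an added example (not part of the list thread), here is a small POSIX sh check that reads "sysctl net.link.bridge"-style output and reports whether pf evaluates rules on each member interface, on the bridge, on both, or on neither; the tunable names `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` are FreeBSD's, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: classify how pf filters bridged traffic from the two
# FreeBSD/pfSense tunables. Input is "sysctl net.link.bridge"-style output,
# one "name: value" (or "name=value") per line, so the check also works on a
# saved copy of the output. In pfSense these are set under
# System > Advanced > System Tunables.
#
# pfil_member=1: rules run on each member interface (WAN and WLAN here).
# pfil_bridge=1: rules run once on the bridge interface (OPT1 in this thread).
bridge_filter_mode() {
    member=1; bridge=0                      # pfSense 2.x defaults (assumed)
    while IFS=': =' read -r name value; do
        case "$name" in
            net.link.bridge.pfil_member) member=$value ;;
            net.link.bridge.pfil_bridge) bridge=$value ;;
        esac
    done
    case "$member$bridge" in
        10) echo member ;;   # default: rules on each member, none on bridge
        01) echo bridge ;;   # step 3 of the reply: filter on the bridge only
        11) echo both ;;     # every bridged packet is checked by two rulesets
        00) echo none ;;     # nothing is filtered at all
        *)  echo unknown ;;  # unexpected values (e.g. empty or non-boolean)
    esac
}

# Constructed sample: the tunables set for filtering on the bridge only.
SAMPLE='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'

printf '%s\n' "$SAMPLE" | bridge_filter_mode    # bridge
```

On a live box, pipe the real output in with `sysctl net.link.bridge | bridge_filter_mode`; "both" means each bridged packet is evaluated twice, so rules on the member tabs and on the bridge tab must agree.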
Re: [pfSense] pfSense box not visible from LAN, only from WAN
On 2013-05-08 Chris Bagnall wrote:

> On 8/5/13 7:41 pm, Marco wrote:
> > no IP configured
>
> This would be your problem.

This was the problem, indeed. I set the LAN to DHCP and I can see the pfSense box and access the web configurator.

> > How can I make the pfSense box visible from the LAN side? Am I doing
> > something wrong or is this expected?
>
> I suspect it's expected behaviour. If you want to use pfSense purely
> as an access point, then you're probably best off not using LAN at
> all (unless you need filtering). Bridge WAN with your WLAN interface
> and LAN becomes effectively redundant.

I think I didn't make myself clear, sorry. The LAN *is* the WLAN. I have just two interfaces, one ethernet (WAN) and one WLAN (LAN), and then a bridge across both (OPT1).

Thanks for the very quick response. It works now.

Regards
Marco
Re: [pfSense] pfSense box not visible from LAN, only from WAN
On 8/5/13 7:41 pm, Marco wrote:
> no IP configured

This would be your problem.

> How can I make the pfSense box visible from the LAN side? Am I doing
> something wrong or is this expected?

I suspect it's expected behaviour. If you want to use pfSense purely as an access point, then you're probably best off not using LAN at all (unless you need filtering). Bridge WAN with your WLAN interface and LAN becomes effectively redundant.

(I seem to recall in the past it wasn't possible to bridge WAN with anything. Whether this limitation still exists in 2.x I don't know, but if it does, you might be best off ignoring both WAN and LAN and creating an OPT interface to bridge with your WLAN interface.)

Kind regards,

Chris
--
This email is made from 100% recycled electrons
[pfSense] pfSense box not visible from LAN, only from WAN
Hi,

I'm a new pfSense user and just set up my first box, which is a wireless access point. The problem is that I can't ping my pfSense box (or use the web configurator) from the LAN side, but both work from the WAN. Here are some details about my setup:

WAN: ethernet, IP assigned via DHCP
LAN: wireless in AP mode, no IP configured, but obtained via DHCP from the WAN
bridge: bridges WLAN and LAN interfaces, no IP configured

I can connect to the access point and the hosts get an IP address. If I scan the network from the LAN (wireless connection) I get this result:

10.101.101.1 (gateway)
10.101.101.32 (the host I'm scanning from, LAN)
10.101.101.63 (some other host, WAN)
more hosts…

However, if I scan the network from the WAN I get this result:

10.101.101.1 (gateway)
10.101.101.28 (the pfSense box)
10.101.101.63 (the host I'm scanning from, WAN)
more hosts…

I have no firewall rules, except one per interface, which permits all traffic. I can provide more information if necessary, just let me know.

How can I make the pfSense box visible from the LAN side? Am I doing something wrong or is this expected?

Regards
Marco