
pfSense Block webUI from vlan 50 trouble

Solved by jde3.


I have my pfSense box configured for a guest VLAN on ID 50. This works fine. I get a DHCP lease on 10.0.1.1/24 and not 10.0.0.1/20, which is the normal LAN. My problem is that I'm trying to block access to the webUI from my guest network (10.0.1.1/24).

I have setup the following rules:

[screenshot: the firewall rules on the guest VLAN interface]

The blue squiggle is the rule that locks me out of the internet. Also, the destination is an alias for 10.0.0.1 and 10.0.1.1.

 

Again, the problem is that the top rule locks me out of the internet completely: no google.com.

This is my opinion, it doesn't mean I'm right and is liable to change at any time. I may offend of which I apologize in advance.


(Our lord and savior: GabeN)


What does the alias pfsensewebuiacess translate to? It's matching on all traffic, so you need to redefine it.

"Only proprietary software vendors want proprietary software." - Dexter's Law


1 minute ago, jde3 said:

What does the alias pfsensewebuiacess translate to? It's matching on all traffic, so you need to redefine it.

it is 10.0.0.1 and 10.0.1.1


2 minutes ago, jde3 said:

What does the alias pfsensewebuiacess translate to? It's matching on all traffic, so you need to redefine it.

How would you redefine this rule to only block the webUI on 10.0.1.1 port 443?


Does pfSense have a self alias?

 

9 minutes ago, Thermite said:

How would you redefine this rule to only block the webUI on 10.0.1.1 port 443?

You could just change pfsensewebuiacess to the IP. But you should probably use an alias for $if_ip.


1 minute ago, jde3 said:

Does pfSense have a self alias?

You could just change pfsensewebuiacess to the IP. But you should probably use an alias for $if_ip.

I don't understand. If you're saying I should change the destination to 10.0.1.1 and port 443, I've tried this and it doesn't work correctly. It still blocks access to the internet.


Do you have a pass rule?


Eh, you do, ya, not sure.


Just now, jde3 said:

Do you have a pass rule?

All the rules I have for the guest network are in the picture. At the bottom of the list I have an allow all-to-all rule, so pass all essentially.


You can look at what pf is doing by using the pflog interface from the console.

 

Something like tcpdump -n -e -ttt -i pflog0

Then you can grep and do what you need to do there to filter it.

 

You can also look at the pf rules themselves and when they hit with something like pfctl -vvsr

 

So pf will give you the rule number, and then you can look up the line to figure out what is wrong with your rule. The trouble with pfSense is translating these to what the GUI writes; you'll also need to set logging on all rules.

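Worked example, added here and not part of jde3's post: a POSIX shell script that does the lookup jde3 describes, pulling the rule number out of each pflog0 entry and reading the matching line from pfctl -vvsr. The PFLOG and PFCTL samples are constructed to follow the layout those tools print (rule N/0(match): ... on pflog0; @N rule lines carrying the label pfSense builds from the rule's description on pfctl). The interface name vlan50, the guest client 10.0.1.50, the host 203.0.113.10 and the counters are made up, so check the field positions against your own output before trusting them. The sample is deliberately built around a block rule to 10.0.1.1 with no protocol or port, so the script shows that one rule dropping the DNS query alongside the webUI connection. pfSense also leaves the generated ruleset in /tmp/rules.debug, with the rules in the same order and the same labels, and a rule only produces pflog0 entries when its Log option is ticked.

```shell
#!/bin/sh
# Added example: tie a packet dropped on pflog0 back to the pf rule that dropped it.
# Both inputs are CONSTRUCTED samples laid out the way
# "tcpdump -n -e -ttt -i pflog0" and "pfctl -vvsr" print their output.

PFLOG=' 00:00:00.000000 rule 5/0(match): block in on vlan50: 10.0.1.50.52314 > 10.0.1.1.443: Flags [S], seq 1, win 65535, length 0
 00:00:00.004120 rule 5/0(match): block in on vlan50: 10.0.1.50.40001 > 10.0.1.1.53: 12345+ A? google.com. (28)
 00:00:00.001002 rule 6/0(match): pass in on vlan50: 10.0.1.50.52315 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0'

PFCTL='@5 block drop in log quick on vlan50 inet from 10.0.1.0/24 to 10.0.1.1 label "USER_RULE: block guest to webui"
  [ Evaluations: 120       Packets: 9         Bytes: 540         States: 0     ]
@6 pass in log quick on vlan50 inet from 10.0.1.0/24 to any flags S/SA keep state label "USER_RULE: allow guest out"
  [ Evaluations: 111       Packets: 8000      Bytes: 6000000     States: 12    ]'

blocked_flows() {
  # blocked_flows <pflog text>: one line per dropped packet: "<rule#> <iface> <src> <dst>"
  # Field layout assumed from the sample: $2="rule" $3="N/0(match):" $4="block"
  # $7="vlan50:" $8=src $9=">" $10="dst:"
  printf '%s\n' "$1" | awk '
    $2 == "rule" && $4 == "block" {
      n = $3;    sub(/\/.*/, "", n)     # "5/0(match):" -> "5"
      ifc = $7;  sub(/:$/, "", ifc)
      dst = $10; sub(/:$/, "", dst)
      print n, ifc, $8, dst
    }'
}

blocked_rule_ids() {
  # distinct rule numbers that dropped something, lowest first
  blocked_flows "$1" | awk '{ print $1 }' | sort -un
}

rule_text() {
  # rule_text <pfctl -vvsr text> <n>: the rule line pf numbered @n
  printf '%s\n' "$1" | awk -v n="$2" '$1 == ("@" n) { print; exit }'
}

rule_label() {
  # rule_label <pfctl text> <n>: the label pfSense attached (its GUI description)
  rule_text "$1" "$2" | sed -n 's/.*label "\([^"]*\)".*/\1/p'
}

explain_blocks() {
  # explain_blocks <pflog text> <pfctl text>: each dropped flow with the rule behind it
  blocked_flows "$1" | while read -r n ifc src dst; do
    printf '%s -> %s on %s: dropped by @%s "%s"\n' \
      "$src" "$dst" "$ifc" "$n" "$(rule_label "$2" "$n")"
  done
}

# With the constructed sample, both the webUI connection and the DNS query
# to 10.0.1.1 come back as dropped by @5, the port-less block rule.
explain_blocks "$PFLOG" "$PFCTL"
```

Reading the output, the fix is visible in the rule text itself: @5 names no protocol or port, so it catches everything a guest client sends to the firewall's guest address, DNS included.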

23 minutes ago, jde3 said:

You can look at what pf is doing by using the pflog interface from the console.

 

Something like tcpdump -n -e -ttt -i pflog0

Then you can grep and do what you need to do there to filter it.

 

You can also look at the pf rules themselves and when they hit with something like pfctl -vvsr

 

So pf will give you the rule number, and then you can look up the line to figure out what is wrong with your rule. The trouble with pfSense is translating these to what the GUI writes; you'll also need to set logging on all rules.

Thanks, I'm going to try a few things and get back to you. Thanks for your help!


There are two ways you can go about writing the rules, since pfSense is match-first. You can allow all and deny specific, or deny all and allow specific.

 

Sure thing, I know PF.. but pfSense, eh.. a little less so. :)

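Worked example, added here and not part of jde3's or Thermite's posts: a small POSIX shell script that mimics pfSense's first-match evaluation so the orderings jde3 describes can be compared side by side. It is a toy, not pf. The rule grammar (action proto src dst dport), the guest client 10.0.1.50 and the Internet host 203.0.113.10 are constructed; 10.0.1.0/24 and 10.0.1.1 are the guest range and gateway from the original post. Three rulesets are tried: the allow-all above the block (the block can never match), a block above the allow-all that covers every protocol and port to the firewall's guest address (it also drops DNS to 10.0.1.1, which from a guest client that uses the firewall as its resolver looks like no Internet at all), and a block above the allow-all limited to the webUI's TCP ports. In the GUI that last shape is a block rule above the pass rule with destination "This Firewall (self)", which pfSense's rule editor offers for every address the box holds, or the interface address, and the webUI ports. One more check on the addressing in the post: 10.0.0.0/20 spans 10.0.0.0 to 10.0.15.255, so it contains the guest range 10.0.1.0/24, and any rule written against the LAN range also matches guest traffic.

```shell
#!/bin/sh
# Added example: a toy first-match evaluator for pfSense-style interface rules.
# NOT pf; it only reproduces the ordering semantics so the constructed
# rulesets below can be compared. Rule lines use a simplified grammar:
#   action proto src dst dport
# proto is tcp/udp/any; src and dst are any, a.b.c.d or a.b.c.d/len;
# dport is any or a port number.

ip_to_int() {
  # 10.0.1.1 -> 167772417
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_net() {
  # in_net <ip> <any|a.b.c.d|a.b.c.d/len>: succeeds when ip falls in the range
  [ "$2" = any ] && return 0
  case $2 in
    */*) net_addr=${2%/*}; net_len=${2#*/} ;;
    *)   net_addr=$2;      net_len=32 ;;
  esac
  net_mask=$(( (0xFFFFFFFF << (32 - net_len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & net_mask )) -eq $(( $(ip_to_int "$net_addr") & net_mask )) ]
}

evaluate() {
  # evaluate <ruleset> <proto> <src> <dst> <dport>: prints the action of the
  # first matching rule; with no match, pfSense's implicit default deny applies.
  ev_result=""
  while read -r r_action r_proto r_src r_dst r_port; do
    case $r_action in ''|'#'*) continue ;; esac
    [ "$r_proto" = any ] || [ "$r_proto" = "$2" ] || continue
    in_net "$3" "$r_src" || continue
    in_net "$4" "$r_dst" || continue
    [ "$r_port" = any ] || [ "$r_port" = "$5" ] || continue
    ev_result=$r_action
    break            # first match wins; later rules are never consulted
  done <<EOF
$1
EOF
  echo "${ev_result:-block}"
}

GUEST=10.0.1.0/24            # guest VLAN 50 range, from the thread
FW_GUEST_ADDR=10.0.1.1       # firewall's address on the guest VLAN, from the thread
INTERNET_HOST=203.0.113.10   # constructed stand-in for an Internet site
# Note: the LAN range in the thread, 10.0.0.0/20, contains 10.0.1.0/24, so a
# rule written against the LAN range also matches the guest VLAN's own addresses.

# (a) allow-all above the block: the block is unreachable
PASS_FIRST="
pass  any $GUEST any            any
block tcp $GUEST $FW_GUEST_ADDR 443
"
# (b) block above allow-all, but every protocol and port to the firewall's guest
#     address: DNS to 10.0.1.1:53 is dropped too, which a guest client sees as no Internet
BLOCK_ALL_TO_FW="
block any $GUEST $FW_GUEST_ADDR any
pass  any $GUEST any            any
"
# (c) block above allow-all, scoped to the webUI's TCP ports only
BLOCK_WEBUI="
block tcp $GUEST $FW_GUEST_ADDR 443
block tcp $GUEST $FW_GUEST_ADDR 80
pass  any $GUEST any            any
"

report() {
  # report <name> <ruleset>: evaluate the three flows a guest client generates
  printf '%-16s webUI=%s  DNS=%s  internet=%s\n' "$1" \
    "$(evaluate "$2" tcp 10.0.1.50 $FW_GUEST_ADDR 443)" \
    "$(evaluate "$2" udp 10.0.1.50 $FW_GUEST_ADDR 53)" \
    "$(evaluate "$2" tcp 10.0.1.50 $INTERNET_HOST 443)"
}

report PASS_FIRST      "$PASS_FIRST"
report BLOCK_ALL_TO_FW "$BLOCK_ALL_TO_FW"
report BLOCK_WEBUI     "$BLOCK_WEBUI"
```

Only ruleset (c) gives webUI=block with DNS and Internet passing; (a) never blocks anything and (b) takes DNS down with the webUI. The deny-all/allow-specific variant jde3 mentions needs negated destinations ("not the firewall, not the LAN"), which this toy grammar leaves out.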
