pfSense will not allow traffic from my wireless router as AP

Hi techies!

I have a problem......(who doesn't)

I have recently just built my pfSense box, and it's working all fine and dandy. I think I will lay out my configuration so it will be a bit easier to understand my problem.

Configuration:

WAN Normal
LAN: Configured as a normal LAN network 192.168.1.1/24
OPT1: Lab network 172.29.229.1/24

I want to separate my LAN network and lab network, and as far as I can tell it's working just fine, but I did not think over the fact that I now don't have any wireless.... Just a problem for my GF but still nice to watch Netflix in the bed and what not. So when I try to configure my wireless router into AP, it seems to be working as intended. It gets its IP from the pfSense and so does any device that connects to it. But it can not get out. So I went ahead and created a rule that only allowed for TCP/UDP traffic from a specific host. So my question is... Is there a better way of doing this? Is there an entirely other way that is "best" practice? I am fairly new to pfSense and am therefore always on the lookout for new information and learning things! And I am also not really experienced with networks.

Where is your AP connected?

If it's on a separate interface to your LAN you'll need to create firewall rules to allow it to access stuff. Easiest thing to do is create a rule that says allow any to any on the WiFi interface, that will let it access anything. If you want to restrict access to your LAN or other networks then just create rules on top of the allow any rule that blocks access to those networks (you should use reject rather than block in Internet networks, but either will work).

On my network I've created an alias of all my local networks, then if I want a firewall rule that allows access to the internet I create a rule that allows access to not local, so you check the not box and it inverts the rule, then I use the alias of my local networks. That way it allows access to anything which is not a local network, i.e. the internet. But simply adding block rules above an allow all rule will work too.

Just keep in mind that the firewall rules are read top to bottom and they take effect on first match, and be super careful not to lock yourself out.

The AP is on the OPT1 network, since that is how I see it's most logical to place it, just in the form of physical placement of the AP. And I kinda also use the AP as a dumb switch to "weld" a connection to my lab network, physical barriers and what not. I am currently renting an apartment so I can therefore not do what I want to do, that being doing the cabling properly. So yeah, there is that :P Hope I answered your reply in an understandable way :P

Yeah makes sense, but it makes it tricky to isolate your lab network from your WiFi network, it would make more sense to have the AP on the LAN network but I understand why you've configured it this way.

Either way you'll need to create firewall rules on the OPT1 interface to allow access to the internet. You won't be able to isolate the WiFi from the other devices on your lab network but if you have static IPs for your WiFi devices you can at least create a different set of rules for WiFi and lab devices. I'd use an alias for each to make it easier but you can just do it by making a rule for each IP too.

At any rate start with an allow any to any (any protocol, any source and any destination) then add your block rules on top of that. Block any to LAN network for example will prevent stuff on the OPT1 interface from accessing stuff on the LAN. If you want to stop them from accessing pfSense itself you'll also need to block any to OPT1 address (I think that's what it's called, basically it's the interface address for OPT1) but be careful as this will stop DHCP from working too, so you're better off just blocking TCP ports 80, 443 and 22.

Like this?

The first one is just letting me connect to the ESXI server on my lab network. And also for it to communicate to me so I can load ISO images to it

The first one is wrong, the source has to be something on that network and the destination has to be on another network, that rule would make more sense on the lan network.

The others will allow those individual hosts to access anything unless it's not tcp or UDP, it may be easier to just have an allow any to any rule then add block rules on top if you want to block anything.

Thought I had it configured the other way around???? I can only do TCP and UDP traffic? Because nothing else seems to be working? And how is my first rule wrong? It is working? I can connect to my ESXI without any problems?

As I said in the original post, I am kinda new to networking :P

It's working because on your LAN interface there will be a default allow any to any rule which is allowing you to access your esxi server on the lab network.

Firewall rules are only processed in one direction; for traffic entering an interface. That means that the source is always something on that interface's network (in this case it has to be something on the lab network) and the destination has to be something on a different network, or the interface address itself.

So that first rule won't do anything because the source address is on the LAN network and not the lab network. To fix it you can just reverse the source and destination, but only if you want the ESXi server to be able to access the LAN host, it probably doesn't need to.

Right now your rules are set so that those four hosts can access anything, no other hosts on the lab network will have any access. It would make more sense to just allow anything to anything and then add block rules on top if you want to restrict access to the LAN. If you don't want to restrict access then just an allow any to any rule is all you need.
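
The rule behaviour discussed in this thread (evaluated top to bottom, first match wins, only for traffic entering the interface) can be checked with a small model. This is an added example, not part of the original posts and not pfSense code; the host addresses and the reconstructed OPT1 rule list are assumptions, since the screenshot is not available.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN, LAB = "192.168.1.0/24", "172.29.229.0/24"   # networks from the thread
# Host addresses below are constructed for illustration.
LAN_PC, ESXI, WIFI = "192.168.1.50", "172.29.229.10", "172.29.229.101"

@dataclass
class Rule:
    action: str           # "pass", "block" or "reject"
    src: str = "any"      # CIDR/host or "any"; a leading "!" inverts the match
    dst: str = "any"
    proto: str = "any"    # "any", "tcp", "udp", "icmp" or "tcp/udp"

def _match(spec, addr):
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    hit = spec == "any" or ip_address(addr) in ip_network(spec)
    return hit != negate

def evaluate(rules, src, dst, proto):
    """Action for a packet ENTERING the interface that owns `rules`."""
    for r in rules:                      # top to bottom, first match wins
        if r.proto != "any" and proto not in r.proto.split("/"):
            continue
        if _match(r.src, src) and _match(r.dst, dst):
            return r.action
    return "block"                       # nothing matched: implicit deny

def dead_rules(rules, iface_net):
    """Indexes of rules whose source cannot arrive on this interface
    (assumes no other routed networks sit behind it)."""
    net = ip_network(iface_net)
    return [i for i, r in enumerate(rules)
            if r.src != "any" and not r.src.startswith("!")
            and not ip_network(r.src).overlaps(net)]

# OPT1 rules as described in the thread (reconstructed, constructed values)
opt1_as_posted = [
    Rule("pass", src=LAN_PC, dst=ESXI),       # source is on LAN: never matches here
    Rule("pass", src=WIFI, proto="tcp/udp"),  # per-host TCP/UDP allow
]
# Suggested layout: reject on top, allow any to any underneath
opt1_suggested = [Rule("reject", dst=LAN), Rule("pass")]
# Same intent with the inverted-destination ("not local") rule
opt1_inverted = [Rule("pass", dst="!" + LAN)]
lan_default = [Rule("pass")]                  # default allow any on LAN
```

The model is stateless; pfSense itself keeps state, so replies to a connection passed by the LAN rule need no matching rule on OPT1, which is why the ESXi connection works without the first OPT1 rule.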