OPNsense Forum
Archive => 16.1 Legacy Series => Topic started by: Aronne on February 10, 2016, 04:53:44 pm
-
Hi! I need your help :-\
I need to allow traffic between my wifi and my lan.
I have two NICs:
LAN: 192.168.2.x (PC 192.168.2.110)
Wi-Fi: 192.168.3.x (SMARTPHONE 192.168.3.210)
I want to allow only my smartphone (through MAC address) to access my PC shared disks.
I've tried NAT, BRIDGE and a lot of firewall rules, but nothing works.
On Endian it worked with just two rules in inter-zone firewall section.
Thanks guys! ;D
-
Hi,
You can't filter on MAC addresses using the firewall rules; an option could be to use your DHCP server to force a fixed IP address to your smartphone and add rules for that IP.
Another option is to enable a captive portal on your wifi zone and enforce authentication for all users except a list of MAC addresses. (The captive portal can keep track of the corresponding IP addresses.)
Regards,
Ad
-
Thanks! But the firewall by default blocks my traffic between interfaces.
I can't ping or see my PC from my smartphone.
Do you have a solution?
Thanks a lot!
-
Default policy is drop, you have to add rules to allow traffic.
Also make sure your interface doesn't have "Block private networks" enabled for internal networks.
-
This is my OPNsense configuration!
What's wrong?
http://s17.postimg.org/93vnamxqn/image.jpg
http://s24.postimg.org/n52b82rc5/image.jpg
http://s22.postimg.org/6v2zv3mup/firewallrules1.jpg
http://s12.postimg.org/7qzklfy8t/firewallrules2.jpg
-
What gateway is your phone using?
-
The Gateway of my phone is:
192.168.3.1
-
That looks good, and the gateway of your pc?
Maybe you can inspect the traffic going to your PC from your LAN interface on the firewall; you can use diag_packet_capture.php to inspect what's going on.
-
The GW for my PC is:
192.168.2.1
-
I would suggest using packet capture to trace your traffic, ping in both directions and capture both interfaces step by step.
-
Packet capture on WIFI
14:51:20.008479 IP 192.168.3.210.35372 > 192.168.2.110.445: tcp 0
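The capture above shows the SMB connection attempt (port 445) arriving on the WIFI interface; the diagnostic step the earlier replies ask for is to capture the LAN interface at the same time and see whether that flow ever leaves the firewall. The following is an added example, not code from the thread or from OPNsense: it parses capture lines in the format shown above (the `tcpdump`-style output of diag_packet_capture.php), restricts attention to flows destined for the LAN subnet, and reports the ones present on the WIFI capture but absent from the LAN capture, which is exactly what a default-deny firewall rule set produces. The LAN capture and the extra WIFI lines are constructed sample data.

```python
import ipaddress
import re
from typing import Set, Tuple

# One capture line as printed by the OPNsense packet capture page, e.g.
# "14:51:20.008479 IP 192.168.3.210.35372 > 192.168.2.110.445: tcp 0"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<proto>\w+)"
)

# A flow is identified by (source IP, destination IP, destination port);
# the ephemeral source port is deliberately ignored so retries collapse into one flow.
Flow = Tuple[str, str, int]


def parse_flows(capture: str) -> Set[Flow]:
    """Extract the distinct flows from a capture; lines that do not parse are skipped."""
    flows: Set[Flow] = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        flows.add((m["src"], m["dst"], int(m["dport"])))
    return flows


def flows_dropped_between(ingress: str, egress: str, egress_net: str) -> Set[Flow]:
    """Flows seen on the ingress capture, addressed to egress_net, that never appear on the egress capture.

    Traffic to other destinations (e.g. WAN) is excluded, because it would not
    be expected on the LAN interface even when the firewall allows it.
    """
    net = ipaddress.ip_network(egress_net)
    expected = {f for f in parse_flows(ingress) if ipaddress.ip_address(f[1]) in net}
    return expected - parse_flows(egress)


# Constructed sample captures: the first WIFI line is the one from the thread,
# the rest are made up for illustration.
WIFI_CAPTURE = """\
14:51:20.008479 IP 192.168.3.210.35372 > 192.168.2.110.445: tcp 0
14:51:21.120011 IP 192.168.3.210.35373 > 192.168.2.110.445: tcp 0
14:51:22.004512 IP 192.168.3.210.50112 > 93.184.216.34.443: tcp 0
"""

LAN_CAPTURE = """\
14:51:20.010002 IP 192.168.2.110.49152 > 192.168.2.1.53: udp 40
"""

if __name__ == "__main__":
    for src, dst, port in sorted(flows_dropped_between(WIFI_CAPTURE, LAN_CAPTURE, "192.168.2.0/24")):
        print(f"seen on WIFI, never forwarded to LAN: {src} -> {dst}:{port}")
```

If a flow shows up on the WIFI side and not on the LAN side, the firewall rules (or a "Block private networks" setting on the internal interface, as mentioned earlier) are the first thing to check; if it appears on both sides, the problem is on the PC (host firewall, SMB sharing) rather than on OPNsense.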
-
For your rules I would remove the last 2 entries on WIFI net for LAN net and leave just the WIFI net to any dest enabled, and try to get to both your LAN and WAN. If that works, add a block from src WIFI net to LAN net. This should still allow WAN and remove access to LAN.
Then, after that block rule, you can make an exception for the WIFI device you want to have access to the LAN device, by assigning a static DHCP lease and then creating a rule to allow that src IP on WIFI net to your PC IP on LAN net only.
Again, do this between the block rule to LAN net and the "default" allow rule from WIFI net to anywhere.
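The three-rule layout described above (a block from WIFI net to LAN net, a narrow exception for the phone's static-lease IP to the PC, and the broad WIFI-to-any allow) can be sanity-checked before touching the GUI. The following is an added example, not code from the thread or from OPNsense: a toy first-match evaluator over those three rules, run against the addresses from this thread. OPNsense evaluates interface rules top to bottom and the first match wins (rules are "quick" by default), so the phone exception has to sit above the block rule; the second ordering shows what happens when the block comes first and shadows the exception. The phone's fixed address is assumed to be 192.168.3.210, as given in the first post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    action: str       # "pass" or "block"
    src: str          # source network in CIDR notation
    dst: str          # destination network in CIDR notation
    description: str


def matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    """A rule matches when both endpoints fall inside its source and destination networks."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First matching rule wins; with no match the implicit default policy is to block."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip):
            return rule.action
    return "block"


WIFI_NET = "192.168.3.0/24"
LAN_NET = "192.168.2.0/24"
PHONE = "192.168.3.210/32"   # static DHCP lease for the smartphone (from the thread)
PC = "192.168.2.110/32"      # the PC with the shared disks (from the thread)
ANY = "0.0.0.0/0"

# Intended rule set on the WIFI interface, top to bottom.
WIFI_RULES = [
    Rule("pass", PHONE, PC, "exception: phone may reach the PC"),
    Rule("block", WIFI_NET, LAN_NET, "WIFI clients may not reach LAN"),
    Rule("pass", WIFI_NET, ANY, "default: WIFI to anywhere else (WAN)"),
]

# Same rules with the block placed above the exception: the exception is never reached.
SHADOWED_RULES = [WIFI_RULES[1], WIFI_RULES[0], WIFI_RULES[2]]


def check(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate the flows that matter in this thread against a rule ordering."""
    return {
        "phone_to_pc": evaluate(rules, "192.168.3.210", "192.168.2.110"),
        "other_wifi_to_pc": evaluate(rules, "192.168.3.50", "192.168.2.110"),
        "phone_to_other_lan_host": evaluate(rules, "192.168.3.210", "192.168.2.20"),
        "phone_to_wan": evaluate(rules, "192.168.3.210", "93.184.216.34"),
    }


if __name__ == "__main__":
    for name, rules in (("intended order", WIFI_RULES), ("block above exception", SHADOWED_RULES)):
        print(name)
        for flow, verdict in check(rules).items():
            print(f"  {flow}: {verdict}")
```

In the intended order only the phone reaches the PC, nothing else on WIFI reaches LAN, and WAN access stays open; with the block rule moved above the exception the phone is blocked too, which is the symptom to look for if the exception appears not to work.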