Allow traffic between zones.

Started by Aronne, February 10, 2016, 04:53:44 PM

February 10, 2016, 04:53:44 PM Last Edit: February 10, 2016, 05:04:31 PM by Aronne
Hi! I need your help :-\
I need to allow traffic between my Wi-Fi and my LAN.
I have two NICs:
LAN: 192.168.2.x (PC 192.168.2.110)
Wi-Fi: 192.168.3.x (SMARTPHONE 192.168.3.210)
I want to allow only my smartphone (through its MAC address) to access my PC's shared disks.
I've tried NAT, BRIDGE and a lot of firewall rules, but nothing works.
On Endian it worked with just two rules in the inter-zone firewall section.
Thanks guys! ;D

Hi,

You can't filter on MAC addresses using the firewall rules; an option could be to use your DHCP server to force a fixed IP address to your smartphone and add rules for that IP.
Another option is to enable a captive portal on your Wi-Fi zone and enforce authentication for all users except a list of MAC addresses. (The captive portal can keep track of the corresponding IP addresses.)

Regards,

Ad

Thanks! But by default the firewall blocks my traffic between interfaces.
I can't ping or see my PC from my smartphone.
Do you have a solution?
Thanks a lot!

Default policy is drop, you have to add rules to allow traffic.
Also make sure your interface doesn't have "Block private networks" enabled for internal networks.



The Gateway of my phone is:
192.168.3.1

That looks good, and the gateway of your PC?
Maybe you can inspect the traffic going to your PC from your LAN interface on the firewall; you can use diag_packet_capture.php to inspect what's going on.


I would suggest using packet capture to trace your traffic, ping in both directions and capture both interfaces step by step.

Packet capture on WIFI

14:51:20.008479 IP 192.168.3.210.35372 > 192.168.2.110.445: tcp 0

Quote from: Aronne on February 11, 2016, 02:51:47 PM
Packet capture on WIFI

14:51:20.008479 IP 192.168.3.210.35372 > 192.168.2.110.445: tcp 0

For your rules I would remove the last 2 entries on WIFI net for LAN net and leave just the WIFI net to any dest enabled and try to get to both your LAN and WAN. If that works add a block from src WIFI net to LAN net. This should still allow WAN and remove access to LAN.

Then, after that block rule you can make an exception for the WIFI device that you want to have access to the LAN device, by both assigning a static DHCP lease and then creating a rule to allow that src IP on WIFI net to your PC IP on LAN net only.

Again, do this between the block rule to LAN net and the "default" allow rule from WIFI net to anywhere.
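The ruleset described in this thread, modelled as an added example (not code from the thread or from the firewall product): a first-match, top-down evaluator with a default-drop policy, using the thread's IPs and the SMB port 445 seen in the capture. It assumes the phone holds a static DHCP lease, places the phone's exception above the WIFI-to-LAN block (on a first-match firewall a narrower exception only takes effect if it sits above the broader block it carves out of), and does not model stateful return traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Networks and hosts from the thread; the phone's address is assumed to be fixed by a static DHCP lease.
WIFI_NET = "192.168.3.0/24"
LAN_NET = "192.168.2.0/24"
PHONE = "192.168.3.210/32"
PC = "192.168.2.110/32"


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation, or "any"
    dport: Optional[int] = None  # destination TCP port; None matches any port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """Top-down, first match wins; unmatched traffic hits the default drop policy."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "block"


# Recommended order on the WIFI interface: narrow exception, then the LAN block, then the catch-all.
WIFI_RULES = [
    Rule("pass", PHONE, PC, 445),      # only the phone may reach the PC's SMB share
    Rule("block", WIFI_NET, LAN_NET),  # every other WIFI client stays out of LAN
    Rule("pass", WIFI_NET, "any"),     # WIFI clients still reach WAN
]

# Same rules with the exception placed below the block: the block now shadows it.
SHADOWED_RULES = [WIFI_RULES[1], WIFI_RULES[0], WIFI_RULES[2]]

if __name__ == "__main__":
    print("phone -> PC:445 :", evaluate(WIFI_RULES, "192.168.3.210", "192.168.2.110", 445))
    print("other -> PC:445 :", evaluate(WIFI_RULES, "192.168.3.50", "192.168.2.110", 445))
    print("shadowed order  :", evaluate(SHADOWED_RULES, "192.168.3.210", "192.168.2.110", 445))
```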