Topic: Allow traffic between zones. (Read 12433 times)
Aronne (Newbie, Posts: 6, Karma: 0)
Allow traffic between zones.
« on: February 10, 2016, 04:53:44 pm »
Hi! I need your help.
I need to allow traffic between my Wi-Fi and my LAN.
I have two NICs:
LAN: 192.168.2.x (PC 192.168.2.110)
Wi-Fi: 192.168.3.x (smartphone 192.168.3.210)
I want to allow only my smartphone (through its MAC address) to access my PC's shared disks.
I've tried NAT, BRIDGE and a lot of firewall rules, but nothing works.
On Endian it worked with just two rules in the inter-zone firewall section.
Thanks guys!
« Last Edit: February 10, 2016, 05:04:31 pm by Aronne »
AdSchellevis (Administrator, Hero Member, Posts: 907, Karma: 184)
Re: Allow traffic between zones.
« Reply #1 on: February 10, 2016, 08:27:05 pm »
Hi,
You can't filter on MAC addresses using the firewall rules; an option could be to use your DHCP server to force a fixed IP address to your smartphone and add rules for that IP.
Another option is to enable a captive portal on your Wi-Fi zone and enforce authentication for all users except a list of MAC addresses. (The captive portal can keep track of the corresponding IP addresses.)
Regards,
Ad
Aronne (Newbie, Posts: 6, Karma: 0)
Re: Allow traffic between zones.
« Reply #2 on: February 11, 2016, 12:39:55 pm »
Thanks! But by default the firewall blocks my traffic between interfaces.
I can't ping or see my PC from my smartphone.
Do you have a solution?
Thanks a lot!
AdSchellevis (Administrator, Hero Member, Posts: 907, Karma: 184)
Re: Allow traffic between zones.
« Reply #3 on: February 11, 2016, 12:51:03 pm »
The default policy is drop; you have to add rules to allow traffic.
Also make sure your interface doesn't have "Block private networks" enabled for internal networks.
Aronne (Newbie, Posts: 6, Karma: 0)
Re: Allow traffic between zones.
« Reply #4 on: February 11, 2016, 01:17:39 pm »
This is my OPNsense configuration!
What's wrong?
[Image: screenshot of the poster's OPNsense firewall configuration; not included in this archive.]
AdSchellevis (Administrator, Hero Member, Posts: 907, Karma: 184)
Re: Allow traffic between zones.
« Reply #5 on: February 11, 2016, 01:20:57 pm »
What gateway is your phone using?
Aronne (Newbie, Posts: 6, Karma: 0)
Re: Allow traffic between zones.
« Reply #6 on: February 11, 2016, 02:29:34 pm »
The gateway of my phone is 192.168.3.1.
AdSchellevis (Administrator, Hero Member, Posts: 907, Karma: 184)
Re: Allow traffic between zones.
« Reply #7 on: February 11, 2016, 02:33:33 pm »
That looks good, and the gateway of your PC?
Maybe you can inspect the traffic going to your PC from your LAN interface on the firewall; you can use diag_packet_capture.php to inspect what's going on.
Aronne (Newbie, Posts: 6, Karma: 0)
Re: Allow traffic between zones.
« Reply #8 on: February 11, 2016, 02:41:04 pm »
The GW for my PC is 192.168.2.1.
AdSchellevis (Administrator, Hero Member, Posts: 907, Karma: 184)
Re: Allow traffic between zones.
« Reply #9 on: February 11, 2016, 02:44:48 pm »
I would suggest using packet capture to trace your traffic: ping in both directions and capture on both interfaces, step by step.
Aronne (Newbie, Posts: 6, Karma: 0)
Re: Allow traffic between zones.
« Reply #10 on: February 11, 2016, 02:51:47 pm »
Packet capture on WIFI
14:51:20.008479 IP 192.168.3.210.35372 > 192.168.2.110.445: tcp 0
philamonster (Newbie, Posts: 15, Karma: 5)
Re: Allow traffic between zones.
« Reply #11 on: February 19, 2016, 04:58:52 pm »
Quote from: Aronne on February 11, 2016, 02:51:47 pm
Packet capture on WIFI
14:51:20.008479 IP 192.168.3.210.35372 > 192.168.2.110.445: tcp 0
For your rules I would remove the last 2 entries on WIFI net for LAN net and leave just the WIFI net to any destination enabled, and try to get to both your LAN and WAN. If that works, add a block from src WIFI net to LAN net. This should still allow WAN and remove access to LAN.
Then, after that block rule, you can make an exception for the WIFI device you want to have access to the LAN device, by both assigning a static DHCP lease and then creating a rule to allow that src IP on WIFI net to your PC IP on LAN net only.
Again, do this between the block rule to LAN net and the "default" allow rule from WIFI net to anywhere.
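To make the rule ordering from the reply above concrete, here is a small first-match rule evaluator written for this thread; it is an added example, not OPNsense code or anything posted by the participants. It models the WIFI-interface rules (exception for the phone, then block WIFI net to LAN net, then allow WIFI net to any), evaluated top-down with first match winning as OPNsense does for its default "quick" rules, and shows that the exception only works when it sits above the block. It also models the "Block private networks" option from Reply #3 as a block on RFC1918 source addresses, and restricts the exception to TCP port 445 (the SMB port seen in Aronne's capture), which is tighter than the IP-only rule in the post. The rule descriptions, the "other Wi-Fi client" address 192.168.3.50 and the Internet address 203.0.113.10 are constructed for the example; the LAN, WIFI, PC and phone addresses are the ones from the thread.

```python
"""First-match firewall rule evaluation for the WIFI interface discussed in
this thread. Added example: a simplified model, not OPNsense/pf code."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, List, Tuple

# Addresses from the thread.
LAN_NET = ip_network("192.168.2.0/24")
WIFI_NET = ip_network("192.168.3.0/24")
PHONE = ip_network("192.168.3.210/32")   # gets a static DHCP lease
PC = ip_network("192.168.2.110/32")

# "Block private networks" in OPNsense blocks RFC1918 *source* addresses on
# the interface it is enabled on; on an internal interface that blocks everyone.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src: Optional[IPv4Network]      # None = any source
    dst: Optional[IPv4Network]      # None = any destination
    dport: Optional[int] = None     # None = any destination port
    descr: str = ""                 # constructed rule description


def _match(spec: Optional[IPv4Network], addr) -> bool:
    return spec is None or addr in spec


def evaluate(rules: List[Rule], src: str, dst: str, dport: int,
             block_private: bool = False) -> Tuple[str, str]:
    """Return (action, description) of the first matching rule for a packet
    entering the WIFI interface; unmatched traffic hits the default deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if block_private and any(src_ip in net for net in RFC1918):
        return ("block", "Block private networks")
    for rule in rules:                       # top-down, first match wins
        if (_match(rule.src, src_ip) and _match(rule.dst, dst_ip)
                and (rule.dport is None or rule.dport == dport)):
            return (rule.action, rule.descr)
    return ("block", "default deny")


def suggested_wifi_rules() -> List[Rule]:
    """The ordering the reply describes: exception above the block, block
    above the catch-all allow."""
    return [
        Rule("pass", PHONE, PC, 445, "phone -> PC SMB only (exception)"),
        Rule("block", WIFI_NET, LAN_NET, None, "WIFI net -> LAN net"),
        Rule("pass", WIFI_NET, None, None, "WIFI net -> any (default allow)"),
    ]


def misordered_wifi_rules() -> List[Rule]:
    """Same three rules, but the exception placed below the block: the block
    matches first and the exception is never reached."""
    good = suggested_wifi_rules()
    return [good[1], good[0], good[2]]


if __name__ == "__main__":
    cases = [
        ("192.168.3.210", "192.168.2.110", 445),   # phone -> PC shares
        ("192.168.3.210", "192.168.2.110", 22),    # phone -> PC, other port
        ("192.168.3.50", "192.168.2.110", 445),    # other Wi-Fi client -> PC
        ("192.168.3.210", "203.0.113.10", 443),    # phone -> Internet (WAN)
    ]
    for name, rules in (("suggested", suggested_wifi_rules()),
                        ("misordered", misordered_wifi_rules())):
        print(f"--- {name} ruleset ---")
        for src, dst, port in cases:
            print(src, "->", f"{dst}:{port}", evaluate(rules, src, dst, port))
    print("with 'Block private networks' on WIFI:",
          evaluate(suggested_wifi_rules(), "192.168.3.210", "192.168.2.110",
                   445, block_private=True))
```

Running it shows the phone reaching the PC on 445 and the Internet, every other Wi-Fi client and every other port to the PC being blocked, the same packet blocked as soon as the exception is moved below the block rule, and everything from the Wi-Fi network blocked when "Block private networks" is enabled on that interface.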