Author: Erno Language: text
Description: pfSense and FreeNAS Timestamp: 2014-09-09 20:12:02 +0000
Hi guys,

I am mostly a Linux user on the desktop/laptop platform, but I listen to your show every week, and I am always attracted by the BSDs. Recently I have installed a pfSense router, which is working great, and I have installed FreeNAS on a second machine to serve as my home file and media server. The FreeNAS installation went well, and I am able to access it via the web GUI, but I believe that the FreeNAS box can't connect to the wider internet (as shown by ntpd being unable to get the time, and by me not being able to ping google.com).

On pfSense I enabled the interface (re1, named it MedveLak-FreeNAS), set up firewall rules which are identical to those on my re0 interface, to which I attached a wireless router that works perfectly fine (i.e. I have an outside network connection), and also enabled DHCP on re1. Do you have any idea why the FreeNAS box cannot connect to the internet?

Thank you for making the show weekly, and good luck in your second year of the show.

pfctl -sr:

scrub on fxp0 all fragment reassemble
scrub on re0 all fragment reassemble
scrub on re1 all fragment reassemble
scrub on re0_vlan10 all fragment reassemble
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
block drop quick inet proto tcp from any port = 0 to any
block drop quick inet proto tcp from any to any port = 0
block drop quick inet proto udp from any port = 0 to any
block drop quick inet proto udp from any to any port = 0
block drop quick inet6 proto tcp from any port = 0 to any
block drop quick inet6 proto tcp from any to any port = 0
block drop quick inet6 proto udp from any port = 0 to any
block drop quick inet6 proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
block drop in log quick proto tcp from <webConfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in log quick on fxp0 from <bogons> to any label "block bogon IPv4 networks from WAN"
block drop in log quick on fxp0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
block drop in on ! fxp0 inet from 73.40.124.0/23 to any
block drop in inet from 73.40.124.151 to any
block drop in on fxp0 inet6 from fe80::216:76ff:fe94:4479 to any
block drop in log quick on fxp0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block drop in log quick on fxp0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block drop in log quick on fxp0 inet from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
block drop in log quick on fxp0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block drop in log quick on fxp0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block drop in log quick on fxp0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
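The ruleset above opens with `block drop in log inet all label "Default deny rule IPv4"`, so a LAN interface only reaches the outside through its own `pass in quick on <iface>` rules, and the paste is cut off before any of those. The script below is an added diagnostic example, not part of Erno's paste or of pfSense: it reads `pfctl -sr` output and lists the pass rules one interface has that another lacks, after normalising the interface name, its subnet and pfSense's per-rule label. The sample ruleset and the 192.168.x.0/24 subnets are constructed for the example.

```python
"""Compare per-interface pass rules in `pfctl -sr` output (added example)."""
import re

# Constructed sample in the shape of pfSense's `pfctl -sr` output; the
# subnets and the missing re1 IPv6 rule are hypothetical, not from the paste.
SAMPLE = """\
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
pass in quick on re0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on re0 inet6 from fe80::/10 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
pass in quick on re1 inet from 192.168.2.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
"""
SUBNETS = {"re0": "192.168.1.0/24", "re1": "192.168.2.0/24"}  # hypothetical


def normalise(line, iface, subnet):
    """Strip what legitimately differs between interfaces: the interface
    name, its own subnet and the pfSense label, so rules can be compared."""
    out = re.sub(rf"\bon {re.escape(iface)}\b", "on IFACE", line, count=1)
    if subnet:
        out = out.replace(f"from {subnet} ", "from IFNET ", 1)
    return re.sub(r'\s+label\s+".*"\s*$', "", out)


def interface_pass_rules(ruleset, iface, subnets):
    """Return the normalised set of `pass ... on <iface>` rules."""
    rules = set()
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line.startswith("pass"):
            continue  # only pass rules can let the interface's traffic out
        m = re.search(r"\bon\s+(!\s*)?(\S+)", line)
        if not m or m.group(1) or m.group(2) != iface:
            continue  # no interface, a negated interface, or another one
        rules.add(normalise(line, iface, subnets.get(iface)))
    return rules


def missing_pass_rules(ruleset, reference, candidate, subnets):
    """Pass rules present on `reference` but absent on `candidate`."""
    ref = interface_pass_rules(ruleset, reference, subnets)
    cand = interface_pass_rules(ruleset, candidate, subnets)
    return sorted(ref - cand)


if __name__ == "__main__":
    for rule in missing_pass_rules(SAMPLE, "re0", "re1", SUBNETS):
        print("re1 lacks:", rule)
```

On a live box, feed it the real output with `pfctl -sr` and the interfaces' actual subnets; an empty result means the two interfaces get the same pass rules and the fault lies elsewhere (NAT, DNS, or the FreeNAS side).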

