Configuring the optional interface - traffic blocked by?

bittwiddler
Full Member

Posts: 39

Configuring the optional interface - traffic blocked by? Dec 24, 2016 2:41:21 GMT

Quote

Post by bittwiddler on Dec 24, 2016 2:41:21 GMT

I have a very simple configuration. One DSL modem to the WAN port on a Soekris 4801-70 running SmallWall. One wireless AP on each of the other two interfaces. One for guests and one for my office.

DSL->SmallWall(WAN/sis1)->(LAN/sis0)->Wifi AP
DSL->SmallWall(WAN/sis1)->(OPT1/sis2)->Wifi AP

The LAN subnet works like a charm. The APs are configured identically except for the subnet settings. However, I am unable to ping the sis2 interface when connected to the AP. The firewall logs show the traffic being blocked but not the blocking rule. I am tearing my hair out trying to support guests this weekend with OPT1. I tried disabling all the blocking rules for OPT1 but I must be missing something.

LAN: 192.168.1.0/24
OPT1: 192.168.2.0/24

Firewall rules

LAN: PASS * LAN net * * * Default LAN -> any
OPT1: BLOCK TCP * * LAN net * Block DMZ traffic to LAN
OPT1: PASS TCP DMZ net * ! LAN net * Permit DMZ to any but LAN

When I connect to the AP on OPT1 I can ping myself (DHCP issued address) but not the OPT1 interface (gateway 192.168.2.100). Something is blocking ICMP and standard TCP handshakes.

Firewall log:

Act Time If Source Destination Proto
X 19:39:05.028871 DMZ 192.168.2.20 192.168.2.100, type echo/0 ICMP

Last Edit: Dec 24, 2016 18:54:49 GMT by bittwiddler

--
bT

Software developer, IoT security architect, maker of smoke

bittwiddler
Full Member

Posts: 39

Configuring the optional interface - traffic blocked by? Dec 24, 2016 3:21:00 GMT Lee Sharp likes this

Quote

Post by bittwiddler on Dec 24, 2016 3:21:00 GMT

OK, way too much coffee and Christmas goodies here. I neglected adding a rule to pass everything else after all of my restriction rules. It's not like I don't maintain iptables rules for an entire org. Whew!

Guests will be thrilled and I can go to bed ;-)

--
bT

Software developer, IoT security architect, maker of smoke

Lee Sharp Administrator Posts: 522	Configuring the optional interface - traffic blocked by? Dec 24, 2016 3:23:13 GMT Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by Lee Sharp on Dec 24, 2016 3:23:13 GMT Your rule is. You are only allowing TCP, not UDP and ICMP. Ping is ICMP.

bittwiddler
Full Member

Posts: 39

Configuring the optional interface - traffic blocked by? Dec 24, 2016 18:53:44 GMT

Quote

Post by bittwiddler on Dec 24, 2016 18:53:44 GMT

Those rules are doing exactly what I want them to do. The little "X" icon for block didn't make the cut-n-paste. I had forgotten to add my default rule to OPT1 which would allow ICMP, UDP, etc. 100% brain fade on my part...

Many thanks for continuing and maturing this application. While the interface may be a little dated the internals are solid and it runs on very lightweight hardware.

Last Edit: Dec 24, 2016 19:34:12 GMT by bittwiddler

--
bT

Software developer, IoT security architect, maker of smoke

Lee Sharp Administrator Posts: 522	Configuring the optional interface - traffic blocked by? Dec 25, 2016 1:00:30 GMT Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by Lee Sharp on Dec 25, 2016 1:00:30 GMT I do need to look at making it more pretty. But that takes work...

Configuring the optional interface - traffic blocked by?

Post by bittwiddler on Dec 24, 2016 2:41:21 GMT

Post by bittwiddler on Dec 24, 2016 3:21:00 GMT

Post by Lee Sharp on Dec 24, 2016 3:23:13 GMT

Post by bittwiddler on Dec 24, 2016 18:53:44 GMT

Post by Lee Sharp on Dec 25, 2016 1:00:30 GMT

Quick Reply