Netgate Discussion Forum

    Rules for IoT w/local DNS/DHCP & Internet

    Firewalling
    4 Posts 3 Posters 951 Views

    • furom

      Hi,

      My goal with this post is to be able to connect a tablet via wireless to iot.vlan using DHCP.

      To do this, I believe this is what I need to do, correct?

      • Allow IoT devices DHCP on pfSense only
      • Allow IoT devices to resolve DNS on pfSense, but block upstream
      • Block any access from iot.vlan to pfSense (This Firewall)
      • Block IoT devices any access to RFC1918 addresses
      • Block any access to everything else, including any other vlan/network
      • Allow IoT devices any access to Internet
        --- if the rules below don't match the above goals or have the wrong order, please suggest improvements, thanks ---

      Setup:

      • Unifi AP on mgmnt.vlan (serving iot.vlan only)

      This is what I have so far;
      [screenshot iot.png: the iot.vlan firewall rule set]

      The problem:
      With these, the tablet tries to get an IP but fails to obtain one. Static fails too, which I believe points to my rules? DHCP and the DNS Resolver are enabled for iot.vlan, with plenty of free addresses.

      Would someone please help me find out what is incorrect here? Thank you

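The bullet list above is really a statement about rule order: pfSense evaluates interface rules top-down with first match winning, and "This Firewall" and the RFC1918 block both cover the pfSense address on iot.vlan, so the DHCP and DNS pass rules only work if they sit above those blocks. The script below is an added illustration, not the poster's configuration or anything from pfSense itself: it models the six rules as first-match predicates, runs a few constructed packets from a tablet through them in the posted order and in a mistaken order (RFC1918 block on top), and shows what each packet gets. The subnet 10.10.40.0/24, the gateway 10.10.40.1 and all sample addresses are assumptions chosen for the example. One practical caveat the model does not include: pfSense adds its own automatic pass rules for the DHCP server on any interface where it is enabled, so user rules alone rarely explain a failed lease, which is consistent with keyser's reading below.

```python
"""First-match model of the iot.vlan rule order described in the post.

Added example, not the poster's configuration: subnet, gateway address and
sample packets are constructed here to show why rule order matters.
"""
import ipaddress
from dataclasses import dataclass

IOT_NET = ipaddress.ip_network("10.10.40.0/24")   # assumed iot.vlan subnet
FIREWALL = ipaddress.ip_address("10.10.40.1")     # assumed pfSense address on iot.vlan
BROADCAST = ipaddress.ip_address("255.255.255.255")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    dst: str
    dport: int


def _dst(p):
    return ipaddress.ip_address(p.dst)


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


# label -> (action, predicate). pfSense GUI rules are evaluated top-down,
# first match wins ("quick"), and anything unmatched hits the implicit deny.
RULES = {
    "dhcp_to_fw":    ("pass",  lambda p: p.proto == "udp" and p.dport == 67
                                         and _dst(p) in (FIREWALL, BROADCAST)),
    "dns_to_fw":     ("pass",  lambda p: p.dport == 53 and _dst(p) == FIREWALL),
    "dns_elsewhere": ("block", lambda p: p.dport == 53),          # "block upstream"
    "fw_other":      ("block", lambda p: _dst(p) == FIREWALL),    # "This Firewall"
    "rfc1918":       ("block", lambda p: is_rfc1918(_dst(p))),
    "internet":      ("pass",  lambda p: ipaddress.ip_address(p.src) in IOT_NET),
}

# The order the post's bullet list implies.
ORDER_POSTED = ["dhcp_to_fw", "dns_to_fw", "dns_elsewhere",
                "fw_other", "rfc1918", "internet"]
# A common mistake: the RFC1918 block placed above the two pass rules.
ORDER_RFC1918_FIRST = ["rfc1918", "dhcp_to_fw", "dns_to_fw",
                       "dns_elsewhere", "fw_other", "internet"]


def evaluate(order, pkt):
    """Return (action, matching rule label) for pkt under the given rule order."""
    for label in order:
        action, pred = RULES[label]
        if pred(pkt):
            return action, label
    return "block", "default deny"


# Constructed sample traffic from a tablet on iot.vlan (10.10.40.50 is assumed).
SAMPLES = {
    "dhcp_discover":   Packet("udp", "0.0.0.0",     "255.255.255.255", 67),
    "dhcp_renew":      Packet("udp", "10.10.40.50", "10.10.40.1",      67),
    "dns_gateway":     Packet("udp", "10.10.40.50", "10.10.40.1",      53),
    "dns_upstream":    Packet("udp", "10.10.40.50", "8.8.8.8",         53),
    "ssh_gateway":     Packet("tcp", "10.10.40.50", "10.10.40.1",      22),
    "http_other_vlan": Packet("tcp", "10.10.40.50", "192.168.1.10",    80),
    "https_internet":  Packet("tcp", "10.10.40.50", "93.184.216.34",   443),
}


def report(order):
    """Map each sample packet name to the action it gets under `order`."""
    return {name: evaluate(order, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for title, order in (("posted order", ORDER_POSTED),
                         ("RFC1918 block first", ORDER_RFC1918_FIRST)):
        print(title)
        for pkt_name, pkt in SAMPLES.items():
            print(f"  {pkt_name:16} {evaluate(order, pkt)}")
```

With the RFC1918 block on top, the broadcast DHCP discover still passes but the unicast renew and DNS to the gateway are blocked, so a device would appear to get a lease and then lose name resolution; a device that cannot get any address at all is more likely a wireless or VLAN-tagging problem than a rule-order one.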
      • MoonKnight @furom

        @furom

        Here is mine:

        [screenshot 870cadd9-c199-4563-b324-402c58d67ec9-image.png: MoonKnight's IoT rule set]

        --- 25.07.1 ---
        Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
        Kingston DDR4 2666MHz 16GB ECC
        2 x HyperX Fury SSD 120GB (ZFS-mirror)
        2 x Intel i210 (ports)
        4 x Intel i350 (ports)

        • keyser (Rebel Alliance) @furom

          @furom said in Rules for IoT w/local DNS/DHCP & Internet: (quoting the original post above in full)

          The rules are working, as lots of traffic has been allowed by each rule (likely devices other than your pad). So your issue is most likely your pad or the WiFi.

          Love the no fuss of using the official appliances :-)

          • furom @keyser

            @keyser Thanks, that's good to know, a start. No obvious errors in the rule setup then, I assume? They are pretty similar to @CiscoX's rules, apart from the last one, which I split into two.
            If so, I guess I should move this into a wireless section, if any. Thanks to both :)

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.