Netgate Discussion Forum

    Proper Destination for Internet?

    Category: Firewalling (4 Posts, 3 Posters, 351 Views)
    CreationGuy:

      If I have a VLAN that I only want to have access to the internet, what's the best practice?

      Right now, I have this particular VLAN set up to block access to log in to the system and to block access from other VLANs; those VLANs are configured not to have access to this VLAN.

      Would I just mark the destination as any or select one WAN net?

      I hate asking this question, I do have a basic understanding of the system, just want to better understand.

      SteveITS (Rebel Alliance), replying to @CreationGuy:

        @creationguy It's a matter of putting the rules in order. Something like:

        VLAN interface:
        allow from VLAN Net to pfSense for DNS (53, TCP+UDP)
        block from VLAN Net to pfSense (this firewall)
        block from VLAN Net to LAN Net
        allow from VLAN Net to any

        LAN interface:
        block from LAN Net to VLAN Net
        allow from LAN Net to any

        "WAN Net" is the network of the WAN IP address, probably local to the router and its gateway.

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
        Upvote 👍 helpful posts!

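To make the ordering point in SteveITS's reply concrete, here is a small first-match rule evaluator written for this thread (example code, not pfSense's own; the subnets and addresses are constructed, since the posts give none). It walks the VLAN interface rule list top to bottom exactly as listed, and then shows what happens if the final "allow to any" is moved above the block rules:

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing; the thread names the nets but gives no prefixes.
VLAN_NET = ip_network("10.90.0.0/24")    # "VLAN Net" (the camera VLAN)
LAN_NET = ip_network("192.168.1.0/24")   # "LAN Net"
# "This Firewall" in pfSense means every address the firewall itself holds.
PFSENSE_ADDRS = {ip_address("10.90.0.1"), ip_address("192.168.1.1")}


def in_scope(scope, addr):
    """Match one rule endpoint: a network, the firewall itself, or 'any'."""
    if scope == "any":
        return True
    if scope == "this firewall":
        return addr in PFSENSE_ADDRS
    return addr in scope


# (action, source, destination, allowed protocols or None, destination port or None)
# Same order as the VLAN interface list in the reply above.
VLAN_RULES = [
    ("pass", VLAN_NET, "this firewall", {"tcp", "udp"}, 53),  # DNS to pfSense
    ("block", VLAN_NET, "this firewall", None, None),          # everything else to pfSense
    ("block", VLAN_NET, LAN_NET, None, None),                  # no access to LAN
    ("pass", VLAN_NET, "any", None, None),                     # Internet (and anything not blocked above)
]

# The same four rules with "allow to any" placed first: the block rules are never reached.
MISORDERED_RULES = [VLAN_RULES[3]] + VLAN_RULES[:3]


def evaluate(rules, src, dst, proto, dport=None):
    """pfSense-style first match on an interface; nothing matched means the implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d, protos, port in rules:
        if not (in_scope(s, src) and in_scope(d, dst)):
            continue
        if protos is not None and proto not in protos:
            continue
        if port is not None and dport != port:
            continue
        return action
    return "block"


if __name__ == "__main__":
    for rules in (VLAN_RULES, MISORDERED_RULES):
        print("VLAN host -> LAN host:", evaluate(rules, "10.90.0.50", "192.168.1.20", "tcp", 80))
```

With the list as posted, a VLAN host reaches DNS on the firewall and the Internet but not the LAN or the firewall's web GUI; with the misordered list the LAN becomes reachable, which is why the "to any" rule has to stay last.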
        CreationGuy, replying to @SteveITS:

          @steveits
          OK, I was on the right track then. I made a rule that I can toggle on to allow the NVR to pull in an update and then shut it right off.
          [Screenshot 2022-09-28: TheWall.jrfam.lan - Firewall Rules CAMLAN]
          "90 Net blocks" is just an alias of what 90 (the camlan VLAN) can't access.

          JKnott, replying to @CreationGuy:

            @creationguy

            Here are my rules for my guest WiFi. They allow only access to the Internet and also pinging the interface it's connected to.

            [Screenshot: guest WiFi firewall rules]

            pfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.