Netgate Discussion Forum
    Unable to restrict LAN interface

    Firewalling
    2 Posts 2 Posters 1.5k Views
    • sinac

      I feel really stupid having to ask this since it is actually a pretty forward situation:

      I have a pfSense routing between two public subnets. NAT is disabled of course and everything works fine. Now I want to restrict any traffic directed to the LAN and WAN interfaces, so that pfSense routes everything from WAN to LAN (which are both public and equally untrustworthy) and vice versa. The only way to connect to the WebGUI shall be through VPN.

      I disabled WebGUI Anti-Logout, configured the VPN and applied only these Firewall rules:

      LAN:
      Proto: *, Source: , Port: , Destination: !LAN address, Port: , Gateway:

      WAN:
      Block RFC 1918
      Block Bogon
      Proto: *, Source: , Port: , Destination: !WAN address, Port: , Gateway:

      IPSec:
      Proto: *, Source: 10.254.254.1, Port: , Destination: , Port: , Gateway:

      That's it. On both interfaces everything that is not for the firewall itself should pass. Everything else is to be tossed by the default deny rule. This works like a charm for the WAN interface, but not for the LAN interface.

      Am I missing anything?

      • clarknova

        Are you using DNS forwarding? If so, LAN clients will need access to port 53 of the LAN address.

        db

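To make the effect of the reply concrete, here is an added first-match simulation of the poster's LAN rule set beside the same set with the DNS allow clarknova suggests; it is example code written for this thread, not part of the post or of pfSense. The interface and client addresses are constructed placeholders, and the rule fields mirror the pfSense rule editor (a leading "!" on the destination stands for the "not" checkbox).

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed placeholder addresses, not the poster's real public subnets.
LAN_ADDR = ip_address("198.51.100.1")     # firewall's own LAN interface IP
WAN_ADDR = ip_address("203.0.113.1")      # firewall's own WAN interface IP
LAN_CLIENT = ip_address("198.51.100.50")  # a host on the LAN subnet
REMOTE_HOST = ip_address("192.0.2.10")    # a host beyond the WAN

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface the packet arrives on
    proto: str = "*"             # "*" matches any protocol
    src: Optional[str] = None    # None matches any source
    dst: Optional[str] = None    # None = any; "!x" means "not x"
    dport: Optional[int] = None  # None matches any destination port

def _match_addr(pattern, addr):
    if pattern is None:
        return True
    negate = pattern.startswith("!")
    hit = ip_address(pattern.lstrip("!")) == addr
    return not hit if negate else hit

def matches(rule, pkt):
    return (rule.iface == pkt["iface"]
            and rule.proto in ("*", pkt["proto"])
            and _match_addr(rule.src, pkt["src"])
            and _match_addr(rule.dst, pkt["dst"])
            and (rule.dport is None or rule.dport == pkt["dport"]))

def evaluate(rules, pkt):
    """Per-interface rules are first-match; no match falls through to the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"

# The poster's LAN rule: pass anything not addressed to the LAN interface itself.
LAN_RULES_ORIGINAL = [Rule("pass", "lan", dst=f"!{LAN_ADDR}")]
# With clarknova's fix: allow DNS to the LAN address before the catch-all pass.
LAN_RULES_FIXED = [Rule("pass", "lan", proto="udp", dst=str(LAN_ADDR), dport=53),
                   Rule("pass", "lan", proto="tcp", dst=str(LAN_ADDR), dport=53),
                   Rule("pass", "lan", dst=f"!{LAN_ADDR}")]

def lan_packet(dst, proto="udp", dport=53):
    return {"iface": "lan", "proto": proto, "src": LAN_CLIENT, "dst": dst, "dport": dport}
```

Note that "!LAN address" only excludes the LAN interface IP, so a LAN client addressing the WAN interface IP still matches the pass rule under both rule sets; the test below shows that case as well.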
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.