Netgate Discussion Forum
    Separate Network

    Routing and Multi WAN
    25 Posts 6 Posters 3.8k Views

      Derelict (LAYER 8 Netgate)

      Something like this on your OPT1 interface.

      [image: ow-rules.png]

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

        ditrone

        Looked in the firewall rules for OPT1 and I see *.
        I added a block rule above that for all IPv4 + IPv6 traffic:

        • Source: *  Port: *  Destination: LAN net  Port: *  Gateway: *
          I'll report test results.
          jahonix

          You pretty much nailed it.
          Not as granular as Derelict showed, but it does exactly what you want.

            johnpoz (LAYER 8 Global Moderator)

            So Derelict, curious: are you running local networks that are not RFC1918? Curious on the reject to RFC1918 as well as local networks? I see no point in that 2nd rule unless you're running non-RFC1918 locally?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

              Derelict (LAYER 8 Netgate)

              Sometimes. It is redundant in many cases. For most, simply blocking RFC1918 is probably all they need to do, and it would be set and forget.

                ditrone

                Another beginner problem. I'm still able to access the pfSense web login at 192.168.0.1 (OPT1 network). I'm sure there is a setting in pfSense to block this.

                And I did read this:

                https://doc.pfsense.org/index.php/Restrict_access_to_management_interface

                Can this be made simpler?

                Clients on APs on the switch connected to OPT1 need to be able to access the captive portal.

                  johnpoz (LAYER 8 Global Moderator)

                  And let's see your rules.

                    ditrone

                    @johnpoz:

                    And let's see your rules.

                    Attached.

                    ![Screenshot - 06062015 - 12:29:59 PM.png](/public/imported_attachments/1/Screenshot - 06062015 - 12:29:59 PM.png)
                    ![Screenshot - 06062015 - 12:30:52 PM.png](/public/imported_attachments/1/Screenshot - 06062015 - 12:30:52 PM.png)

                      Derelict (LAYER 8 Netgate)

                      The fourth rule in my example (This firewall) would block that. As would blocking all RFC1918, also in my example.

                      I use the This firewall rule because it covers every interface on the node, including any WANs. (Try it: bring up the webgui by accessing it from the inside using your WAN address.)

                      • Pass specific local traffic (DNS and Ping)
                      • Block more general local traffic (All RFC1918, This firewall, Specific local networks)
                      • Pass everything else (The Internet)

                        johnpoz (LAYER 8 Global Moderator)

                        Yeah, so your block rule stopping you from talking to LAN net does not stop you from talking to the pfSense interface in the OPT1 network, or say your WAN interface. While your allow rule allows you to go anywhere you want that did not get triggered by the block rule of LAN net.

                        You could add a firewall rule dest "this firewall" that would block you from talking to anything pfSense might be listening on - keep in mind this would prevent you from even talking to DNS on pfSense. Here are my rules I have set on my guest WLAN - that keeps it from even using pfSense for DNS and just allows ping to pfSense.

                        [image: wlanguestrules.png]

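The rule-ordering points Derelict and johnpoz make above (a block on LAN net leaves the firewall's own OPT1 and WAN addresses reachable; a "This firewall" block placed first also kills DNS for the captive portal), plus the management-ports alias suggested later in the thread, worked through as an added Python example that is not part of any post here. It simulates pf's first-match evaluation; only 192.168.0.1 comes from the thread, while the 192.168.1.0/24 LAN net, the LAN/WAN firewall addresses and the Internet host are constructed placeholders.

```python
# Added example (not from the thread): first-match evaluation of the OPT1
# rule sets discussed above. Only 192.168.0.1 comes from the thread; the
# LAN net, LAN/WAN firewall addresses and Internet host are constructed.
from ipaddress import ip_address, ip_network

OPT1_FW = "192.168.0.1"      # pfSense address on OPT1 (from the thread)
LAN_FW = "192.168.1.1"       # constructed: pfSense address on LAN
WAN_FW = "203.0.113.5"       # constructed: pfSense WAN address

# Destination aliases as the pfSense rule editor exposes them.
ALIASES = {
    "LAN net": [ip_network("192.168.1.0/24")],            # constructed
    "RFC1918": [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "This firewall": [ip_network(a + "/32") for a in (OPT1_FW, LAN_FW, WAN_FW)],
    "any": [ip_network("0.0.0.0/0")],
}
MGMT_PORTS = {22, 80, 443}   # the "ManagementPorts" alias idea from the thread

def decide(rules, proto, dst, port=None):
    """pf-style first match: the first rule whose protocol, destination alias
    and port set all match decides; with no match pfSense denies by default."""
    dst = ip_address(dst)
    for action, r_proto, r_dst, r_ports in rules:
        if ((r_proto == "any" or r_proto == proto)
                and any(dst in net for net in ALIASES[r_dst])
                and (r_ports is None or port in r_ports)):
            return action
    return "block"

# Rule = (action, protocol, destination alias, destination ports or None=any)
BLOCK_LAN_ONLY = [("block", "any", "LAN net", None),      # ditrone's first try
                  ("pass", "any", "any", None)]
DERELICT = [("pass", "udp", "This firewall", {53}),       # DNS to pfSense
            ("pass", "tcp", "This firewall", {53}),
            ("pass", "icmp", "This firewall", None),      # ping the gateway
            ("block", "any", "RFC1918", None),            # every private range
            ("block", "any", "This firewall", None),      # incl. the WAN address
            ("pass", "any", "any", None)]                 # the Internet
# "This firewall" block moved to the top: the DNS pass rules are never reached.
BLOCK_FW_ON_TOP = [("block", "any", "This firewall", None)] + DERELICT[:3] + DERELICT[5:]
# Management ports only (combine with a LAN net / RFC1918 block in practice).
MGMT_ONLY = [("block", "tcp", "This firewall", MGMT_PORTS),
             ("pass", "any", "any", None)]

if __name__ == "__main__":
    for name, rules in (("block LAN only", BLOCK_LAN_ONLY), ("Derelict", DERELICT),
                        ("block fw on top", BLOCK_FW_ON_TOP), ("mgmt ports", MGMT_ONLY)):
        print(f"{name:16} webgui={decide(rules, 'tcp', OPT1_FW, 443)} "
              f"dns={decide(rules, 'udp', OPT1_FW, 53)}")
```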
                          ditrone

                          I added a block all traffic "This firewall" rule at the top of the list on OPT1 and the captive portal no longer loads up.
                          Looks like I blocked out DNS or something. I don't understand how you can "keep users from using pfSense for DNS"
                          or why; I want the users to use pfSense for DNS, right?
                          Removing this rule to get the captive portal back online.
                          I think I got it figured out by following the instructions mentioned above.

                            doktornotor (Banned)

                            You really ONLY want to block the management ports. Not really sure what the goal is of shooting yourself in the foot by blocking all traffic!!!

                              Derelict (LAYER 8 Netgate)

                              I gave you exactly what you need to do.

                                johnpoz (LAYER 8 Global Moderator)

                                Not sure what you want to do on your network; if you want your guests to use pfSense DNS and be able to resolve your local names, that is up to you. My guests get handed an IP and the ISP DNS - they are there as guests to use the internet connection, not anything to do with my network. I let them ping their gateway as verification that, hey, the wireless is actually working, etc.

                                But they have no need to use my internal DNS to resolve google.com - the ISP DNS can do that for them, etc.

                                What is it you want to do exactly? Then write the rules to do that. You have been given multiple examples.

                                  ditrone

                                  @doktornotor:

                                  You really ONLY want to block the management ports. Not really sure what the goal is of shooting yourself in the foot by blocking all traffic!!!

                                  I don't want users on OPT1 listening to LAN traffic.

                                    doktornotor (Banned)

                                    @ditrone:

                                    I don't want users on OPT1 listening to LAN traffic.

                                    Huh? What? I am talking about the "This Firewall" rule. Plus, you have been given multiple solutions, really no idea what you are inventing here…

                                      ditrone

                                      @johnpoz:

                                      Not sure what you want to do on your network; if you want your guests to use pfSense DNS and be able to resolve your local names, that is up to you. My guests get handed an IP and the ISP DNS - they are there as guests to use the internet connection, not anything to do with my network. I let them ping their gateway as verification that, hey, the wireless is actually working, etc.

                                      But they have no need to use my internal DNS to resolve google.com - the ISP DNS can do that for them, etc.

                                      What is it you want to do exactly? Then write the rules to do that. You have been given multiple examples.

                                      Thank you everyone for the examples, I will use them.

                                        ditrone

                                        Here is how I ended up setting this up:

                                        ![Screenshot - 06072015 - 05:03:48 PM.png](/public/imported_attachments/1/Screenshot - 06072015 - 05:03:48 PM.png)

                                          doktornotor (Banned)

                                          Looks good. You can make a ports alias (like ManagementPorts or whatever) for 22+80+443 and make the first 3 rules into a single one.

                                            ditrone

                                            @doktornotor:

                                            Looks good. You can make a ports alias (like ManagementPorts or whatever) for 22+80+443 and make the first 3 rules into a single one.

                                            Excellent, I was wondering how to add multiple ports to a firewall rule.
                                            Using aliases might help with RAM and swap consumption as well.
                                            Currently swap is 60% of 1024 MB and RAM is 65% of 467 MB.

                                            Here is how I have it now and it is working fine.

                                            ![Screenshot - 06072015 - 05:30:06 PM.png](/public/imported_attachments/1/Screenshot - 06072015 - 05:30:06 PM.png)
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.