Netgate Discussion Forum

Separate Network (Routing and Multi WAN)
ditrone:

I added a block-all-traffic "This Firewall" rule at the top of the list on OPT1 and the captive portal no longer loads up.
Looks like I blocked out DNS or something. I don't understand how you can "keep users from using pfSense for DNS",
or why; I want the users to use pfSense for DNS, right?
Removing this rule to get the captive portal back online.
I think I got it figured out by following the instructions mentioned above.
doktornotor:

You really ONLY want to block the management ports. Not really sure what's the goal of shooting yourself in the foot by blocking all traffic!!!
Derelict (Netgate):

I gave you exactly what you need to do.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
johnpoz (Global Moderator):

Not sure what you want to do on your network, if you want your guests to use pfSense DNS and be able to resolve your local names. That is up to you; my guests get handed an IP and the ISP DNS. They are there as guests to use the internet connection, not anything to do with my network. I let them ping their gateway as verification that, hey, the wireless is actually working, etc.

But they have no need to use my internal DNS to resolve google.com; the ISP DNS can do that for them, etc.

What is it you want to do exactly? Then write the rules to do that. You have been given multiple examples.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1
ditrone:

@doktornotor:

You really ONLY want to block the management ports. Not really sure what's the goal of shooting yourself in the foot by blocking all traffic!!!

I don't want users on OPT1 listening to LAN traffic.
doktornotor:

@ditrone:

I don't want users on OPT1 listening to LAN traffic.

Huh? What? I am talking about the "This Firewall" rule. Plus, you have been given multiple solutions; really no idea what you are inventing here...
ditrone:

@johnpoz:

Not sure what you want to do on your network, if you want your guests to use pfSense DNS and be able to resolve your local names. That is up to you; my guests get handed an IP and the ISP DNS. They are there as guests to use the internet connection, not anything to do with my network. I let them ping their gateway as verification that, hey, the wireless is actually working, etc.

But they have no need to use my internal DNS to resolve google.com; the ISP DNS can do that for them, etc.

What is it you want to do exactly? Then write the rules to do that. You have been given multiple examples.

Thank you everyone for the examples, I will use them.
ditrone:

Here is how I ended up setting this up:

![Screenshot - 06072015 - 05:03:48 PM.png](/public/imported_attachments/1/Screenshot - 06072015 - 05:03:48 PM.png)
doktornotor:

Looks good. You can make a ports alias (like ManagementPorts or whatever) for 22+80+443 and make the first 3 rules into a single one.
ditrone:

@doktornotor:

Looks good. You can make a ports alias (like ManagementPorts or whatever) for 22+80+443 and make the first 3 rules into a single one.

Excellent, I was wondering how to add multiple ports to a firewall rule.
Using aliases might help with RAM and swap consumption as well.
Currently swap is 60% of 1024 MB and RAM is 65% of 467 MB.

Here is how I have it now, and it is working fine.

![Screenshot - 06072015 - 05:30:06 PM.png](/public/imported_attachments/1/Screenshot - 06072015 - 05:30:06 PM.png)
Derelict (Netgate):

If you want them to be able to ping and do DNS lookups, I don't see why you wouldn't pass those, then block everything else. It's more sound firewall rule design.
ditrone:

@Derelict:

If you want them to be able to ping and do DNS lookups, I don't see why you wouldn't pass those, then block everything else. It's more sound firewall rule design.

I tried blocking all RFC1918 traffic on the interface, but I can't seem to move that rule below the rules allowing DNS.
The captive portal stops working. Well, the captive portal works but DNS doesn't.
When you say "It's more sound firewall rule design," what do you mean?
Derelict (Netgate):

Pass what you need them to have access to and block everything else. The way you're doing it, if you start another service on the firewall, change your webGUI port, etc., you have to remember to specifically block it.

You need to add things like DNS servers to your captive portal allowed IP addresses in addition to passing the DNS traffic in the regular firewall.
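To show why the pass-then-block layout Derelict describes is the sounder design, here is an added example (not from the thread and not pfSense code) that simulates pfSense's top-down, first-match evaluation of OPT1 rules over the two layouts from the discussion, plus the mis-ordered variant ditrone ran into. The OPT1 firewall address and the contents of the "ManagementPorts" alias are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab values (assumptions, not from the thread): the firewall's OPT1 address.
OPT1_FW_ADDR = ipaddress.ip_address("192.168.2.1")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MANAGEMENT_PORTS = (22, 80, 443)  # contents of a "ManagementPorts" alias as suggested in the thread

@dataclass
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "any", "tcp", "udp" or "icmp"
    dst: str           # "any", "this_firewall" or "rfc1918"
    ports: tuple = ()  # () means any destination port

def _matches(rule, proto, dst_ip, dst_port):
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dst == "this_firewall" and dst_ip != OPT1_FW_ADDR:
        return False
    if rule.dst == "rfc1918" and not any(dst_ip in net for net in RFC1918):
        return False
    return not rule.ports or dst_port in rule.ports

def evaluate(rules, proto, dst, dst_port=None):
    """Interface rules are checked top-down and the first match wins; no match is the implicit default deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, proto, dst_ip, dst_port):
            return rule.action
    return "block"

# Blocklist layout: block the known management ports on the firewall, then pass everything.
BLOCKLIST = [
    Rule("block", "tcp", "this_firewall", MANAGEMENT_PORTS),
    Rule("pass", "any", "any"),
]

# Allowlist layout: pass only DNS and ping to the firewall, block the rest of RFC1918, pass the internet.
ALLOWLIST = [
    Rule("pass", "udp", "this_firewall", (53,)),
    Rule("pass", "tcp", "this_firewall", (53,)),
    Rule("pass", "icmp", "this_firewall"),
    Rule("block", "any", "rfc1918"),
    Rule("pass", "any", "any"),
]

# The RFC1918 block placed above the DNS passes: the ordering that broke DNS for guests.
MISORDERED = [ALLOWLIST[3]] + ALLOWLIST[:3] + [ALLOWLIST[4]]
```

Under the blocklist layout a new service on the firewall (say port 8443) and every LAN host stay reachable from OPT1; under the allowlist layout both are denied without any rule change, while DNS and ping to the firewall still pass, unless the RFC1918 block is ordered above them.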
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.