Netgate Discussion Forum

    Opt1 interface setup

    • weehooey

      malcmail - I owe you an apology. I read your post too quickly. jahonix is correct, my reply would not do what you wanted.

      jahonix - Thank you for pointing out my mistake. One question: had he wanted to just add wireless, why is it better to use a switch than to use Opt1? I have seen that comment before but am unclear as to why. The only thing that comes to mind is to offload the switching of the LAN traffic to the switch (should be a cheaper device). Is there another reason?

      malcmail - Regarding your follow-up questions: are you pinging an IP address or a hostname? If you are pinging a hostname, try an IP address (e.g. 8.8.8.8). You might not have DNS.

      • malcmail

        weehooey - no problem. We've all done it. I tried pinging Google by number rather than name to check if it was DNS but no joy sadly.

        So checking again, I can ping the wireless AP from the client device but not the opt1 interface at 192.168.10.1. But the device has an IP address in the right subnet - and that is only being handled by pfSense as there is no DHCP on the wireless AP. I thought I was confused before!!

        • Gertjan

          Just checking here …
          Are you aware of the fact that the LAN interface is "delivered" with a default pass-all rule?!
          And that all other interfaces you activate afterwards (OPT1, OPT2, etc.) have NO firewall rules, so NOTHING gets in - like DHCP requests?!?

          In other words: what are your firewall rules for OPT1?

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • malcmail

            Yup. Spotted that one. So on Opt1 I have copied the LAN rules (changing the interface of course). Hopefully the attached shows enough of the rules to highlight any likely errors.

            ![OPT1 firewall rules.JPG](/public/imported_attachments/1/OPT1 firewall rules.JPG)

            • Gertjan

              @malcmail:

              Yup. Spotted that one. So on Opt1 I have copied the LAN rules (changing the interface of course). Hopefully the attached shows enough of the rules to highlight any likely errors.

              Your image shows the OPT1 firewall rules?
              "LAN Net" is NOT "OPT1 Net".
              Can you show the OPT1 firewall rules? (Because we are talking OPT1 setup, not LAN setup.)

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • malcmail

                And there we have it. The bonehead move that I inevitably made. Duh! Thanks very much for your help there.

                • jahonix

                  @weehooey:

                  had he wanted to just add wireless, why is it better to use a switch than to use Opt1?

                  A router interface is in no way a substitution for a switchport.
                  With a software-based router each packet has to go all the way down to the kernel and back up to the interface again. Compare that to a switch where packet-pushing is handled in hardware within its chipset.

                  • jahonix

                    And for blocking WLAN to LAN, create a rule to block From: Opt1 Net To: LAN Net above any allow rule.

                    • malcmail

                      Thanking you Sir. I presume that still allows the LAN clients to access anything on OPT1?

                      If I want to open one item (a printer) to OPT1 users I presume I can set up an allow rule before the deny rule to allow OPT1 net to access 192.168.1.{printer} (clearly with a number instead).

                      And then it is on to traffic shaping :) And maybe captive portal just for a laugh frankly ;)

                      • jahonix

                        @malcmail:

                        I presume that still allows the LAN clients to access anything on OPT1?

                        Sure, you always filter what is coming IN on a specific interface.
                        What's coming from your LAN is OUT on Opt1 interface. If you wanted to filter that it would be on the LAN rules tab.

                        @malcmail:

                        If I want to open one item (a printer) to OPT1 users I presume I can set up an allow rule before the deny rule to allow OPT1 net to access 192.168.1.{printer} (clearly with a number instead).

                        Exactly.

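
The rule order this thread settles on (allow the printer, then block OPT1 net to LAN net, then allow everything else), together with the copied-rule mistake that left OPT1 clients without a matching rule, as an added example that is not from any poster in the thread. It models top-down, first-match evaluation of one interface tab on source and destination only; the /24 masks, the LAN subnet 192.168.1.0/24 and the printer address 192.168.1.50 are assumptions.

```python
import ipaddress

# Assumed addressing: the thread gives 192.168.10.1 (OPT1) and 192.168.1.x (LAN);
# the /24 masks and the printer host address are constructed for this example.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("192.168.10.0/24")
PRINTER = ipaddress.ip_network("192.168.1.50/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


def evaluate(rules, src, dst):
    """Return (action, label) of the first rule matching a packet entering the interface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst, label in rules:
        if src in rule_src and dst in rule_dst:
            return action, label
    return "block", "default deny (no rule matched)"


# LAN rule copied to the OPT1 tab with the source left as "LAN net":
# OPT1 clients (192.168.10.x) never match it, so they fall through to default deny.
OPT1_COPIED = [("pass", LAN_NET, ANY, "allow LAN net to any")]

# Corrected tab: printer exception first, then the block, then the general allow.
OPT1_FIXED = [
    ("pass", OPT1_NET, PRINTER, "allow OPT1 net to printer"),
    ("block", OPT1_NET, LAN_NET, "block OPT1 net to LAN net"),
    ("pass", OPT1_NET, ANY, "allow OPT1 net to any"),
]

# Same rules with the general allow on top: the block below it is never reached.
OPT1_MISORDERED = [OPT1_FIXED[2], OPT1_FIXED[0], OPT1_FIXED[1]]


def shadowed(rules):
    """Labels of rules that can never match because an earlier rule fully covers them."""
    hidden = []
    for i, (_, src, dst, label) in enumerate(rules):
        if any(src.subnet_of(s) and dst.subnet_of(d) for _, s, d, _ in rules[:i]):
            hidden.append(label)
    return hidden
```

Running `shadowed()` over a rule list before applying it is a quick review check that a block rule has not ended up below a broader allow.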