Isolate VLAN but pass DHCP & Internet?
-
Then you did it wrong. There is nothing in those rules blocking the same. The traffic will be passed by the last rule.
-
So you either altered your rules, or went to wrong IP or port. There is nothing in those rules that stops a box on the opt net from talking to any port it wants on the firewalls opt net interface, or the wan IP via optnet.. So yeah your going to be able to hit the pfsense web gui, ssh to pfsense, etc.
-
Here is what I did.
-
Plugged laptop into correct vlan port on switch (laptop received correct IP, 192.168.20.5)
-
Browsed via Chrome to my public IP supplied from ISP on the correct port
-
Browser could not reach the gui
Could it be because I have the "Block private networks and loopback addresses" and "Block Bogons" options checked on the WAN interface?
-
-
I've added this rule to block the WAN. I've tried to browse to the WAN IP and it cant reach it..
-
Just pass the specific things on the firewall you want them to be able to access (like DNS) then block any to This Firewall (self).
-
Does that last pic of the rule set achieve what I'm after? Blocking IOTnet from everything except the internet? That's all I'm trying to do.
It seems like it does based on trying to access things from the laptop when plugged into the IOT vlan port.
-
This firewall (self) makes more sense as the destination of your last rule than WAN net.
-
This firewall (self) makes more sense as the destination of your last rule than WAN net.
As soon as I switch it to "This Firewall (self)" devices on IOT loose internet connection fyi…
-
Well post up your current rules.. Yes if you block access to the firewall before you allow for dns say then no the internet is not going to work if your using pfsense for your dns.. Or if you running a proxy and block access to the firewall before you allow the proxy port, etc. etc.
Rules are evaluated top down as traffic enters the interface, first rule to trigger wins and no other rules are evaluated. If the traffic is not allowed then it hits the default deny and would be blocked.
-
I've added the DNS NAT forward & rule that I did on the LAN interface (from the Squid setup post: https://forum.pfsense.org/index.php?topic=112335.0) to this interface as well. The devices are reaching the internet now.
If there is a better way of forcing all devices to use pfsense for the DNS (I'm using the DNS resolver) please let me know..
edit: found this: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
