Netgate Discussion Forum
2 LANs - need mutual exclusivity

Routing and Multi WAN
• lastat

      I have dug around quite a bit and I think I don't understand because from what I have read:

      10.0.20.x/255.255.255.0
      and
      10.1.20.x/255.255.255.0

Should not be able to see each other… but my 10.1s can see my 10.0s - but not vice versa! i.e. a computer on 10.1 can go to a web page/server on 10.0 but a computer on 10.0 cannot get to a web page/server on 10.1. Same with SSH etc.

      What I want is mutual exclusivity.

      ALL 10.1.20.x traffic goes through pfSense LAN. The pfSense WAN goes to a LAN port of 10.0.20.x

      I have attached a network diagram.

      Also, the current router connected to ISP/CableModem must be first in line.

      Thoughts on how to establish this total isolation of 10.1?
![Network Diagram.png](/public/imported_attachments/1/Network Diagram.png)
• viragomann

        So just exclude the 10.0.20.x/255.255.255.0 from the allow rule on pfSense LAN interface. To do so, check "invert" at destination and select "WAN net".
        This presumes that the pfSense WAN is in 10.0.20.x/255.255.255.0 and the mask is set correctly.

• lastat

          I added a new LAN rule, on top, blocking LAN Net from 10.0.20.0/24 - that works… but has a major hole. An Admin on 10.1 can simply disable this rule and then access 10.0.

          So now that I think through it, pfSense won't be the solution as 10.0 needs to consider all of 10.1 insecure while 10.1 "owns" all of 10.1.

          I guess I need something at the ESXi virtual interface or back at the router.

• Derelict (LAYER 8, Netgate)

            Ugh.

            On LAN1 reject destination LAN2 network then pass what you want below it.
            On LAN1 reject destination LAN1 network then pass what you want below it.

            Do not attempt to block traffic with pass rules. Explicitly block the traffic you want blocked with block/reject rules.

            That said, your design is hosed.

            If you want 10.0.20.0/24 and 10.1.20.0/24 to be firewalled, they need to be separate firewall interfaces. You are probably going to need a managed switch and the ability to tag multiple VLANs to vmware to accomplish what you want.

> 2 LANs - need mutual exclusivity

            You do not have two LANs. You have one LAN. Your hosts are out on the "WAN" as far as pfSense is concerned.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

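The rule-ordering point made above, as an added illustration that is not part of the thread or of pfSense itself: a small Python model of top-down, first-match rule evaluation with an implicit default deny, comparing the explicit reject-then-pass ordering with the inverted-destination pass rule suggested earlier in the thread. Rule tuples, rule-set names and the sample addresses are constructed for the example.

```python
"""Model of first-match firewall rule evaluation for the two subnets in the thread.

Added example, not pfSense code. Rules are evaluated top-down; the first match
decides, and a flow that matches nothing hits the implicit default deny.
"""
from ipaddress import ip_address, ip_network

LAN1 = ip_network("10.1.20.0/24")   # hosts behind the pfSense LAN interface
LAN2 = ip_network("10.0.20.0/24")   # the "WAN net" side in the thread
ANY = ip_network("0.0.0.0/0")

# A rule is (action, destination network, invert_destination).
# Constructed rule sets, named after the two approaches discussed in the thread.
EXPLICIT_RULES = [           # reject the other subnet first, then pass the rest
    ("reject", LAN2, False),
    ("pass", ANY, False),
]
INVERTED_PASS_RULES = [      # a single pass rule with destination "not LAN2"
    ("pass", LAN2, True),
]
# A permissive rule someone might add later for an unrelated service.
LATER_PASS_ANY = ("pass", ANY, False)


def evaluate(rules, dst):
    """Return the action of the first rule matching dst, or 'block' (default deny)."""
    dst = ip_address(dst)
    for action, net, invert in rules:
        matched = (dst in net) != invert   # invert flips the destination match
        if matched:
            return action
    return "block"


def isolation_holds(rules):
    """True if a LAN1 host cannot reach a LAN2 host but can still reach the internet."""
    to_lan2 = evaluate(rules, "10.0.20.10")
    to_internet = evaluate(rules, "203.0.113.7")   # TEST-NET-3 address, constructed
    return to_lan2 in ("block", "reject") and to_internet == "pass"


if __name__ == "__main__":
    # Both orderings isolate LAN2 on their own...
    print("explicit:", isolation_holds(EXPLICIT_RULES))
    print("inverted pass:", isolation_holds(INVERTED_PASS_RULES))
    # ...but only the explicit reject survives a pass-any rule appended below it.
    print("explicit + pass any:", isolation_holds(EXPLICIT_RULES + [LATER_PASS_ANY]))
    print("inverted + pass any:", isolation_holds(INVERTED_PASS_RULES + [LATER_PASS_ANY]))
```

With the inverted-destination pass rule the blocked path only stays blocked because nothing else matches, so any later pass rule beneath it silently reopens LAN2; an explicit reject above the pass rules keeps that decision regardless of what is added below.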
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.