Best way to isolate an IP from everything BUT the internet

ice_mf_mike

@Derelict:

Same subnet traffic is not processed by the firewall at all. This is fundamental IP networking/routing.

You can create a VLAN on the existing interface and set it to tagged on the switch.

If igb1 goes to the switch:

Create VLAN 20 on igb1 Interfaces > Assignments, VLANs

Interfaces > Assignments and create new OPTX interface using VLAN 20 on igb1

Edit the interface, enable it, number it, enable a DHCP server for it, etc.

Create a pass any any firewall rule on OPTX

Tag VLAN 20 on the switch port going to igb1

Put a switchport untagged on VLAN 20

Connect a test device to it. Be sure you get an address in the correct scope, can get out to the internet, etc.

Tighten the firewall rules as described above.

Ok i have a new inteface for vlan on opt1.  But i dont see an option to enable dhcp for that interface.  On the interfaces page i do have dhcp enabled.

Derelict

Services > DHCP Server

I didn't outline every click necessary.

ice_mf_mike

@Derelict:

Services > DHCP Server

I didn't outline every click necessary.

Yes, my screenshot was from that page.  It only gives me the option to adjust the LAN interface.

Derelict

Then you hosed up the numbering of the new OPTX interface. You probably set a /32 netmask there.

ice_mf_mike

@Derelict:

Then you hosed up the numbering of the new OPTX interface. You probably set a /32 netmask there.

I used a /24.

Any other ideas?

Derelict

You need to statically set annb address on the new interface to the new subnet you want on that interface. Do it just like LAN.

ice_mf_mike

@Derelict:

You need to statically set annb address on the new interface to the new subnet you want on that interface. Do it just like LAN.

So you mean i should use /32?

Derelict

No.

You are making a new subnet on a new interface. You need to number the interface then create a DHCP server.

Example interface configuration attached.

ice_mf_mike

@Derelict:

No.

You are making a new subnet on a new interface. You need to number the interface then create a DHCP server.

Example interface configuration attached.

Thanks!  The static ip did the trick. Ok.  So i have the opt interface configured.  DHCP configured.  the computer plugged into the opt1 port on the sg-3100.  But it will not pull an IP address.  Static does not allow it to connect to anything either.

Any ideas?


Derelict

Did you make a VLAN or not?

When the device is connected to the port does the status go to up in Status > Interfaces?

You have protocols TCP and UDP on your firewall rule. That will not pass pings, for instance. Change that to protocol any unless you can articulate why you need just TCP/UDP.

https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

ice_mf_mike

@Derelict:

Did you make a VLAN or not?

When the device is connected to the port does the status go to up in Status > Interfaces?

You have protocols TCP and UDP on your firewall rule. That will not pass pings, for instance. Change that to protocol any unless you can articulate why you need just TCP/UDP.

https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

Yes i made a VLAN when first started.  Used 320 as the ID.  Also the interface shows as up.

Derelict

Then you have to tag the traffic with VLAN ID 320. You mighht be able to do that in the NIC settings on your computer, but it would probably be easier to connect it to a switch that is configured for TAGGED VLAN 320, then connect your test device to a port on the switch that is UNTAGGED for VLAN 320.

ice_mf_mike

@Derelict:

Then you have to tag the traffic with VLAN ID 320. You mighht be able to do that in the NIC settings on your computer, but it would probably be easier to connect it to a switch that is configured for TAGGED VLAN 320, then connect your test device to a port on the switch that is UNTAGGED for VLAN 320.

Im using a SG-3100.  How can i do that with this hardware?

Derelict

Post your Interfaces > Assignments screen

And Interfaces > Switches, Ports

And Interfaces > Switches, VLANs

ice_mf_mike

@Derelict:

Post your Interfaces > Assignments screen

And Interfaces > Switches, Ports

And Interfaces > Switches, VLANs

posted.  Thanks again for the help here.


Derelict

You cannot do it in the switch there. mvneta0 is not part of the built-in switch. If you really want to use that OPT1 port, and don't want to hassle the VLAN or put a switch on it, then just change the assignment for  OPT1 to mvneta0 instead of VLAN 320 on mvneta0 and it will start working.

ice_mf_mike

@Derelict:

You cannot do it in the switch there. mvneta0 is not part of the built-in switch. If you really want to use that OPT1 port, and don't want to hassle the VLAN or put a switch on it, then just change the assignment for  OPT1 to mvneta0 instead of VLAN 320 on mvneta0 and it will start working.

ok perfect.  That worked.  So let me ask you one last question.  If i wanted to do this for one of my LAN ports, is that possible?  Or is my best best connecting a switch to the opt1 port and using that for anything i want segmented from the rest of the network?

Thanks again.

Derelict

You could tweak the switch into doing what you want by putting it in dot1q mode with VLAN 320 on mvneta0, then configuring the switch to be tagged on port 5 and untagged on one of the 4 edge ports.

But if you're happy with how you have it just connect OPT1 to a switch (managed or unmanaged) and connect all of the devices you want on that network to that switch.