Netgate Discussion Forum
    Private game server behind pfsense

      A Former User

      Hi all, been searching the forums for suggestions but have come up pretty dry.
      I'm building a private server for a popular MMO. I want it completely isolated from all my LAN traffic. If I get a 3rd network card for the server, what more would I need to do? Can someone give me a heads up into the proper starting point?

      thanks

        marvosa

        If you're isolating it physically, then you'll need a 2nd switch in addition to that 3rd NIC.

        Otherwise, you can add a managed switch and use VLANs.

          KOM

          It's literally as simple as adding a firewall rule to that interface that blocks traffic to LAN.

            A Former User

            @marvosa said in Private game server behind pfsense:

            If you're isolating it physically, then you'll need a 2nd switch in addition to that 3rd NIC.

            Otherwise, you can add a managed switch and use VLANs.

            The only device on the network is the game server, there will not be any other devices. What do I need the 2nd switch for? The setup, I thought, would be as simple as a network cable from the opt1 interface to the server PC.

            @kom said in Private game server behind pfsense:

            It's literally as simple as adding a firewall rule to that interface that blocks traffic to LAN.

            Thank you, didn't know if I should take it to another level. Just wanted security by isolation and wasn't sure if there was more I should/could do.

              stephenw10 Netgate Administrator

              You should just be able to connect the server directly if you don't need any other devices on that subnet. Unless it's not using Gigabit Ethernet (unlikely) in which case you might need a cross-over cable.

              If you only have incoming connections to the server you don't necessarily need any rules on the OPT1 interface, all traffic from the server is blocked. However you will probably need the server to fetch updates etc so it will need rules to allow it to reach DNS and external IPs at least. Simply by omitting any rules that allow access to LAN though it will be isolated.

              Steve

                A Former User

                Yeah there will be incoming connections to the server, I just wanted to ensure that there's no way a curious player could find their way into my personal LAN. I added a rule for the OPT1 interface (the server) to allow all protocols to any destination, then added another rule that simply blocks all source traffic from OPT1 to LAN. Does that sound right?

                  stephenw10 Netgate Administrator

                  That will work as long as the block rule is above the pass rule.

                  Steve

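The rule-order point from the replies above, as an added example that is not part of the original thread and is not pfSense's own code: a small Python model of first-match evaluation on the OPT1 interface, plus a check for rules that can never fire because an earlier rule already covers them. The subnets, host addresses and rule descriptions are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing for illustration (not from the thread).
LAN_NET = ip_network("192.168.1.0/24")    # assumed LAN subnet
OPT1_NET = ip_network("192.168.2.0/24")   # assumed game-server subnet
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    descr: str

BLOCK_LAN = Rule("block", OPT1_NET, LAN_NET, "block OPT1 to LAN")
PASS_ANY = Rule("pass", OPT1_NET, ANY, "pass OPT1 to any")

def evaluate(rules, src, dst):
    """First matching rule decides; with no match the traffic is blocked."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action, rule.descr
    return "block", "default deny (no rule matched)"

def shadowed_rules(rules):
    """Descriptions of rules fully covered by an earlier rule (never evaluated)."""
    hidden = []
    for i, later in enumerate(rules):
        if any(later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst)
               for e in rules[:i]):
            hidden.append(later.descr)
    return hidden

# Constructed probes: traffic entering the firewall on OPT1 from the server.
PROBES = {
    "server -> LAN host": ("192.168.2.10", "192.168.1.50"),
    "server -> internet": ("192.168.2.10", "203.0.113.7"),
}

def audit(rules):
    """Map each probe name to the action the ruleset takes for it."""
    return {name: evaluate(rules, s, d)[0] for name, (s, d) in PROBES.items()}

if __name__ == "__main__":
    for label, rules in [("block above pass", [BLOCK_LAN, PASS_ANY]),
                         ("pass above block", [PASS_ANY, BLOCK_LAN]),
                         ("no rules on OPT1", [])]:
        print(f"{label}: {audit(rules)} shadowed={shadowed_rules(rules)}")
```

With the pass rule on top, the block rule is reported as shadowed and the server reaches the LAN; with no rules at all, everything the server originates is dropped, which matches the earlier reply about omitting rules.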
                    A Former User @stephenw10

                    @stephenw10 Fortunately I was able to figure that out. Any other security suggestions? Thanks for the help

                      marvosa @Guest

                      @bumzag said in Private game server behind pfsense:

                      @marvosa said in Private game server behind pfsense:

                      If you're isolating it physically, then you'll need a 2nd switch in addition to that 3rd NIC.

                      Otherwise, you can add a managed switch and use VLANs.

                      The only device on the network is the game server, there will not be any other devices. What do I need the 2nd switch for? The setup, I thought, would be as simple as a network cable from the opt1 interface to the server PC.

                      @kom said in Private game server behind pfsense:

                      It's literally as simple as adding a firewall rule to that interface that blocks traffic to LAN.

                      Thank you, didn't know if I should take it to another level. Just wanted security by isolation and wasn't sure if there was more I should/could do.

                      Why do you need a 2nd switch? You will want a 2nd switch for a proper design. Without it, you leave that segment of your network without a switched fabric.

                      Can you plug your server directly into the OPT1 NIC? Technically yes, but pfSense isn't a switch and shouldn't be used as one. Trying to leverage the pfSense NICs as switches can lead to performance issues.

                        stephenw10 Netgate Administrator

                        You don't need a switch if there are only two hosts in the segment, there is no switching to be done. IMO at least.

                        I wouldn't use a switch there.

                        Steve
