Netgate Discussion Forum

Configuration of a Dedicated Management Interface on a SG-3100

Firewalling
firewall sg-3100 mgmtaccess
  • O
    olgam1rth
    last edited by Jul 10, 2019, 1:16 PM

    I'm setting up an SG-3100 and I'd like to configure the OPT1 interface as a
    management interface such that it would be the only interface that could access
    the WebUI and SSH ports on the SG-3100. This would be very similar to the
    write-up at

    https://docs.netgate.com/pfsense/en/latest/firewall/restrict-access-to-management-interface.html

    only I would be permitting access on the OPT1 port and completely denying access
    on the LAN ports. I followed this write-up pretty much as is except I did not deny
    access to the LAN and I did not disable the anti-lockout rule (just in case there were
    problems).

    I configured the OPT1 int using the IPv4 addr 192.168.100.1/30 and my laptop
    as 192.168.100.2. My problem is that the only way to access port 443 on the
    SG-3100 is to make a firewall rule that permits all traffic on the OPT1
    interface, not just traffic across ports tcp:22 and tcp:443. I've tried not using
    aliases and just using the specific IP addresses of the OPT1 int and the
    laptop. Again, the only way to permit traffic is to open it up to all
    ports.

    Is this expected behavior or when moving to a dedicated interface do I need
    to open up some other ports or protocols?

    Thanks,
    Mike

    • R
      Rico LAYER 8 Rebel Alliance
      last edited by Jul 10, 2019, 1:18 PM

      Post your Rules (Screenshots).

      -Rico

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.