Netgate Discussion Forum

Disney Circle on its own subnet - New to pfSense and VLANs in general

Category: L2/Switching/VLANs
6 Posts, 3 Posters, 1.1k Views
nycone:

I'm new to pfSense and VLANs. I'd been running ClearOS for a decade and made the switch to pfSense last night. The issue for me was wanting to isolate Disney's Circle (an ARP spoofer to log kids' network time) on its own subnet.

I set up a kids VLAN and subnet with DHCP. It hands out addresses well and seems to work. It works a bit too well, as I can still ping the other subnets despite following a how-to on isolating subnets on pfSense.

My question is: How do I keep all traffic from the kids' subnet from getting to the other subnets while letting it see the internet? This seems like a common desire. As I said, I followed a how-to on isolating subnets, but I can still ping the network, so I must be doing something wrong.

Any help is appreciated.

marvosa:

The rules on each interface are outgoing, so you have to add block rules accordingly on the VLAN interface.

        If you're still having issues after you've added what you feel is correct, post your firewall rules.

nycone (last edited by nycone):

          I think I got it working. I'm showing you my FW rules to see if I'm missing something:

The first gets to the internet.
The second allows access to the subnet.
The third prevents access outside the subnet.

[attached screenshot of the OPT2 firewall rules: OPT.jpg]

marvosa (last edited by marvosa):

            Glad it's working, however, you can omit the bottom two rules as one's unnecessary and the other is redundant.

If we assume your "Private_IPv4" alias has the RFC 1918 private addresses in it, then all you need is the top line due to the implicit deny on the interface. The 2nd line is doing absolutely nothing since traffic destined within the same subnet does not traverse the firewall. The 3rd line is redundant and unnecessary because 1) the top line is only allowing internet traffic anyway and 2) traffic destined for the OPT2 net does not hit the firewall.

            Also, I personally would make the top rule IPv4 only and then create a separate ruleset for IPv6 traffic.

NogBadTheBad @nycone (last edited by NogBadTheBad):

@nycone said in "Disney Circle on its own subnet - New to pfSense and VLANs in general":

> [attached screenshot of the OPT2 firewall rules: OPT.jpg]

The second rule needs changing from "OPT2 net -> OPT2 net" to "OPT2 net -> OPT2 address" or "OPT2 net -> This Firewall".

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

nycone:
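To make the two points above concrete (marvosa's "only the top rule plus the implicit deny is needed" and NogBadTheBad's "the second rule must target OPT2 address, not OPT2 net"), here is an added first-match rule evaluator that is not from the thread or from pfSense itself. The subnet 192.168.20.0/24, the firewall address 192.168.20.1 and the Private_IPv4 alias contents are constructed assumptions.

```python
import ipaddress

# Constructed addressing for this example (not taken from the thread).
OPT2_NET = ipaddress.ip_network("192.168.20.0/24")   # kids VLAN ("OPT2 net")
OPT2_ADDR = ipaddress.ip_address("192.168.20.1")      # pfSense on OPT2 ("OPT2 address")
# Assumed contents of the Private_IPv4 alias: the three RFC 1918 ranges.
PRIVATE_IPV4 = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_alias(ip, alias):
    return any(ip in net for net in alias)


# Rule 1 only: pass OPT2 net -> !Private_IPv4 (internet). Everything else
# falls through to pfSense's implicit deny on the interface.
RULES_TOP_ONLY = [
    ("pass", lambda s: s in OPT2_NET, lambda d: not in_alias(d, PRIVATE_IPV4)),
]

# Same, plus the corrected second rule: pass OPT2 net -> OPT2 address, which
# is what lets clients reach services on pfSense itself (e.g. its DNS resolver).
RULES_WITH_FW = RULES_TOP_ONLY + [
    ("pass", lambda s: s in OPT2_NET, lambda d: d == OPT2_ADDR),
]


def evaluate(src, dst, rules=RULES_TOP_ONLY):
    """Return what happens to a packet from src to dst on the OPT2 interface.

    Rules are checked in order with first-match ("quick") semantics, the way
    pfSense interface rules behave, and unmatched traffic hits the implicit deny.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Host-to-host traffic inside OPT2 is switched at layer 2; the firewall
    # never sees it, so a rule "OPT2 net -> OPT2 net" can never match.
    if src in OPT2_NET and dst in OPT2_NET and dst != OPT2_ADDR:
        return "not seen by firewall"
    for action, src_match, dst_match in rules:
        if src_match(src) and dst_match(dst):
            return action
    return "block (implicit deny)"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.1.10", "192.168.20.60", "192.168.20.1"):
        print(f"192.168.20.50 -> {dst}: top rule only = {evaluate('192.168.20.50', dst)!r}, "
              f"with OPT2 address rule = {evaluate('192.168.20.50', dst, RULES_WITH_FW)!r}")
```

The last case is the one the corrected second rule exists for: with only the top rule, traffic to the firewall's own OPT2 address falls into the implicit deny because that address is inside Private_IPv4.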

                Thanks for the feedback. I'm reading the "book" on pfSense as I go. I'm starting to get the way it works.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.