Netgate Discussion Forum

    Creating isolated NIC

    General pfSense Questions

    yeleek

      Hi,
      Following on from this thread (https://forum.netgate.com/topic/160866/dangers-of-upnp?_=1613582533951) I am trying to create a 'dirty NIC', which I will then attach an AP to.

      I want this NIC to have full WAN access, but no access to the existing LAN or WIFI interfaces (or networks).

      I tried creating a rule from the badwifi interface of:
      IPV4*
      Source: Badwifi-net
      Destination: WAN-net
      With any port, but I fail to get a response from 8.8.8.8.

      If I create a rule with:
      IPV4*
      Source: Badwifi-net
      Destination: Any
      With any port, it works fine (i.e. I get a response from 8.8.8.8).

      The problem with the second rule though is that devices on badwifi-net can get to LAN and WIFI addresses.

      What am I doing wrong please? I just want badwifi-net to be able to get to Internet resources (including 8.8.8.8) but no resources on LAN/WIFI. I then plan to enable UPnP on badwifi-net for my son's Xbox.

      Thanks in advance.

        SteveITS @yeleek

        "Destination: WAN-net" allows to that subnet only and you're trying to get to "the world." I would add a rule above the "Destination: Any" one that blocks from Badwifi-net to LAN, and Badwifi-net to WIFI.

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
        Upvote 👍 helpful posts!

          stephenw10 (Netgate Administrator)

          Yeah you need at least two rules, so for example:

          Deny Badwifi-net to LANnet
          Pass Badwifi-net to any

          But you probably actually want:

          Pass Badwifi-net to Badwifi-address UDP port 53. Allow DNS
          Deny Badwifi-net to 'This Firewall'
          Deny Badwifi-net to LANnet
          Pass Badwifi-net to any

          Steve

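          To make the first-match ordering in the suggestion above concrete, here is an added Python model of how pfSense evaluates interface-tab rules (top to bottom, first match wins, implicit default deny at the end). It is not code from the thread or from pfSense; the subnets, the firewall's own addresses and the extra "deny to WIFInet" rule covering the WIFI segment mentioned in the first post are constructed assumptions.

```python
"""Model pfSense first-match rule evaluation for the Badwifi interface tab.

Added example, not from the thread or from pfSense itself. All addressing
below is constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed sample subnets (assumption, not from the thread).
NETS = {
    "Badwifi-net": ip_network("192.168.30.0/24"),
    "LANnet": ip_network("192.168.1.0/24"),
    "WIFInet": ip_network("192.168.2.0/24"),
    "WAN-net": ip_network("203.0.113.0/24"),
}
# 'This Firewall' in pfSense means every address the firewall holds (constructed here).
THIS_FIREWALL = {ip_address(a) for a in
                 ("192.168.30.1", "192.168.1.1", "192.168.2.1", "203.0.113.5")}
BADWIFI_ADDRESS = ip_address("192.168.30.1")   # the interface address on Badwifi


def matches(target, dst):
    """Does a rule's destination selector cover this destination address?"""
    if target == "any":
        return True
    if target == "This Firewall":
        return dst in THIS_FIREWALL
    if target == "Badwifi-address":
        return dst == BADWIFI_ADDRESS
    return dst in NETS[target]


def evaluate(rules, dst, proto="tcp", port=None):
    """Walk the rules top to bottom; first match wins; no match -> default deny."""
    dst = ip_address(dst)
    for action, target, rproto, rport in rules:
        if matches(target, dst) and rproto in ("any", proto) and rport in (None, port):
            return action
    return "deny"


# The first attempt in the thread: pass only to WAN-net, so 8.8.8.8 never matches a pass rule.
OP_RULES = [("pass", "WAN-net", "any", None)]

# The recommended ordering: (action, destination, protocol, port).
RECOMMENDED = [
    ("pass", "Badwifi-address", "udp", 53),   # allow DNS to the firewall itself
    ("deny", "This Firewall", "any", None),   # block everything else aimed at the box
    ("deny", "LANnet", "any", None),
    ("deny", "WIFInet", "any", None),         # added: the WIFI segment from the first post
    ("pass", "any", "any", None),             # whatever is left goes out to the Internet
]
```

          Reordering the rules (for example putting the "pass to any" rule first) makes every deny below it unreachable, which the model reproduces.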
            yeleek

            Great thanks all.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.