Great job, and you also learned port forwarding, ACL ordering, alias creation and much more. I love this forum you can learn so
much. Now you just need a OpenVPN configured with a NAS server for private cloud use

@JonathanLee said in SG-2100 Network Interfaces Question:

Happy new year everyone

Happy new year to everyone !! =)

Going to meet my friend now, Mr. Jack Daniels.. Nice guy.. hehe

@ASGR71 putting a block rule to 53 just below the rule you allow 53 to pfsense IP would be a valid solution if you want to block clients on that network from talking to any normal dns on the internet.

If you are having issues with clients using dns other than pfsense. While that rule would block normal dns, it doesn't prevent clients from using doh (dns over https) or dot (dns over tls).. while dot should be easy to prevent since the standard part is 853.. And clients don't normally use dot. A forwarder would use dot to forward to some other resolver via tls.

Blocking clients from using their own dns to circumvent local dns has become an uphill battle.. Browsers deciding to use doh on their own without explicit opt-in by the user is a problem.

Blocking doh is becoming a challenge. Since it uses standard 443 port of https traffic - which is pretty much everything on the internet these days. Blocking this has come down to using lists of known doh servers and blocking the IPs.. Which can turn into a wack-a-mole game..

But if you just want to prevent some client talking to say 8.8.8.8 or quad9 or 1.1.1.1 on 53, etc.. then yeah that 2nd rule accomplishes that.

Excelllent. I added a feature request for it: https://redmine.pfsense.org/issues/14050

There are two Netgate devices that have a port marked 'LAN4'. In the 2100 that is part of the switch that is connected to the LAN interface by default and no additional config is required to use it.
In the 6100 that is a discrete NIC and not enabled by default. There you would have to enable the interface and set a firewall rule on it at a minimum to use it.

Steve

Yes you could use pools in one subnet and filter them differently using aliases but you can't filter traffic between the clients on one subnet that way. Traffic would just go between them directly without passing through pfSense. Only one interface.
Really you need to use VLANs in there to separate the traffic at layer 2.

Steve

@virgiliomi Thanks. That's a really helpful answer. I appreciate it.

The interface used by the firewall to originate this OpenVPN client connection
so typically this would be WAN.
In my case for some Sites it is not directly WAN but some Gateway Group containing different WANs.
I've never thought about switching it to any internal Interface like LAN or OPT...why did you do that? Just leave it as default.

-Rico