Netgate Discussion Forum

    Block all outgoing traffic from LAN network except VPN server for remote access

    Firewalling
    2 Posts 2 Posters 1.2k Views
    • docf1234

      I'm building a virtual lab with pfSense as the gateway.  I have a VPN server running in bridged mode that gives remote (from the WAN) access to the internal LAN network.

      How do I configure the firewall to block all outgoing traffic from the LAN network to the WAN whilst still enabling the LAN clients to communicate with each other and the VPN server to provide remote access to the LAN?

      • mer

        On the LAN side, are all your LAN clients plugged into the same switch infrastructure, with one link from that to the LAN port on pfSense? If so, pfSense would not be involved in LAN-to-LAN communications at all; that would go through the switch infrastructure.

        Blocking all LAN clients from going out the WAN:  add a rule on the LAN interface that is deny all from LAN to ANY, put it at the top.
        If the VPN server is a pingable address from the LAN side, the ANY in the block rule should probably be !VPNSERVER.
        WAN defaults to blocking all inbound traffic, so you may need to add a pass rule for traffic from the VPN server.

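The rule order mer describes is easy to get wrong in the GUI, so here is a small model of it as an added example (not code from the thread or from pfSense). It assumes a constructed lab: LAN 192.168.1.0/24, the bridged VPN server at 192.168.1.10, a LAN client at 192.168.1.50, an internet host 203.0.113.7 and a remote VPN client arriving on the WAN from 198.51.100.5. It models only interface, source and destination (ports and protocols are ignored) and assumes pfSense's first-match, top-down evaluation on the ingress interface; the WAN pass rule is modelled with the VPN server as destination, which is what an inbound pass on WAN needs. The `check_policy(False)` case shows what happens when the block rule sits below the stock "LAN to any" rule instead of at the top.

```python
"""Model of the LAN/WAN rule order from the thread (constructed lab values)."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing, not from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_SERVER = ipaddress.ip_address("192.168.1.10")   # bridged VPN server on the LAN
LAN_CLIENT = "192.168.1.50"
INTERNET = "203.0.113.7"                             # some host out on the WAN
REMOTE = "198.51.100.5"                              # remote VPN client on the WAN


@dataclass
class Rule:
    iface: str    # interface the packet enters on: "LAN" or "WAN"
    action: str   # "pass" or "block"
    src: str      # "any", a host/CIDR, or "!host/CIDR" for an inverted match
    dst: str
    note: str = ""


def _matches(spec: str, addr) -> bool:
    """Match an address against a rule field, honouring the '!' (not) prefix."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (addr not in net) if negate else (addr in net)


def evaluate(rules, iface: str, src: str, dst: str):
    """First-match evaluation on the ingress interface (pfSense GUI rules are
    'quick'). No match falls through to the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface == iface and _matches(r.src, s) and _matches(r.dst, d):
            return r.action, r.note
    return "block", "implicit default deny"


def crosses_pfsense(src: str, dst: str) -> bool:
    """Two hosts on the same LAN subnet talk via the switch; pfSense never sees it."""
    return not (ipaddress.ip_address(src) in LAN_NET
                and ipaddress.ip_address(dst) in LAN_NET)


def lan_rules(block_on_top: bool = True):
    """The block rule mer suggests, plus the stock 'LAN to any' pass rule."""
    block = Rule("LAN", "block", str(LAN_NET), f"!{VPN_SERVER}",
                 "deny LAN to anything except the VPN server")
    default_allow = Rule("LAN", "pass", str(LAN_NET), "any",
                         "pfSense's stock 'LAN to any' pass rule")
    return [block, default_allow] if block_on_top else [default_allow, block]


# WAN drops everything inbound unless a pass rule matches; this one lets remote
# clients reach the VPN server (modelled as destination = VPN server, an assumption).
WAN_RULES = [Rule("WAN", "pass", "any", str(VPN_SERVER), "remote clients -> VPN server")]


def check_policy(block_on_top: bool = True) -> dict:
    """Outcomes for the traffic the thread cares about."""
    lan = lan_rules(block_on_top)
    return {
        "lan_to_internet": evaluate(lan, "LAN", LAN_CLIENT, INTERNET)[0],
        "lan_to_vpnserver": evaluate(lan, "LAN", LAN_CLIENT, str(VPN_SERVER))[0],
        "lan_to_lan_crosses_pfsense": crosses_pfsense(LAN_CLIENT, "192.168.1.51"),
        "remote_to_vpnserver": evaluate(WAN_RULES, "WAN", REMOTE, str(VPN_SERVER))[0],
        "remote_to_lan_client": evaluate(WAN_RULES, "WAN", REMOTE, LAN_CLIENT)[0],
    }


if __name__ == "__main__":
    print("block rule on top:", check_policy(True))
    print("block rule below :", check_policy(False))
```

With the block rule on top, LAN to internet is blocked, LAN to the VPN server passes, a remote client can reach only the VPN server on the WAN side, and LAN-to-LAN never reaches pfSense; with the block rule placed below the stock pass rule, the stock rule matches first and LAN to internet passes, which is why the ordering matters.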
        Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.