[SOLVED] Very simple Firewalling for Guest-Network

  • Hi!

    I'm using a VLAN on my pfsense, in which only guests will appear, as it is connected to our guest-wifi.
    For this purpose I activated dhcp and dns on this device.
    So clients should be able doing two things:

    • using the DNS-caching-service
    • surfing the internet

    I implemented this by setting two firewall rules:

    • TCP/UDP Port 53 from guest net allowed to (which is the IP of pfsense in this VLAN)
    • any protocol from any port to !LAN_VPN allowed (LAN_VPN is an alias for and

    Is this how it's supposed to be done?
    I'm unsure about the second firewall-rule. I'm a little uncomfortable with this kind of inverting a rule rather than saying "you can do anything, as long as your direction is the internet and not our LAN or VPN".

  • LAYER 8 Global Moderator

    Well are any of your other networks fall in 192.168/16 or 172.17-31 since you have the wrong mask on that rfc1918 network you posted.

    Here is the rules on my guest network.. see if that helps.

    I don't even let guest use pfsense as dns (dhcp hands them public dns), I let them ping the gateway.  So they can validate their wifi is working that for.  After that I don't let them talk to any ip on pfsense at all.  that is that reject rule - this even prevents them from talking to pfsense wan IP which would not be rfc1918.

    I then let them go anywhere where they want as long as not rfc1918 which would be my networks..

  • Ah, I had a typo in my private LANs… thanks!

    Ok, so basically you're doing the same.
    Why do you want to keep them away from the WAN-Interface?
    And why do you use public DNS-Servers? I'm not sure, if the risk of using the pfSense DNS is too high...

  • LAYER 8 Global Moderator

    Its up to what you want to do.. Why do they need to talk to my wan?  I see no reason for them to..  Why do they need to use my dns?  Why would they "need" to resolve anything on my network?  I don't let them talk to it anyway.

    Only reason I allow them to ping is its a good check that their wifi is up and working.

    Why do you not want them talking to your other networks?  Same logic goes for why I don't want them talking to my pfsense wan, etc.  Is it my tinfoil hat talking??  Maybe - but security is always min permissions required.. They need to use the internet, ok - that is what they can do.  They have no need to talk to pfsense on any interface, they have no need to ask it for dns, etc..

  • Ah, so you have your DNS configured to resolve names in your own network? Ok, that way I understand why you do not want the clients to use your DNS.
    I only use it as a Caching Server and I think that way it's faster than using public DNS-Servers.

    But I absolutely agree with you: Security means white-listing ;-)

  • LAYER 8 Global Moderator

    So you have no local devices or need to resolve them?  Or you use some other local dns for your normal network and pfsense dns is only caching and for your guest?

  • I don't need any devices to be resolved by my pfSense.
    So it doesn't provide ANY local domain-names/addresses to anyone/any VLAN and is only working as a Caching-Server.

  • LAYER 8 Global Moderator

    Then sure why not let your guests use it, yeah.

  • Alright :-)
    Thanks for your help!