Block access to LAN from OPT1 but not internet



  • I am new to pfSense and I did a lot of searching to get this right. I was hoping someone could verify my firewall rules

    WAN
    LAN>Wired and wireless AP clients (access to LAN and Internet)
    OPT1(wirelessgues)>Wireless AP (Access to internet only)

    Everything seems to work as it should, OPT1 clients can only see the internet and not LAN clients. Here are my firewall rules for Wirelessgues (OPT1)

    Thanks
    ![12-2-2016 8-24-07 AM.jpg](/public/imported_attachments/1/12-2-2016 8-24-07 AM.jpg)



  • I would also add another rule that blocks access to This Firewall (self).



  • Thanks for the response.

    I added the rule, please let me know if this is what you meant

    ![12-2-2016 8-24-07 AM.jpg](/public/imported_attachments/1/12-2-2016 8-24-07 AM.jpg)



  • OK, but on second thought, I think you should reverse your first rule.  Instead of allowing access to NOT LAN (which is logically backwards), you should block access to LAN.  Change the PASS to BLOCK and uncheck the Invert match box.  Allowing to NOT LAN is for cases where you have multiple networks that you want them to access except for LAN.



  • Ok thanks again for the help. This is what I have now

    ![12-2-2016 8-24-07 AM.jpg](/public/imported_attachments/1/12-2-2016 8-24-07 AM.jpg)



  • Looks good to me.


  • Rebel Alliance Global Moderator

    Yeah that will work, maybe it's just me?  But I like to put more specific blocks above more general blocks.

    The more specific block of access to any firewall IP would be above the more general block of access to a whole network.  But both will work.



  • @mguebert:

    Ok thanks again for the help. This is what I have now

    Unfortunately this didn't work, it blocked internet traffic. Whereas if I return it to the original way it works again.


  • Rebel Alliance Global Moderator

    Well you do need an allow rule below those!!!

    Did you really need that mentioned??

    Rules are evaluated top down, first rule to match wins, no other rules are evaluated.  If you get to the bottom of all the rules on that interface then the default rule which is block any any will block all other traffic.

    So if you were going to your lan network.. That first rule would say Block.. Not look at any more rules, traffic would be blocked going to lan.
    Your 2nd rule.. If you're going to say your firewall wan IP.. That would not be your lan net so 1st rule skipped, 2nd rule say hey going to a firewall IP - which you would be so Blocked!  No other rules looked at.

    if going to say internet 8.8.8.8 for example
    1st rule - well its not lan net so skip
    2nd rule - well its not a firewall IP so skip
    ??  No more rules so BLOCK!!

    So you need a 3rd rule there that says allow any any!!

    Keep in mind your rules as posted would block users from using say the firewall for DNS.. Which is kind of a given for internet to work as well.. Unless you are going to point your client to an internet-based DNS IP??  You would need to add a rule between your block lan and block firewall that allows udp/tcp 53 to your firewall interface address for this network.  Then you can block all other access to the firewall with your current 2nd rule.



  • LAN has a default Allow Any rule and I didn't see that you had deleted it.  As John said, add the Allow Any rule to the bottom and everything will work.


  • Rebel Alliance Global Moderator

    He is not on his lan, he is on his opt interface.  He wants to block access to his lan.  Opt interfaces start with zero rules other than the default block, and the hidden dhcp rules if you turn on dhcp server on that interface.

    Just completely blown away that I should need to mention you need an allow rule ;)  Is this the facebook feed??  If so then yeah sure those people need to sing the bunny down the hole song in their heads while they tie their shoes ;) heheheh

    Bunny ears, Bunny ears, playing by a tree.
    Criss-crossed the tree, trying to catch me.
    Bunny ears, Bunny ears, jumped into the hole,
    Popped out the other side beautiful and bold.

    Maybe we need to come up with some poems/songs/rhymes for creating firewall rules ;) hehehe



  • @johnpoz:

    Well you do need an allow rule below those!!!

    Did you really need that mentioned??

    Rules are evaluated top down, first rule to match wins, no other rules are evaluated.  If you get to the bottom of all the rules on that interface then the default rule which is block any any will block all other traffic.

    So if you were going to your lan network.. That first rule would say Block.. Not look at any more rules, traffic would be blocked going to lan.
    Your 2nd rule.. If you're going to say your firewall wan IP.. That would not be your lan net so 1st rule skipped, 2nd rule say hey going to a firewall IP - which you would be so Blocked!  No other rules looked at.

    if going to say internet 8.8.8.8 for example
    1st rule - well its not lan net so skip
    2nd rule - well its not a firewall IP so skip
    ??  No more rules so BLOCK!!

    So you need a 3rd rule there that says allow any any!!

    Keep in mind your rules as posted would block users from using say the firewall for DNS.. Which is kind of a given for internet to work as well.. Unless you are going to point your client to an internet-based DNS IP??  You would need to add a rule between your block lan and block firewall that allows udp/tcp 53 to your firewall interface address for this network.  Then you can block all other access to the firewall with your current 2nd rule.

    Johnpoz,

    Thanks for your explanation. I understand it can be frustrating (I am in the tech sector, just not networking). I am a complete newbie and I have tried reading and understanding to get this working.

    That being said I have tried what you suggested. It didn't work. I am trying to get this right and I am a newbie so if I need to do something different before posting please let me know. I got it working the original way through reading the forums.

    Thanks again.

    ![12-2-2016 8-24-07 AM.jpg](/public/imported_attachments/1/12-2-2016 8-24-07 AM.jpg)



  • Thanks for all of the help. I finally got it to work. I ended up needing to change from firewall (self) to the 192.168.1.1 address then it worked.

    Does this look as it should now?

    ![12-2-2016 8-24-07 AM.jpg](/public/imported_attachments/1/12-2-2016 8-24-07 AM.jpg)


  • Netgate

    I would make the destination on the third rule This firewall (self)

    If it doesn't work like that then there must be another service on the firewall the clients need to access. Such as DNS on another firewall IP address (not 192.168.1.1) or something.

    That specific service should be passed then all other traffic to the This firewall (self) blocked.


  • Rebel Alliance Global Moderator

    Exactly.. Not sure what you did wrong.. when you say it didn't work.. Maybe you only had tcp for dns?  But vs putting in the 192.168.1.1 address, you could use the wirelessguest address..

    And then yes, that third rule should be This Firewall.  You might want to also allow ping to the firewall wirelessguest interface so you can verify connectivity to pfSense.
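As an added illustration (not from this thread or from pfSense itself) of the top-down, first-match evaluation johnpoz describes above, and of the "This Firewall (self)" versus interface-address distinction in the last few replies, the Python model below walks a constructed OPT1 rule list. All addresses are assumed values, since the screenshots are not available here.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumed, not from the screenshots): LAN 192.168.1.0/24,
# OPT1 "wirelessgues" 192.168.2.0/24 with the firewall at .1, WAN 203.0.113.10.
LAN_NET = ip_network("192.168.1.0/24")
OPT1_ADDR = ip_address("192.168.2.1")
# "This Firewall (self)" is every address the firewall holds on any interface.
FIREWALL_IPS = {ip_address("192.168.1.1"), OPT1_ADDR, ip_address("203.0.113.10")}

def dst_matches(selector, dst):
    """Resolve a pfSense-style destination selector against a packet's destination."""
    if selector == "any":
        return True
    if selector == "LAN net":
        return dst in LAN_NET
    if selector == "This Firewall (self)":
        return dst in FIREWALL_IPS
    if selector == "OPT1 address":
        return dst == OPT1_ADDR
    return dst == ip_address(selector)  # a literal host such as 192.168.1.1

def evaluate(rules, dst, proto="tcp", port=443):
    """Walk the OPT1 rule list top down; the first matching rule wins.
    Falling off the end hits the implicit default block of an OPT interface."""
    dst = ip_address(dst)
    for action, proto_sel, dst_sel, port_sel in rules:
        if proto_sel != "any" and proto_sel != proto:
            continue
        if port_sel != "any" and port_sel != port:
            continue
        if dst_matches(dst_sel, dst):
            return action
    return "block"

# Rules as (action, protocol, destination, destination port).
# Only the two blocks: the rule set that "blocked internet traffic".
BROKEN = [
    ("block", "any", "LAN net", "any"),
    ("block", "any", "This Firewall (self)", "any"),
]
# Specific passes above the firewall block, then the catch-all allow at the bottom.
WORKING = [
    ("block", "any", "LAN net", "any"),
    ("pass", "udp", "OPT1 address", 53),
    ("pass", "tcp", "OPT1 address", 53),
    ("pass", "icmp", "OPT1 address", "any"),
    ("block", "any", "This Firewall (self)", "any"),
    ("pass", "any", "any", "any"),
]
```

Note that DNS aimed at 192.168.1.1 from this network is already caught by the "LAN net" block before any later pass rule is reached, which is why the replies suggest the guest interface address as the resolver target.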



  • Thanks for all of the help and suggestions. It's working great. Thanks for the patience also.