Netgate Discussion Forum
    Painfully simple firewall question

    Firewalling
    spartasolutions

      Edit: Solved it by setting an explicit rule passing traffic from the guest net to the bridge on ports 53, 80, and 443.
      Ex. Pass | IPv4+IPv6 | Guest net | * | LAN address | 53

      So I have a single pfSense unit with a Unifi AP attached to it. With that Unifi AP, I have 3 wireless networks: "Private" bridged with the LAN, Guest (VLAN 30), and Devices (VLAN 20). Guest and Devices have their own interfaces and DHCP servers, and are located on different subnets.

      Similar to the DNS Resolver, I'm using NxFilter to handle the DNS. It's installed on my pfSense and uses ports 53 (DNS), 80 (HTTP), and 443 (HTTPS). The WebGUI has been moved to another port for access. With the DNS Resolver disabled, NxFilter has become the DNS server and works great on both the bridge (LAN + Private Wifi), and on the Devices wifi.

      Now, the guest network will be open and utilizing the captive portal for authentication. Because of this, I want to block all traffic except traffic going outward (no subnet communication). I've at least attempted an ASCII diagram below.

      WAN
       |
      pfSense
       |-------------------+-------------------+
       |                   |                   |
      LAN/AP Bridge      Guest (V30)       Devices (V20)

      pfSense (192.168.2.1), NxFilter (192.168.2.1)
      Bridge: 192.168.2.0/24 (DHCP 192.168.2.20-192.168.2.200) DNS: 192.168.2.1
      Devices: 192.168.20.0/24 (DHCP 192.168.20.20-192.168.20.200) DNS: 192.168.2.1
      Guest: 192.168.30.0/24 (DHCP 192.168.30.20-192.168.30.200) DNS: 192.168.2.1

      Now note that my firewalls are very general because this isn't a strict deployment, but here's what I have so far:

      Bridge Interface of LAN_PORT(original LAN) and the private wireless network (no vlan)

      Member interfaces of the bridge, allow all

      The Devices wireless network (VLAN 20). DNS resolution and communication is working for this interface.

      Lastly, the guest wireless network (VLAN 30). No DNS resolution (nslookup request timeout).

      Basically, everything is working as it should except for on the guest wireless network. The network (on Windows) shows no internet. nslookup using the DNS server (that it receives correctly from DHCP) does not work (DNS request times out). nslookup on the bridge subnet and the Devices subnet works properly and everything functions.

      I'm sure it's how I'm handling blocking the connections to the guest network, but I can't figure it out. I've tried pass-all rules with no luck. Note that I'm using Avahi to allow discovery between the Private and Devices subnets (think Chromecast, etc.), so that might be an avenue to look down?

      Thanks guys

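As an added illustration (not from the original post or from pfSense itself): a small Python model of pfSense's top-down, first-match rule evaluation on the guest interface. It uses a constructed rule set that blocks guest traffic to all RFC1918 space and then passes everything else, and the same set with the poster's explicit pass to the firewall address on 53/80/443 placed above the block, to show why the DNS query to 192.168.2.1 was dropped before the fix. The rule contents, the guest client address and the IPv4-only scope are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model: pfSense evaluates interface rules top-down and the first
# matching rule wins, ending with an implicit default deny.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str      # "pass" or "block"
    src: str         # source network in CIDR
    dst: str         # destination CIDR, "private" (all RFC1918) or "any"
    dports: tuple    # destination ports; () means any port


def _matches(rule, src_ip, dst_ip, dport):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst == "private":
        if not any(dst in n for n in RFC1918):
            return False
    elif rule.dst != "any" and dst not in ipaddress.ip_network(rule.dst):
        return False
    return not rule.dports or dport in rule.dports


def decide(rules, src_ip, dst_ip, dport):
    """Return the action of the first matching rule, else the default deny."""
    for r in rules:
        if _matches(r, src_ip, dst_ip, dport):
            return r.action
    return "block"


GUEST = "192.168.30.0/24"          # guest subnet from the post
FW = "192.168.2.1/32"              # pfSense / NxFilter address from the post

# Assumed original guest rules: no subnet communication, everything else out.
BEFORE = [Rule("block", GUEST, "private", ()),
          Rule("pass", GUEST, "any", ())]
# The fix: explicit pass to the firewall address for DNS and the NxFilter
# HTTP/HTTPS ports, ordered above the block so it matches first.
AFTER = [Rule("pass", GUEST, FW, (53, 80, 443))] + BEFORE


def dns_result(rules, client="192.168.30.25"):
    """Outcome of a guest client's DNS query to the firewall's address."""
    return decide(rules, client, "192.168.2.1", 53)
```

Running `dns_result(BEFORE)` gives "block" and `dns_result(AFTER)` gives "pass", while guest traffic to other hosts on 192.168.2.0/24 stays blocked under both sets.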
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.