• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Blocking Access Between Subnets/Interfaces

Scheduled Pinned Locked Moved Firewalling
5 Posts 3 Posters 8.5k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M
    mjpatera
    last edited by Mar 8, 2017, 2:12 AM

    Let me start by saying I've only been using pfSense for about a week so I really don't know what I'm doing. I've got everything setup and working with just the default firewall settings. I've searched the forums but can't find exactly what I'm looking for.

    My network interfaces are setup as below:
    pfSense 2.3.3 running on Dell Optiplex 790 with 4 NIC's
    -WAN
    -LAN- 192.168.1.xxx- DHCP Server Enabled On LAN- NAS, my PC's,
    -OPT1- 10.0.1.xxx- DHCP Server Enabled on OPT1- IoT devices, kids iPads, TV's, Guests
    -OPT2- 10.0.2.xxx- Security Camera Server

    Everything works and connects to the internet like I want but the issue i'm having is that all interfaces are also communicating with each other. I can ping any device connected to OPT1 while I'm connected to LAN. I want all interfaces to have access to internet but don't want them talking to each other.
    I've played with a few firewall rules on all interfaces trying to block traffic but it's not working. I can check the box to block private networks on the interface setup tab and it will block traffic like I want but it also blocks internet access.

    What rules do I need to create to accomplish this? Thanks in advance for the help.

    1 Reply Last reply Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Mar 8, 2017, 11:59 AM

      Rules are evaluated on interface traffic enters pfsense top down first rule wins and no other rules are evaluated.

      If you do not want opt1 to talk to lan then top rule block opt1 network from lan network on the opt1 interface tab in firewall, your allow rules to internet after that..

      example attached of how I do it..

      So I let my dmz segment (just an opt interface)

      Ping pfsense address in the dmz
      Use dns on pfssense dmz address
      allow devices on dmz segment to talk to my ntp servers
      BLOCK all access to any other firewall IP, be it dmz interface, lan interface, wan interface, etc.
      I then allow any any as long as its not to a local network.. ie the ! (bang) or NOT rfc1918 - that alias contains 10/8, 192.168/16, 172.16/12 so if our going to any of my other networks or any future network I bring up you wold be blocked - but as long as your not going to a rfc1918 address (ie the internet) then your allowed.

      dmzrules.png_thumb
      dmzrules.png

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      1 Reply Last reply Reply Quote 0
      • N
        nfr
        last edited by Mar 8, 2017, 10:03 PM Mar 8, 2017, 9:58 PM

        Make sure to create these rule above the allow to any rules. First create a LAN rule blocking traffic out of your LAN to OPT1 by using the OPT1 net network as the destination. Create a second rule to block LAN to OPT2 by using the OPT2 net network as the destination. On the OPT1 network create rules blocking traffic destined for LAN and destined for OPT2. On OPT2 create rules blocking traffic to LAN and OPT1.

        If you want to get to devices from the LAN to the other side just disable or remove the rule blocking the traffic from that network to the one you want to access.

        1 Reply Last reply Reply Quote 0
        • M
          mjpatera
          last edited by Mar 8, 2017, 10:56 PM

          Thanks for the help guys. That worked. I thought I had tried that already but apparently I did something wrong.

          1 Reply Last reply Reply Quote 0
          • M
            mjpatera
            last edited by Jun 28, 2017, 1:06 AM

            Hey guys,

            These firewall rules have been working for me but I want to modify it a little. I still want to block all traffic between LAN and OPT 1, except for one specific IP address. Can I add a pass rule to the top of the list allowing traffic to the single address then have the block OPT net under that? I have a FreeNAS box and my personal laptop that I keep on the LAN network and everything else in the house connects to OPT1. On the FreeNAS I have installed a PLEX add-on so it's IP address is also on the LAN net. I want everything on OPT1 to be able to talk to the PLEX IP address but be blocked from everything else on that network.

            Thanks
            Mark

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
              This community forum collects and processes your personal information.
              consent.not_received