Netgate Discussion Forum

    How to setup guest network on OPT1

      janderson2k

      Is there a quick guide for setting up a guest network using OPT1 or OPT2?  I want it to be on a separate subnet from my LAN connection, have no access to the LAN (for the LAN to the OPT1 network).  I appreciate the help!

        janderson2k

        Basically looking for the following:  1 WAN and two separate physical LAN's.  1 on using the LAN port and the other using the OPT1 or OPT2 port.

          johnpoz LAYER 8 Global Moderator

          Well create the rules you want on your lan and opt interfaces to not allow the traffic you want.. Out of the box lan would be able to create any connections it wants to opt network because the default rules on lan are any any.

          But your opt network would have no rules, and opt network would not be able to go anywhere.  So if you don't want opt to go to lan, then create a block rule on opt 1 blocking access to lan network, before you create your allow rules to get to internet.

          Same goes on your lan interface, create a block rule that blocks access to opt network.

          Rules are evaluated top down, first rule to trigger wins - no other rules are evaluated.

          Do you need a picture?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            janderson2k

            That was super helpful in confirming what I had done already.  I appreciate that, thank you.  Also - I can just create a DHCP pool for that interface like normal right?

            Technically after this point my router has two LAN IP's right?  one for each subnet?

              phil.davis

              @janderson2k:

              That was super helpful in confirming what I had done already.  I appreciate that, thank you.  Also - I can just create a DHCP pool for that interface like normal right?

              Technically after this point my router has two LAN IP's right?  one for each subnet?

              Yes, "LAN" and "OPT1" become both local private subnets and each has an IP address in its subnet. As you say, just create a DHCP pool that is some part of the IP address range in each subnet.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                johnpoz LAYER 8 Global Moderator

                "That was super helpful in confirming what I had done already."

                Confirming what - you posted ZERO to what you had done or even thought of doing..

                Do you need a picture?  Post up what you have DONE!!

                  janderson2k

                  LOL, "confirming what"?  Confirming that I had done exactly as you had recommended (thank you) prior to you suggesting it.  But nonetheless, I am still having some issues and would def appreciate your further help.  I have my pfsense box passing IP's on the opt 1 (we will call it guest) network but I cannot access the internet from the guest network.

                  Here is a pic of what I have for rules:
                  states : 0/0b
                  Protocol :IPv4*
                  Source : opt1 guest net
                  port : *
                  Destination : wan address (had this as wan net as well)
                  Port : *
                  Gateway : *

                    phil.davis

                    I will assume that is a pass rule.

                    You are only allowing clients on "opt1 guest net" to reach exactly 1 IP address - "WAN address". So they are going to be rather restricted  ;) Actually you said that you want them to be able to reach "the internet".

                    You need to first put a block rule with source "opt1 guest net" and destination "lan net" - that will stop opt1 from reaching lan.

                    Then put a pass rule with source 'opt1 guest net' and destination "*" - that will let anything else through to the "big bad internet".

                    Then test from a client in opt1.

                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
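
The rule-order point made in this thread (first match wins; block guest-to-LAN before passing guest-to-any), as an added Python sketch that is not part of any post or of pfSense itself. The subnets, the WAN address and the probe hosts are constructed values, and `evaluate` is a hypothetical stand-in for first-match evaluation on the OPT1 interface, where traffic that matches no rule is blocked.

```python
import ipaddress
from typing import NamedTuple

# Constructed addressing for illustration (assumptions, not from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_NET = ipaddress.ip_network("172.16.1.0/24")
WAN_ADDRESS = ipaddress.ip_network("203.0.113.10/32")  # a single IP, not "the internet"
ANY = ipaddress.ip_network("0.0.0.0/0")


class Rule(NamedTuple):
    action: str  # "pass" or "block"
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network


def evaluate(rules, src, dst):
    """Top-down, first match wins; no match means the traffic is blocked."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip in rule.source and dst_ip in rule.destination:
            return rule.action
    return "block"


# The rule as posted: pass guest net -> WAN address only.
AS_POSTED = [Rule("pass", GUEST_NET, WAN_ADDRESS)]
# The suggested order: block guest -> LAN first, then pass guest -> any.
CORRECTED = [Rule("block", GUEST_NET, LAN_NET), Rule("pass", GUEST_NET, ANY)]
# Same two rules reversed: the pass rule matches first, so the block never fires.
WRONG_ORDER = [Rule("pass", GUEST_NET, ANY), Rule("block", GUEST_NET, LAN_NET)]

GUEST_CLIENT = "172.16.1.25"  # constructed guest client
PROBES = {
    "internet host": "198.51.100.7",
    "LAN host": "192.168.1.10",
    "WAN address": "203.0.113.10",
}


def verdicts(rules):
    """Verdict for each probe destination as seen from the guest client."""
    return {name: evaluate(rules, GUEST_CLIENT, dst) for name, dst in PROBES.items()}


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED),
                         ("wrong order", WRONG_ORDER)):
        print(f"{label:12} {verdicts(rules)}")
```

The "wrong order" ruleset is the one to check for after editing rules: it gives working internet access from the guest network while silently leaving the LAN reachable.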

                      Guest

                      Basically looking for the following:  1 WAN and two separate physical LAN's.  1 on using the LAN port and the other using the OPT1 or OPT2 port.

                      WAN as it is served to you by your ISP
                      LAN1 with 192.xxx and DHCP range from 192.xxx.20 to 192.xxx.50
                      OPT1 as LAN2 with 172.xxx and DHCP range from 172.xxx.20 to 172.xxx.50

                      What exactly was the problem now? You can realize that with either managed or unmanaged switches, as you like!

                      Technically after this point my router has two LAN IP's right?

                      Right, and both must now be configured as you want, to allow or deny the traffic between them.

                      one for each subnet?

                      Yes, you now have two totally different subnets (CIDR) with private IP address ranges or pools and their own DHCP server for each.
                      Now you should think over what to allow or to deny for them and their clients.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.