<![CDATA[Guest access - Deny Local Nets - Allow Internet]]>Hello i'm a pfSense beginner , but have done Cisco Pix/ASA before.
I'm not a firewall guru, but knows IP and 3-way handshakes etc.

On my new Home network i have installed a pfSense Box , with several tagged vlans.
I have set the pfSense up as DHCP Proxy , and DNS Resolver (both using my existing linux as DNS & DHCP forwarding)

I'm trying out rules for the first time now , and have a a "Guest"  Vlan20 , where i would like to allow guests the following:

1: Get DHCP,DNS & NTP from "This Firewall" (TFW)
2: Deny all acces to my "Other Local Lans"
3: Allow full access to the Internet

The attached rules seems to work ok, but is there a more elegant way to do it.

Rule 1: Permit Guest Vlan range - "Alias" UDP 53,67:68 and 123  - to TFW.
Rule 2: Permit Guest Vlan range - IP * - to !Local-Lan "Alias"

I still haven't gotten my head around the "Gateway" field in the rules yet.
Could one use that for not accessing "Local_Lan"

TIA
/Bingo

Ps:
I think i got a DHCP ip address before i specifically allowed UDP 67:68 on the interface.
Is this a special case , i mean id the DHCP Proxy IF's allowed wo. any rules.
Or was my Linux test machine just reusing the last assignment ?

Selection_2017061421:36:30.png
Selection_2017061421:36:30.png_thumb

]]>https://forum.netgate.com/topic/116945/guest-access-deny-local-nets-allow-internetRSS for NodeFri, 15 May 2026 22:52:14 GMTWed, 14 Jun 2017 19:51:08 GMT60<![CDATA[Reply to Guest access - Deny Local Nets - Allow Internet on Thu, 15 Jun 2017 13:27:19 GMT]]>Thank you both  :)

/Bingo

]]>https://forum.netgate.com/post/705960https://forum.netgate.com/post/705960Thu, 15 Jun 2017 13:27:19 GMT<![CDATA[Reply to Guest access - Deny Local Nets - Allow Internet on Thu, 15 Jun 2017 07:54:46 GMT]]>Rules passing DHCP are automatically added to the rule set on any interface with a DHCP server enabled. They do not need to be explicitly added.

]]>https://forum.netgate.com/post/705906https://forum.netgate.com/post/705906Thu, 15 Jun 2017 07:54:46 GMT<![CDATA[Reply to Guest access - Deny Local Nets - Allow Internet on Thu, 15 Jun 2017 06:14:26 GMT]]>Don't touch the gateway, you'd only use it if you had mulpiple routers on the lan interface or dual wan links.

Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.

DHCP would be broadcast traffic from the client to the server, so I think that's passed by default.

]]>https://forum.netgate.com/post/705898https://forum.netgate.com/post/705898Thu, 15 Jun 2017 06:14:26 GMT