Guest access - Deny Local Nets - Allow Internet

  • Hello, I'm a pfSense beginner, but have done Cisco Pix/ASA before.
    I'm not a firewall guru, but know IP and 3-way handshakes etc.

    On my new home network I have installed a pfSense box, with several tagged VLANs.
    I have set the pfSense up as DHCP Proxy and DNS Resolver (both using my existing Linux as DNS & DHCP forwarding).

    I'm trying out rules for the first time now, and have a "Guest" Vlan20, where I would like to allow guests the following:

    1: Get DHCP, DNS & NTP from "This Firewall" (TFW)
    2: Deny all access to my "Other Local Lans"
    3: Allow full access to the Internet

    The attached rules seem to work OK, but is there a more elegant way to do it?

    Rule 1: Permit Guest Vlan range - "Alias" UDP 53,67:68 and 123  - to TFW.
    Rule 2: Permit Guest Vlan range - IP * - to !Local-Lan "Alias"

    I still haven't gotten my head around the "Gateway" field in the rules yet.
    Could one use that for not accessing "Local_Lan"?


    I think I got a DHCP IP address before I specifically allowed UDP 67:68 on the interface.
    Is this a special case, I mean are the DHCP Proxy IFs allowed w/o any rules?
    Or was my Linux test machine just reusing the last assignment?

  • Don't touch the gateway; you'd only use it if you had multiple routers on the LAN interface or dual WAN links.

    Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.

    DHCP would be broadcast traffic from the client to the server, so I think that's passed by default.

  • LAYER 8 Netgate

    Rules passing DHCP are automatically added to the rule set on any interface with a DHCP server enabled. They do not need to be explicitly added.

  • Thank you both  :)
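
A small Python model of the two-rule Guest policy from the first post, added here as an illustration; it is not code from the thread or from pfSense. It applies first-match evaluation with an implicit default deny to constructed packets. The subnets, the firewall address and both alias definitions are assumptions, chosen to show how the contents of the Local_Lan alias decide whether guests can reach the firewall's own address on ports outside rule 1.

```python
from ipaddress import ip_address, ip_network

# Every address below is constructed for illustration; none come from the thread.
GUEST_NET = ip_network("192.168.20.0/24")   # assumed Guest VLAN20 subnet
FIREWALL = ip_address("192.168.20.1")       # assumed "This Firewall" address on VLAN20
# Two hypothetical ways to define the Local_Lan alias:
NARROW_ALIAS = [ip_network("192.168.1.0/24"), ip_network("192.168.10.0/24")]  # other VLANs only
WIDE_ALIAS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_alias(addr, alias):
    return any(addr in net for net in alias)

def build_rules(local_lan):
    """The two pass rules from the first post, in order, as match predicates."""
    return [
        ("rule1", lambda p: p["proto"] == "udp" and p["dst"] == FIREWALL
                            and p["dport"] in (53, 67, 68, 123)),
        ("rule2", lambda p: not in_alias(p["dst"], local_lan)),
    ]

def evaluate(packet, local_lan):
    """First matching pass rule wins; anything unmatched hits the implicit deny."""
    if packet["src"] in GUEST_NET:
        for name, matches in build_rules(local_lan):
            if matches(packet):
                return f"pass ({name})"
    return "block (default deny)"

def pkt(proto, dst, dport, src="192.168.20.50"):
    return {"proto": proto, "src": ip_address(src),
            "dst": ip_address(dst), "dport": dport}

SAMPLES = {  # constructed test traffic from a guest client
    "DNS to firewall": pkt("udp", "192.168.20.1", 53),
    "DNS over TCP to firewall": pkt("tcp", "192.168.20.1", 53),
    "HTTPS to firewall address": pkt("tcp", "192.168.20.1", 443),
    "SSH to another VLAN": pkt("tcp", "192.168.10.5", 22),
    "HTTPS to Internet": pkt("tcp", "203.0.113.10", 443),
}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(f"{label:28} narrow: {evaluate(packet, NARROW_ALIAS):22} "
              f"wide: {evaluate(packet, WIDE_ALIAS)}")
```

With the narrow alias the guest subnet itself is not excluded, so rule 2 passes traffic to the firewall's VLAN20 address on any port; with the wide alias only the services in rule 1 are reachable there.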


