Netgate Discussion Forum
    Guest access - Deny Local Nets - Allow Internet

    • bingo600

      Hello, I'm a pfSense beginner, but have done Cisco Pix/ASA before.
      I'm not a firewall guru, but I know IP and 3-way handshakes etc.

      On my new home network I have installed a pfSense box with several tagged VLANs.
      I have set the pfSense up as DHCP Proxy and DNS Resolver (both using my existing Linux box as DNS & DHCP forwarder).

      I'm trying out rules for the first time now, and have a "Guest" VLAN20 where I would like to allow guests the following:

      1: Get DHCP, DNS & NTP from "This Firewall" (TFW)
      2: Deny all access to my "Other Local LANs"
      3: Allow full access to the Internet

      The attached rules seem to work OK, but is there a more elegant way to do it?

      Rule 1: Permit Guest VLAN range - "Alias" UDP 53, 67:68 and 123 - to TFW.
      Rule 2: Permit Guest VLAN range - IP * - to !Local-Lan "Alias"

      I still haven't gotten my head around the "Gateway" field in the rules yet.
      Could one use that for not accessing "Local_Lan"?

      TIA
      /Bingo

      PS:
      I think I got a DHCP IP address before I specifically allowed UDP 67:68 on the interface.
      Is this a special case, i.e. is the DHCP Proxy interface allowed without any rules?
      Or was my Linux test machine just reusing the last assignment?

      [Attachment: Selection_2017061421:36:30.png - screenshot of the Guest VLAN rules]

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

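      To see how the two rules above interact under pfSense's first-match evaluation (default deny after the last rule), here is an added example that is not from the post: a small Python model of the Guest interface rule set. The subnets, the firewall's guest-VLAN address and the Local-Lan alias contents are constructed assumptions; note that the alias includes the guest subnet itself, so the firewall's own guest address is reachable only on the ports rule 1 lists.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed addressing for the example (not taken from the thread).
GUEST_NET = ipaddress.ip_network("192.168.20.0/24")          # Guest VLAN20
THIS_FIREWALL = {ipaddress.ip_address("192.168.20.1")}      # TFW address on VLAN20
LOCAL_LAN = [ipaddress.ip_network(n) for n in              # "Local-Lan" alias
             ("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24")]


def ports(spec: str) -> set:
    """Expand a port alias such as '53,67:68,123' into a set of port numbers."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    proto: Optional[str]                          # "udp", "tcp" or None for any IP protocol
    src: ipaddress.IPv4Network
    dst_match: Callable[[ipaddress.IPv4Address], bool]
    dports: Optional[set]                         # None matches any destination port

    def matches(self, proto, src, dst, dport) -> bool:
        return ((self.proto is None or self.proto == proto)
                and src in self.src
                and self.dst_match(dst)
                and (self.dports is None or dport in self.dports))


GUEST_RULES = [
    # Rule 1: Guest range -> This Firewall, UDP 53, 67:68 and 123
    Rule("pass", "udp", GUEST_NET, lambda d: d in THIS_FIREWALL, ports("53,67:68,123")),
    # Rule 2: Guest range -> anything NOT in the Local-Lan alias, any protocol/port
    Rule("pass", None, GUEST_NET, lambda d: not any(d in n for n in LOCAL_LAN), None),
]


def evaluate(proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching interface rule wins; traffic no rule passes is blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in GUEST_RULES:
        if rule.matches(proto, s, d, dport):
            return rule.action
    return "block"
```

Because rule 2 is "IP *", guests may also reach external DNS or NTP servers directly; only traffic to the Local-Lan alias is stopped.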
      • NogBadTheBad

        Don't touch the gateway; you'd only use it if you had multiple routers on the LAN interface or dual WAN links.

        Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.

        DHCP would be broadcast traffic from the client to the server, so I think that's passed by default.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • Derelict (Netgate)

          Rules passing DHCP are automatically added to the rule set on any interface with a DHCP server enabled. They do not need to be explicitly added.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • bingo600

            Thank you both :)

            /Bingo

