Firewall Rules for routing Internet between two VLANS



  • Hey guys,
i have just installed pfSense on a virtual machine with two LAN interfaces.
    LAN1 (192.168.2.x) is my private network that is also connected to the internet via a standard DSL router that also provides DHCP addresses.
    LAN2 (192.168.1.x) is a separate guest network which should only be able to connect to the internet. No devices on LAN1 except the router should be visible and accessible.

    Internet – DSL-Router + DHCP Server ---LAN1 --PF-Sense Firewall with filtering--LAN2--Guest PC

    I already set up the two networks but now I have no idea how to accomplish the filtering task.

    Thanks in advance!
    Johnny



  • Hi guys,
finally figured out how to do this…just setting the LAN1 as gateway and blocking any traffic coming to interface LAN2 with destination LAN1.



  • I went over my fw rules again and must have understood something wrong concerning rule processing. On my lan2 interface (Guest) I block anything going to the lan1 interface (Home) which is also my WAN. Anything gets blocked as expected and devices on lan2 cannot access lan1 (and internet).
When I add another rule on the lan2 interface (allow all coming from the interface and going anywhere) lan2 can access internet, even if this rule comes AFTER the block rule.
    Is this because I defined a device on my lan1 (home) net as the default gateway? Here is a screenshot from my guest rules:

    http://imgur.com/7P3lcJf


  • LAYER 8 Global Moderator

    "I block anything going to the lan1 interface (Home) which is also my WAN."

    What?  So you have stuff on this lan 1 (wan) that is the network connected to your dsl router.

    Wan or lan 1 or home in your setup is not the internet.. It is only the wan network.. It has nothing to do with the internet.. It is just the transit network from pfsense to your internet router.

    BTW calling it lan 1 is confusing.

What is it you're wanting to block exactly?

Rules are evaluated top down, first rule to trigger wins - no other rules are evaluated as traffic enters an interface towards pfsense.  Yes your rules as posted would allow your lan 2 and would block any access to your pfsense wan network or home net in your case.



  • @johnpoz:

    "I block anything going to the lan1 interface (Home) which is also my WAN."

    What?  So you have stuff on this lan 1 (wan) that is the network connected to your dsl router.

    Exactly…
    @johnpoz:

    Wan or lan 1 or home in your setup is not the internet.. It is only the wan network.. It has nothing to do with the internet.. It is just the transit network from pfsense to your internet router.

I understand that but what I do not understand is why I still can access the internet from a device in lan2 when I block any traffic for this interface with destination lan1 (or wan as you would call it).

    @johnpoz:

What is it you're wanting to block exactly?

    I want to block any access from lan2 devices to lan1 devices except internet access.
    @johnpoz:

Rules are evaluated top down, first rule to trigger wins - no other rules are evaluated as traffic enters an interface towards pfsense.  Yes your rules as posted would allow your lan 2 and would block any access to your pfsense wan network or home net in your case.

What exactly do you mean with "allow your lan2"? When the rules are processed any traffic going to the wan network is blocked. When I enable the second rule (allow access) I can access the internet from lan2 which is strange because I blocked that before. I thought I had to create a rule that allows connections to my device that provides the default gateway and put this rule at the very top.
    Edit: Added a drawing of the networks
    https://picload.org/view/rwdplcgi/skizze.jpg.html


  • LAYER 8 Global Moderator

    "lan2 when I block any traffic for this interface with destination lan1 (or wan as you would call it)"

Because you're not going to that lan1 when you're going to the internet now are you!!!  That "net" is "LAN1 (192.168.2.x)"  That is ALL it is.. is 8.8.8.9 on that network?  is www.pfsense.org (208.123.73.69) on that network?

WAN net or in your case lan1 is not the internet.. it is just a network like any other network…
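The point the moderator is making (first match wins, and an internet-bound packet's destination is the remote host, not the LAN1 transit network) can be checked with a small model of per-interface rule evaluation. The following is an added example, not code from the thread or from pfSense; the addresses (guest net 192.168.1.0/24, home/transit net 192.168.2.0/24, DSL router at 192.168.2.1, test hosts 192.168.1.10 and 192.168.2.50) are constructed to match the poster's layout.

```python
"""Added example: a first-match model of pfSense interface rules.

Assumptions (constructed, not from the forum thread):
  * LAN2 (guest) is 192.168.1.0/24; LAN1 (the "home"/transit net towards
    the DSL router) is 192.168.2.0/24; the DSL router sits at 192.168.2.1.
  * Rules are applied where traffic ENTERS pfSense (the LAN2 interface),
    top-down, first match wins, and unmatched traffic is dropped.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LAN1_NET = IPv4Network("192.168.2.0/24")  # home / transit network to the DSL router
LAN2_NET = IPv4Network("192.168.1.0/24")  # guest network
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    description: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


def evaluate(rules, src: str, dst: str):
    """Return (action, description) of the first rule matching src -> dst.

    Nothing matching means ("block", "default deny"), mirroring the implicit
    deny at the bottom of every pfSense interface rule set.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action, rule.description
    return "block", "default deny"


# The poster's LAN2 (guest) rules, in the order they were posted:
# block anything to the home net first, then allow everything else.
GUEST_RULES = [
    Rule("block", LAN2_NET, LAN1_NET, "block guest -> LAN1 (home) net"),
    Rule("pass",  LAN2_NET, ANY,      "allow guest -> anywhere"),
]

# Same two rules reversed: the 'allow anywhere' now matches first and the
# block rule is never reached, so guests can hit the home net as well.
GUEST_RULES_REVERSED = list(reversed(GUEST_RULES))


def internet_reachable(rules) -> bool:
    # A packet for 8.8.8.8 is forwarded via the LAN1 gateway, but its
    # destination address is 8.8.8.8, which is not inside 192.168.2.0/24,
    # so the block rule does not match it.
    return evaluate(rules, "192.168.1.10", "8.8.8.8")[0] == "pass"


def lan1_reachable(rules) -> bool:
    return evaluate(rules, "192.168.1.10", "192.168.2.50")[0] == "pass"


def router_reachable(rules) -> bool:
    # The DSL router's own address is inside LAN1_NET, so this rule set
    # blocks guests from talking to it directly (relevant only if guests
    # need a service from the router itself, e.g. DNS).
    return evaluate(rules, "192.168.1.10", "192.168.2.1")[0] == "pass"


if __name__ == "__main__":
    for name, rules in (("as posted", GUEST_RULES), ("reversed", GUEST_RULES_REVERSED)):
        print(f"{name}: internet={internet_reachable(rules)} "
              f"lan1={lan1_reachable(rules)} router={router_reachable(rules)}")
```

With the rules as posted, internet traffic passes and the home net is blocked; reversing the two rules lets the allow-any rule shadow the block and opens the home net, which is the ordering mistake to watch for when auditing a guest interface.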

