Netgate Discussion Forum
Simplest way to block OPT1 accessing LAN yet allow 2 devices on OPT1 access

Firewalling
yea:

Hi

I have OPT1 connected to an AP on 172.20.1.x
I have LAN on 192.168.0.x

I want to block all on OPT1 accessing the LAN net, except for 2 devices which should only be able to connect to one IP on the LAN net and to a specific port.

1. I have created a rule on OPT1 blocking OPT1 net from accessing LAN net.

2. I also have another rule on OPT1 saying "alias of the 2 devices on OPT1" allow "LAN device ip alias" "LAN device port alias".

Can I order the rules in such a way as to block all traffic to LAN (1), and have my other rule (2) work? Or does the block rule overrule the allow rule?

If not, is there a simple way to achieve what I'm after?

Hope that all makes sense.

doktornotor (Banned):

Rules are top down, first match wins.

johnpoz (LAYER 8 Global Moderator):

Post up your rules on your opt interface. But dok is correct, rules are evaluated as traffic enters an interface. Top down, first rule to trigger wins, no other rules are evaluated.

If you need a picture I can post. But this is really drop dead simple.

If your top rule on opt is block, then your 2nd rule to allow would never be evaluated. Put your rule above that allows your specific IPs to go to lan, then below put your block if you want. Since there is a default deny there really is no need for the block rule at all. All interfaces have a default deny (not shown in the gui) that would block all traffic that is not allowed.

yea:
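As an added example (it is not code from this thread, from pfSense or from Netgate), here is a small Python model of the evaluation order described above: rules on the interface where traffic enters are walked top down, the first match is final, and anything unmatched falls to the implicit default deny. The /24 masks, the two device addresses (172.20.1.10 and .11), the LAN server (192.168.0.50) and the port (8080) are assumed values standing in for the poster's aliases.

```python
# Added example (not from the thread or from pfSense itself): a model of how
# pfSense evaluates interface rules, used to show why rule order decides
# whether the two-device exception works. Host addresses and the port are
# constructed for the demonstration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Networks from the thread; the host-size values are assumptions.
OPT1_NET = ipaddress.ip_network("172.20.1.0/24")
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
ALLOWED_DEVICES = frozenset({ipaddress.ip_address("172.20.1.10"),
                             ipaddress.ip_address("172.20.1.11")})  # "alias of the 2 devices" (assumed)
LAN_SERVER = frozenset({ipaddress.ip_address("192.168.0.50")})      # "LAN device ip alias" (assumed)
LAN_PORT = 8080                                                     # "LAN device port alias" (assumed)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def pkt(src: str, dst: str, dport: int) -> Packet:
    """Build a packet from dotted strings (helper for the demo and tests)."""
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: object                  # an ip_network, or a frozenset of addresses (an alias)
    dst: object
    dport: Optional[int] = None  # None matches any destination port
    description: str = ""

    def matches(self, p: Packet) -> bool:
        # `in` covers both ip_network containment and alias (set) membership.
        return (p.src in self.src and p.dst in self.dst
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules, p: Packet):
    """Rule evaluation on the interface the traffic enters: top down, the
    first rule that matches wins and nothing after it is consulted; a packet
    matching no rule hits the implicit default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.description
    return "block", "default deny (implicit, not shown in the GUI)"


def decide(rules, p: Packet) -> str:
    return evaluate(rules, p)[0]


# The two rules described in the thread, both on the OPT1 tab because that is
# where traffic from the OPT1 devices enters the firewall.
BLOCK_ALL = Rule("block", OPT1_NET, LAN_NET, None, "block OPT1 net -> LAN net")
ALLOW_TWO = Rule("pass", ALLOWED_DEVICES, LAN_SERVER, LAN_PORT,
                 "allow 2 devices -> LAN server on the one port")

ORDER_AS_POSTED = [BLOCK_ALL, ALLOW_TWO]   # block on top: the allow is never reached
ORDER_FIXED = [ALLOW_TWO, BLOCK_ALL]       # allow on top, block below it
ORDER_MINIMAL = [ALLOW_TWO]                # the default deny already covers the rest

# Constructed sample traffic covering the cases that matter.
SAMPLE_TRAFFIC = [
    pkt("172.20.1.10", "192.168.0.50", 8080),  # permitted device, right host, right port
    pkt("172.20.1.11", "192.168.0.50", 8080),  # the other permitted device
    pkt("172.20.1.20", "192.168.0.50", 8080),  # any other OPT1 host
    pkt("172.20.1.10", "192.168.0.50", 22),    # permitted device, wrong port
    pkt("172.20.1.10", "192.168.0.7", 8080),   # permitted device, wrong LAN host
]


def table(rules):
    """Decision for every sample packet, keyed by (src, dst, dport)."""
    return {(str(p.src), str(p.dst), p.dport): decide(rules, p) for p in SAMPLE_TRAFFIC}


if __name__ == "__main__":
    for name, rules in (("as posted", ORDER_AS_POSTED), ("fixed", ORDER_FIXED),
                        ("minimal", ORDER_MINIMAL)):
        print(f"== {name} ==")
        for p in SAMPLE_TRAFFIC:
            action, why = evaluate(rules, p)
            print(f"{p.src} -> {p.dst}:{p.dport:<5} {action:5} ({why})")
```

Running it prints a decision table for each ordering: with the block on top the permitted devices are blocked by the first rule; with the allow on top they pass and everything else is still blocked; and the single allow rule on its own gives exactly the same results, because the unmatched traffic hits the default deny. Two things the model leaves implicit: pfSense gives rules created in the GUI pf's `quick` keyword, which is what makes the first match final (a hand-written pf.conf rule without `quick` is last-match-wins instead), and these rules only govern traffic entering on OPT1, so connections initiated from LAN towards OPT1 are decided by the LAN tab.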

I apologise for the late reply, but your help has been very useful.

Thank you :)
