1xwan, 3xlan, natting & firewall rules problems

  • Hi all, happy to be finally posting here after being a long-standing user of pfsense. Never got stuck before like I am now :)

    I have recently redone my installation on my APU board at home and decided to move away from a bridged setup to 3 separate subnets, in the hope of getting better flow control and isolating certain devices.

    Network layout:

    Modem(bridged) -------- pfsense(lan1)-----pfsense(lan2)------pfsense(wlan)
                                    |                  |                |
                                    |                  |                |-- Several WLAN devices
                                    |                  |-- TV
                                    |                  |-- Mediacenter
                                    |--Main PC
                                    |--Other stuff

    LAN1 = 10.0.0.x/26 -- DHCP: range x.x.x.50 --> x.x.x.60
    LAN2 = 10.0.1.x/26 -- DHCP: None
    WLAN = 10.0.2.x/26 -- DHCP: range x.x.x.10 --> x.x.x.60

    Inbound PureNAT portforwarding (with autorules) was set up for making certain services available over the WAN, this works fine.

    Straight out of the box this already worked almost perfectly, except that, for example, the NAS was not reachable from the WLAN subnet. All other devices, like the printer etc., however, worked fine. Also, the problem was not the NAS itself, as it was reachable from the WAN, from LAN2 and from inside LAN, just not from the WLANaddress.

    I solved this by setting "outbound NAT" to hybrid and creating the following manual rules:

    Interface | Source | NAT Address
    LAN1      |        | LAN1address
    LAN1      |        | LAN1address
    etc. until all subnets have been crosslinked

    My (default) routes look as follows:

    Destination   Gateway    Flags   Use       Mtu     Netif
    default       x.x.x.x    UGS     320976    1500    re0
                  link#2     U       791211    1500    re1
                  link#2     UHS     0         16384   lo0
                  link#3     U       181499    1500    re2
                  link#3     UHS     0         16384   lo0
                  link#9     U       3629332   1500    ath0_wlan0
                  link#9     UHS     202678    16384   lo0
                  link#8     UH      6642      16384   lo0

    Eureka, connections to everywhere are now possible :) Not sure this was the right way to do it, but at least it works, at which point the wife was happy to be able to browse Amazon again :D

    We now reach the point where I think I'm stuck: the firewall rules.

    Starting at WLAN, just a few rules are on this interface, as I don't want to allow much incoming (unsolicited) traffic on this subnet:

    • lockout rule source:WLANnet --> destination:WLANaddress port:443 https
    • source:WLANnet --> destination:WLANaddress port:53 DNS
    • source:WLANnet --> destination:any port:any

    This last rule makes my internet work; without it no WLAN device is able to access anything outside the subnet it's in. Logical, really.

    • This is also leaking traffic to the other subnets: for example, on LAN1 I do not explicitly allow port 433 of the printer to be accessible, but as long as this "allow any" rule is active that service is reachable from inside the WLAN.

    I probably need to change the way I think about this; who can point me in the right direction to reach the following goals:

    • always allow free traffic inside each subnet
    • not allow crossover traffic to other subnets unless specifically specified
    • help packets find their way to the gateway without the help of "allow any"
    • VLAN is not an option as I use a couple of switches (1 per subnet) that won't support managed options

    What I'm trying to do here is probably not that hard, and I feel I'm close; however, I suspect I'm making a couple of logic thinking errors due to my limited networking knowledge. Any help is appreciated.
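Added example, not from the post or from pfSense itself: a small Python model of pfSense's top-down, first-match evaluation on the WLAN tab, run over constructed flows. It shows why the closing "allow any" rule lets WLAN reach the LAN1 printer, and how a block rule for the other local subnets placed above "allow any" gives the isolation asked for while internet and intra-subnet traffic keep working. The WLAN gateway address 10.0.2.1, the sample hosts and the TEST-NET public address are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subnets as in the post (/26); the interface address on WLAN is assumed.
WLAN_NET = ipaddress.ip_network("10.0.2.0/26")
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/26", "10.0.1.0/26", "10.0.2.0/26")]
WLAN_ADDRESS = ipaddress.ip_network("10.0.2.1/32")  # assumed gateway IP on the WLAN interface

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: List[ipaddress.IPv4Network]
    dst: Optional[List[ipaddress.IPv4Network]]  # None means "any" destination
    port: Optional[int]          # None means any destination port
    name: str

def matches(rule: Rule, src, dst, port: int) -> bool:
    if not any(src in n for n in rule.src):
        return False
    if rule.dst is not None and not any(dst in n for n in rule.dst):
        return False
    return rule.port is None or rule.port == port

def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, str]:
    """First matching rule wins, as on a pfSense interface tab; no match is the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if matches(r, s, d, port):
            return r.action, r.name
    return "block", "default deny"

# The WLAN ruleset described in the post: the final "allow any" also covers LAN1 and LAN2.
LEAKY = [
    Rule("pass", [WLAN_NET], [WLAN_ADDRESS], 443, "webgui"),
    Rule("pass", [WLAN_NET], [WLAN_ADDRESS], 53, "dns"),
    Rule("pass", [WLAN_NET], None, None, "allow any"),
]

# Fixed ordering: block the *other* local subnets first, then "allow any" only reaches the internet.
# Own-subnet traffic is excluded from the block, so WLAN-to-WLAN stays free.
OTHER_LOCAL = [n for n in LOCAL_NETS if n != WLAN_NET]
ISOLATED = LEAKY[:2] + [
    Rule("block", [WLAN_NET], OTHER_LOCAL, None, "block other subnets"),
    Rule("pass", [WLAN_NET], None, None, "allow any"),
]

if __name__ == "__main__":
    for flow in (("10.0.2.20", "10.0.0.5", 443), ("10.0.2.20", "203.0.113.10", 443)):
        print(flow, "leaky:", evaluate(LEAKY, *flow), "isolated:", evaluate(ISOLATED, *flow))
```

Any device-specific holes (e.g. the printer) then become explicit pass rules placed above the block rule, which is the "unless specifically specified" part of the goal.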
