Netgate Discussion Forum

    Change Default Rule for DEV Environment - stop internet access

    Firewalling
    4 Posts 3 Posters 460 Views
    • remi170289

      Hi,

      I have one pfSense with 4 interfaces:
      -PROD
      -LAB
      -DEV
      -WAN

      For example, I want to block access from the DEV environment to the PROD environment.
      Currently, I have a simple rule (like the default): DEV to *
      But if I change "DEV to *" and replace it with "DEV to WAN", my Internet access stops on a DEV machine.
      I don't understand why. It's really simple: I just want to be sure that DEV can't access PROD, but only the Internet (WAN).

      Do you know why it's not working if I change this parameter?

      Thank you

      • KOM

        Add some block rules above your Allow DEV to * rule.  Block DEV to LAB.  Block DEV to LAN.  That's one way to do it.

        • johnpoz LAYER 8 Global Moderator

          Dev to wan net or address would be just that: dev to whatever the wan net or address is.  That is not the internet, that is just the network your wan is connected to… Just like your lan net is say 192.168.1.0/24, your wan net might be say 1.2.3.0/21 or something.

          If you do not want dev to goto prod then block/reject dev to prod net above your default any any allow rule.

          Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

          Keep in mind that any states that already exist would still be allowed...  So if say dev talked to a box in prod, and then you added the block rule, that dev box would still be able to use the session it had created before you put in the rule, unless you flush that state or close that connection on either of the devices so the state is closed on pfsense.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          • remi170289
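The two answers above (block rules placed above the allow rule, top-down first-match evaluation, "WAN net" being only the WAN's own subnet, and existing states surviving a rule change) can be checked against a small model. The following is an added example written for this thread, not pfSense code and not posted by any participant: a toy first-match evaluator with a minimal state table. All networks and hosts in it are constructed placeholders, states are simplified to a (source, destination) pair, and "block" and "reject" are treated the same way.

```python
# Added example: toy model of how pfSense applies rules on the DEV interface.
# Not pfSense code. Networks below are constructed placeholders, not the
# poster's real addressing.
import ipaddress
from dataclasses import dataclass, field

# Hypothetical interface networks. Note that "WAN net" is only the subnet the
# WAN interface sits on; hosts on the Internet are outside it.
NETS = {
    "DEV net": ipaddress.ip_network("10.30.0.0/24"),
    "PROD net": ipaddress.ip_network("10.10.0.0/24"),
    "LAB net": ipaddress.ip_network("10.20.0.0/24"),
    "WAN net": ipaddress.ip_network("203.0.113.0/24"),
}

DEV_HOST = "10.30.0.5"          # a machine in DEV
PROD_HOST = "10.10.0.8"         # a machine in PROD
WAN_NEIGHBOUR = "203.0.113.9"   # something on the WAN subnet itself
INTERNET_HOST = "198.51.100.7"  # a host beyond the WAN, i.e. "the Internet"


@dataclass
class Rule:
    action: str  # "pass", "block" or "reject"
    src: str     # alias from NETS, or "any"
    dst: str


def _matches(alias, ip):
    return alias == "any" or ip in NETS[alias]


def evaluate(rules, src_ip, dst_ip):
    """Rules are evaluated top down; the first rule that matches decides.
    If nothing matches, pfSense's implicit default is to block."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action
    return "block"


# The poster's original rule, the "DEV to WAN" change that broke Internet
# access, and the fix suggested in the thread (block above the allow).
ORIGINAL = [Rule("pass", "DEV net", "any")]
WAN_ONLY = [Rule("pass", "DEV net", "WAN net")]
FIXED = [Rule("block", "DEV net", "PROD net"), Rule("pass", "DEV net", "any")]
# Same two rules in the wrong order: the allow matches first, so the block
# below it is never reached.
WRONG_ORDER = list(reversed(FIXED))


@dataclass
class Firewall:
    """Ruleset plus a minimal state table keyed by (src, dst)."""
    rules: list
    states: set = field(default_factory=set)

    def packet(self, src_ip, dst_ip):
        key = (src_ip, dst_ip)
        if key in self.states:
            return "pass"  # an existing state bypasses the ruleset entirely
        action = evaluate(self.rules, src_ip, dst_ip)
        if action == "pass":
            self.states.add(key)  # a passed packet creates a state
        return action

    def flush_state(self, src_ip, dst_ip):
        self.states.discard((src_ip, dst_ip))


def stale_state_demo():
    """Reproduce the caveat from the thread: a DEV->PROD session opened under
    the old ruleset keeps working after the block rule is added, until the
    state is flushed. Returns the three observed decisions in order."""
    fw = Firewall(ORIGINAL)
    before = fw.packet(DEV_HOST, PROD_HOST)   # allowed, state created
    fw.rules = FIXED                          # operator adds the block rule
    still_open = fw.packet(DEV_HOST, PROD_HOST)  # existing state still passes
    fw.flush_state(DEV_HOST, PROD_HOST)       # kill the state (or close the session)
    after_flush = fw.packet(DEV_HOST, PROD_HOST)
    return before, still_open, after_flush


if __name__ == "__main__":
    for name, rs in [("ORIGINAL", ORIGINAL), ("WAN_ONLY", WAN_ONLY),
                     ("FIXED", FIXED), ("WRONG_ORDER", WRONG_ORDER)]:
        print(name, "DEV->PROD:", evaluate(rs, DEV_HOST, PROD_HOST),
              "DEV->Internet:", evaluate(rs, DEV_HOST, INTERNET_HOST),
              "DEV->WAN subnet:", evaluate(rs, DEV_HOST, WAN_NEIGHBOUR))
    print("stale state demo:", stale_state_demo())
```

Running it shows why "DEV to WAN net" only passed traffic to the WAN subnet and blocked everything beyond it, why the block must sit above the allow, and why a session opened before the rule change keeps flowing until its state is reset (Diagnostics > States in pfSense, or closing the connection on either end).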

            Perfect, it's working with a block above my rule DEV to *!

            Thank you very much  :)

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.