Netgate Discussion Forum

    Specific IP accessing different subnet

    Firewalling
    5 Posts 2 Posters 431 Views
    • zkab

      I have 3 NICs and created WAN, LAN and OPT1 and called them RED (WAN), GREEN (LAN) and BLUE (OPT1).

      GREEN 192.168.1.0/24 and DHCP enabled
      BLUE 192.168.2.0/24 and DHCP enabled

      GREEN will be connected to desktops & server
      BLUE will be connected to Unifi APs

      Basically I want a rule that a specific IP (192.168.2.10) on BLUE has access to GREEN and the other way also,
      that a specific IP (192.168.1.15) on GREEN has access to BLUE.

      My problem was that I didn't get access to the Internet from BLUE, so I copied the rules from GREEN -> BLUE and now
      the connection to the Internet works from BLUE.

      The next problem is a Catch 22 … if I specify a rule on BLUE telling that 192.168.2.10 should access GREEN and
      place it on top, access to the Internet will not be tested since the first rule is OK ... and then I lose
      the Internet connection.
      If I do it the other way around, the access to the Internet will be OK and the rule "192.168.2.10 access to GREEN" will not
      be executed ...

      This is a logical loop ... is there a way to get an Internet connection on BLUE without copying the GREEN rules as I did?
      In that case this will solve my problem.
      • zkab

        I saw on another post how this was solved so I created a rule for BLUE as in attached image.
        Should I add IPv6 also as additional rule … for the future ?

        • zkab

          Forgot to mention that the original problem still remains (Catch 22) … how is that solved ... obviously not by firewall rules

          • bingo600

            A packet is processed on the first rule (line) that "matches", meaning the first permit or deny that matches.
            This means the rule sequence (from top to bottom) is important.

            You (normally) make the filters on the "input LAN" (where the packet comes into the firewall), not the output LAN.

            So you "block Green on the Green interface", "Blue on the Blue interface", etc. …

            There is a hidden "deny anything to anywhere" at the bottom of every interface ruleset, so make sure to also permit the traffic to the Internet (the * destination matches ANY IP address and is used for accessing the Internet) ...

            You would want to do this:

            Green rules

            Permit (Green host) 192.168.1.15 to "Blue Net"   - Permits the specific host
            Deny   "Green Net" to "Blue Net"                 - Denies all Green hosts from reaching Blue Net (the one we allow is matched above)
            Permit "Green Net" to *                          - Allows Green to reach * aka the Internet

            Blue rules

            Permit (Blue host) 192.168.2.10 to "Green Net"   - Permits the specific host
            Deny   "Blue Net" to "Green Net"                 - Denies all Blue hosts from reaching Green Net (the one we allow is matched above)
            Permit "Blue Net" to *                           - Allows Blue to reach * aka the Internet

            /Bingo

            If you find my answer useful - Please give the post a 👍 - "thumbs up"

            pfSense+ 23.05.1 (ZFS)

            QOTOM-Q355G4 Quad Lan.
            CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
            LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

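The first-match behaviour in the answer above, as an added example that is not part of the original thread: a small Python evaluator walks the BLUE and GREEN rulesets exactly as listed, and then walks the BLUE rules once more with the "to *" permit moved to the top to show why the deny never fires in that order. Host addresses other than 192.168.2.10 and 192.168.1.15 are constructed for the demonstration; 203.0.113.5 stands in for any Internet host.

```python
"""First-match walk over the BLUE and GREEN rulesets from the answer above.

Constructed example: hypothetical flows are checked against the rules in the
order given, and once more with the 'to *' permit placed first.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

GREEN_NET = ip_network("192.168.1.0/24")
BLUE_NET = ip_network("192.168.2.0/24")
ANY = ip_network("0.0.0.0/0")  # the "*" destination in the pfSense rule editor


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    note: str = ""

    def matches(self, src_ip: IPv4Address, dst_ip: IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst


def evaluate(rules: list, src: str, dst: str) -> str:
    """Return the action of the first matching rule; the hidden
    deny-everything rule at the bottom decides when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action
    return "block"


# Rules on the BLUE interface, i.e. where BLUE traffic enters the firewall.
BLUE_RULES = [
    Rule("pass", ip_network("192.168.2.10/32"), GREEN_NET, "specific BLUE host to GREEN"),
    Rule("block", BLUE_NET, GREEN_NET, "rest of BLUE stays out of GREEN"),
    Rule("pass", BLUE_NET, ANY, "BLUE to * (Internet)"),
]
GREEN_RULES = [
    Rule("pass", ip_network("192.168.1.15/32"), BLUE_NET, "specific GREEN host to BLUE"),
    Rule("block", GREEN_NET, BLUE_NET, "rest of GREEN stays out of BLUE"),
    Rule("pass", GREEN_NET, ANY, "GREEN to * (Internet)"),
]
# Same three BLUE rules with the 'to *' permit first: the block never fires.
BLUE_RULES_PERMIT_ANY_FIRST = [BLUE_RULES[2], BLUE_RULES[0], BLUE_RULES[1]]

if __name__ == "__main__":
    for name, rules in (("BLUE, correct order", BLUE_RULES),
                        ("BLUE, permit-any first", BLUE_RULES_PERMIT_ANY_FIRST)):
        for dst in ("192.168.1.15", "203.0.113.5"):   # GREEN host, Internet host
            for src in ("192.168.2.10", "192.168.2.50"):
                print(f"{name}: {src} -> {dst}: {evaluate(rules, src, dst)}")
```

With the permit-any rule on top, 192.168.2.50 -> 192.168.1.15 is passed, which is the leak the ordering in the answer avoids.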
            • zkab

              Thanks for explaining … now I understand how I should do  :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.