PFSense VM, WAN LAN & OPT1



  • Im attaching an image of how I would like to layout my network at home. My modem is connected to my desktop onboard NIC. I have removed TCPIP protocols from the onboard NIC and am using a loopback adapter to connect to the WAN on my VM. My desktop is working great.

    I now want to connect my Laptop to my second NIC card on my desktop, and have it communicate with my desktop. But I do NOT want my laptop to be able to connect to the internet.

    WAN - internet address
    LAN - 192.168.1.1
    OPT1 - 192.168.2.1

    Now I will need to use a crossover cable between the laptop and the desktop. Setup DHCP on the OPT1 interface. Configure NAT to allow communication between X.X.1.1 and X.X.2.1. And setup appropriate firewall rules.

    This is where I get a little confused. I heard that OPT1 cannot communicate to LAN. But can communicate with WAN which in turn communicates with LAN. Is this correct? If so then my laptop will be able to access the internet. And I fail.

    Can I get OPT1 to communicate with LAN directly? Or will I need to have OPT1 communicate to WAN to get access to LAN? And can I add firewall rules to block OPT1 from the internet completely with this setup?

    I appreciate any help. Thanks.



  • Each network attached to an interface can communicate with each other as long as the firewall rules defined on the incoming interface permit it.

    There is no NAT needed for communication between the network. NAT is only needed for outgoing traffic to the internet, but that does pfsense automatically by default.

    Also by default the OPT network cannot access anything on other network, since there is no firewall rule on OPT allowing it.

    On LAN interface there is a default allow any to any rule. So you can get anywhere from devices connected to LAN.

    To if you want to access LAN from OPT1 (you may change the interface name) go the the OPT1 firewall rule tab and add a pass rule with protocol = any, source = OPT1 net, destination = LAN net, dest. ports = any.
    If you want you may restrict access to specific port or destination addresses.



  • Awesome! So I CAN get OPT1 to talk to LAN without going through WAN interface. That is great news. And no NAT to setup either. Fantastic.

    As you can tell. I'm new to all this. But I'm getting it figured out. Thanks for the help!



  • I deleted my posts, it was all fixed by disabling Windows Firewall.



  • So tonight I tried to start by splitting my lan traffic from my laptop traffic. I made two rules, to allow traffic for each connection. When they are enabled I can no longer access the internet. But if I have one rule to allow * network to * network, I have internet. Don't both previous rules together equal the same as the third alone?

    WORKS:

    DOES NOT WORK:

    Thanks.



  • No, WAN net is not the internet, it is only the subnet defined on the WAN interface. To get internet access you have to allow access to any.

    You may permit access to the internet and anywhere else but not to Laptop net by editing your third rule and check "invert" at destion and selecting "Laptop net".
    More secure against configurations failures would be to add a block rule for the Laptop net.

    For allowing internet access, but not access to internal network, I set an alias in Firewall > Aliases > IP which includes all RFC 1918 network and use this alias in the firewall rules at destination. That's useful if you have multiple internal networks and also matches if your network is growing up.



  • Good info, thanks. Gives me some direction. Still a lot to learn. I appreciate the help.