  • Hi pfSense folks - pretty new here.

    I have Windows Server machines in a VLAN called VLAN2100_WINSRV and I need them to access neighboring VLANs but not get out to the internet.

    I have tried this (and lots of other options) but nothing is working. I simply need to block internet access and allow all other access.

    Protocol | Source | Port | Destination | Port | Gateway | Queue
    IPv4 * | VLAN2100_WINSRV net | * | !WAN net | * | * | none

    From how I understand this rule to work, all access except the WAN network should be allowed.

    Help appreciated!

  • WAN net is only the subnet configured on WAN interface.
    Presumably you have only RFC 1918 networks inside your network, so the best way is to add an alias (Firewall > Alias > IPs) and add all RFC 1918 networks to it. Then use this alias as the destination in a pass rule on the appropriate interface to allow access only to internal networks.

  • Actually, WAN net would be just the subnet from your ISP, and only that subnet. So anything not in that subnet - namely, the rest of the internet - would still work.

    You would want to create an allow rule for each of your other VLAN networks, then a more global rule to block any, and put that block rule after your other allow rules.

    The default block rule should take care of that. Just allow only the traffic you want; everything else will be blocked.

    Yes, it's better to use the narrowest allow rules you can, to avoid ever accidentally allowing access to something you didn't want to.
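The point made in both answers (that "!WAN net" only excludes the ISP subnet, and that a pass-to-RFC-1918 rule followed by the default deny is what actually keeps the servers off the internet) can be checked without touching a firewall. The following is an added example, not code from the thread or from pfSense: a small first-match rule evaluator in the style of pfSense interface rules, run over the rule set as originally posted and over the corrected one. All addresses are assumed for illustration (WAN net is taken to be 203.0.113.0/24 from TEST-NET-3, and the VLANs are 10.21.0.0/24 and 10.22.0.0/24); the simulation is IPv4-only, like the posted rule.

```python
"""First-match firewall rule simulation for the VLAN2100_WINSRV question.

Added example; nothing here is pfSense code. Addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

Net = ipaddress.IPv4Network


def nets(*cidrs: str) -> List[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]


# Assumed addressing (the thread gives no addresses).
WAN_NET = nets("203.0.113.0/24")      # "WAN net" is only the ISP-assigned subnet on WAN
VLAN2100_WINSRV = nets("10.21.0.0/24")
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = nets("0.0.0.0/0")


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: List[Net]
    dst: List[Net]
    negate_dst: bool = False    # the "!" (invert match) on the destination field
    name: str = ""


def _in_any(ip: ipaddress.IPv4Address, networks: List[Net]) -> bool:
    return any(ip in n for n in networks)


def rule_matches(rule: Rule, src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dst_hit = _in_any(d, rule.dst)
    if rule.negate_dst:
        dst_hit = not dst_hit
    return _in_any(s, rule.src) and dst_hit


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; no match falls through to the implicit default deny."""
    for r in rules:
        if rule_matches(r, src, dst):
            return r.action
    return "block"


# Rule set as posted: pass from the VLAN to any destination that is not WAN net.
ORIGINAL_RULES = [
    Rule("pass", VLAN2100_WINSRV, WAN_NET, negate_dst=True, name="pass to !WAN net"),
]

# Rule set per the answers: pass only to an RFC 1918 alias, then block the rest.
# The explicit block duplicates the default deny, but it shows the intent in the
# rule list and gives you a rule to enable logging on.
FIXED_RULES = [
    Rule("pass", VLAN2100_WINSRV, RFC1918, name="pass to RFC1918 alias"),
    Rule("block", VLAN2100_WINSRV, ANY, name="block everything else"),
]

SRC = "10.21.0.10"   # a Windows server in VLAN2100_WINSRV (assumed)

if __name__ == "__main__":
    for dst in ("10.22.0.5", "203.0.113.7", "8.8.8.8"):
        orig = evaluate(ORIGINAL_RULES, SRC, dst)
        fixed = evaluate(FIXED_RULES, SRC, dst)
        print(f"{dst:>14}: original={orig:5}  fixed={fixed}")
```

Running it shows the failure mode directly: with the posted rule, a packet to 8.8.8.8 is not in WAN net, so the inverted destination matches and the traffic passes; only the ISP subnet itself is blocked. With the RFC 1918 alias, 8.8.8.8 falls through to the block rule while 10.22.0.5 on the neighboring VLAN still passes. Note the caveat from the last reply applies to the alias too: it grants the servers every RFC 1918 destination, including VLANs and firewall addresses you may not want them reaching, so per-VLAN aliases are the safer shape once you know which neighbors they actually need.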


