Netgate Discussion Forum
    Rule for non-local network access (internet access only)

    Firewalling
    5 Posts 4 Posters 3.7k Views
    • wuffe

      Some months ago I added another network adapter/interface to my pfSense install.
      The new interface was meant to give internet access only; no access to the other segments of pfSense was allowed from this segment.

      Now I know that this is my own fault, but I just forgot to insert deny rules for access to some of the other segments, and since the new segment was going to give access to the internet, the last/bottom rule "allow anything to anything" kicked in and not only gave internet access but also access to the segments that were not explicitly denied.

      This stupidity from my own hand made me wonder whether there existed some kind of one-line rule that would ONLY allow access to non-local networks, meaning that only access to the internet was possible.

      Thanks in advance

      Kind regards Uffe

      • GruensFroeschli


        For such setups I use rules like the one in the attached screenshot:
        The alias "localnet" contains all my local subnets.

        [attached image: rule.png]

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • evewes


          I made two aliases, one with my static IPs 192.168.1.0-19 and another with my dynamic IPs 192.168.1.20-30.
          I put up a firewall rule that blocks the alias "dynamic IP" from reaching the alias "static IP".
          It will not work; they still see the static computers. Have I thought wrong?

          I should have put the wireless AP on OPT1, but the bridge makes the CP non-functional in 1.2.2 and earlier releases,
          for what I know from reading the forum.

          • glued2


            I have a few VLANs, 192.168.0.0/24, 192.168.8.0/24 and 192.168.10.0/24, so to allow traffic to the entire internet I simply use a rule where the source is any and the destination is not 192.168.0.0/16.
            (As others have suggested, you could use aliases, but that's how I do it.)

            HTH

            • wuffe


              Thanks for your suggestions.

              The alias solution has been on my mind, but I was hoping that there was some kind of more "automatic" solution...

              As far as I know PF has a clear picture of the local network interfaces, their IP addresses and their subnets, and hence I was hoping that some kind of dynamic PF table would always reflect the local interfaces.

              Kind regards Uffe

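The following is an added example, not posted by anyone in this thread, showing in raw pf.conf syntax both what GruensFroeschli's "localnet" alias rule does and the "automatic" variant wuffe asks for: pf's own `interface:network` and `(self)` expansions stand in for a hand-maintained alias, so a segment is covered as soon as its interface has an address. The interface names lan, opt1 and opt2 are assumptions, with opt2 being the internet-only segment; pfSense's GUI normally generates this file itself, so the rules here illustrate the mechanism rather than what pfSense emits.

```pf
# Added example, not from the thread. Interfaces lan, opt1, opt2 are assumed;
# opt2 is the segment that may only reach the internet.

# Every local subnet, taken from the interfaces' own configuration
# (pf expands "lan:network" to the subnet assigned to lan, and so on).
localnet = "{ lan:network, opt1:network, opt2:network }"

# Private address space for the coarser "block all RFC 1918" variant. It is a
# table on purpose: negating a brace list (to ! { a, b }) expands into one
# rule per entry, each negating a single address, which is not "none of these".
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. Services the firewall itself offers to opt2 (DNS here, port assumed) must
#    be passed before the block on (self) below; adjust to what you run.
pass in quick on opt2 inet proto { tcp, udp } from opt2:network to opt2 port 53

# 2. Deny everything else that is headed for another local segment or for any
#    address owned by the firewall. "quick" ends evaluation on match, so the
#    catch-all pass in rule 3 can never undo these blocks.
block in quick on opt2 from opt2:network to $localnet
block in quick on opt2 from opt2:network to (self)

# 3. Whatever is left is by construction non-local: let it out. This is the
#    "allow anything to anything" rule from the first post, now safe because
#    rule 2 runs first.
pass in on opt2 from opt2:network to any keep state

# Alternative single-rule form in the spirit of glued2's "not 192.168.0.0/16":
# block everything private instead of listing local interfaces. Simpler, but it
# also cuts off any routed private network (a VPN peer, say), and it relies on
# negating a table rather than a brace list, as explained above.
# pass in on opt2 from opt2:network to ! <rfc1918> keep state
```

The practical check after loading such a ruleset is `pfctl -sr` to confirm that the expanded block rules really list every local subnet and that they sit above the catch-all pass; the ordering, not the alias, is what closes the gap described in the first post.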
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.