Netgate Discussion Forum
Rule for non-local network access (internet access only)

Firewalling
5 Posts 4 Posters 3.7k Views
    wuffe
    last edited by Mar 18, 2009, 2:00 AM

    Rule for non-local network access (internet access only)

    Some months ago I added another network adapter/interface to my pfsense install.
    The new interface was meant to give internet access only - no access to the other segments of pfsense was allowed from this segment.

    Now I know that this is my own fault - but I just forgot to insert deny rules for access to some of the other segments, and since the new segment was going to give access to the internet, the last/bottom rule "allow anything to anything" kicked in and not only gave internet access but also access to the segments that were not explicitly denied.

    This stupidity from my own hand made me wonder whether there existed some kind of one-line rule that would ONLY allow access to non-local networks, meaning that only access to the internet was possible.

    Thanks in advance

    Kind regards Uffe

      GruensFroeschli
      last edited by Mar 18, 2009, 7:11 AM

      I use for such setups rules like in the attached screenshot:
      The alias "localnet" contains all my local subnets.

      [attachment: rule.png]

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        evewes
        last edited by Mar 18, 2009, 2:15 PM

        I made two aliases, one with my static IPs 192.168.1.0-19 and another with my dynamic IPs 192.168.1.20-30.
        I put up a firewall rule that blocks the alias dynamic IP from reaching the alias static IP.
        It will not work; they see the static computers. Have I thought wrong?

        I should have put the wireless AP on OPT1, but the bridge puts the CP out of function in 1.2.2 and earlier releases,
        for what I know from reading the forum.

          glued2
          last edited by Mar 18, 2009, 4:39 PM

          I have a few VLANs, 192.168.0.0/24, 192.168.8.0/24 and 192.168.10.0/24, so to allow traffic to the entire internet I simply say: source is any and destination is not 192.168.0.0/16.
          (As others have suggested you could use aliases - but that's how I do it).

          HTH

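The approach in the two replies above (a pass rule whose destination is the negation of an alias holding every local subnet), written out as a pf.conf fragment so the ordering and the default-deny are visible. This is an added example, not from the thread or from pfSense itself; the interface names, subnets and the DNS rule are assumptions.

```pf
# Added example, not from the thread: "allow only non-local destinations"
# as pf.conf rules. Interface names and subnets are assumptions.
wan   = "em0"
lan   = "em1"
guest = "em2"   # the internet-only segment

# Every local subnet, including the guest segment itself. "const" prevents
# runtime changes, so an entry cannot be dropped by accident.
table <localnet> const { 192.168.0.0/24, 192.168.8.0/24, 192.168.10.0/24, \
                         192.168.20.0/24 }

# Default deny: anything not explicitly passed below is dropped and logged.
# This is what the original poster's bottom "allow any" rule was missing.
block log all

# Guest hosts still need DNS from the firewall's own address on that
# interface; ($guest) follows the address if it changes. This must come
# before the negated rule, because the firewall itself is inside <localnet>.
pass in quick on $guest inet proto { tcp udp } \
    from $guest:network to ($guest) port 53 keep state

# The one-line rule the thread asks for: pass only to destinations outside
# every local subnet. Any segment listed in the table is unreachable from
# the guest network, including segments added later, as long as they are
# added to the table as well.
pass in quick on $guest inet from $guest:network to ! <localnet> keep state
```

In the pfSense GUI the last rule corresponds to a pass rule on the guest interface with the alias as destination and the "not" (invert match) box ticked.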
            wuffe
            last edited by Mar 18, 2009, 7:34 PM

            Thx for your suggestions.

            The alias solution has been on my mind - but I was hoping that there was some kind of more "automatic" solution…

            As far as I know PF has a clear picture of the local network interfaces, their IP addresses and their subnets, and hence I was hoping that some kind of dynamic PF table would always reflect the local interfaces.

            Kind regards Uffe

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.