Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Configure filewall rules to allow traffic initiated from Lan to OPT1 but not visaversa

    Scheduled Pinned Locked Moved
    Firewalling
    4
    8
    562
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      munson
      last edited by

      I am a newbie (no more said). My LAN is 192.168.1.x /24 and my OPT1 is 192.168.165.x/24. I want to be able to initiate traffic from LAN to OPT1 but not OPT1 to LAN. LAN is my computer network and OPT is my IOT network. I tried the following:

      Rules (Drag to Change Order)
      States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
      2 /2.53 MiB

          • LAN Address 443
            80 * * Anti-Lockout Rule
            35 /15.99 MiB
            IPv4 * LAN net * OPT1IOT net * * none Default allow LAN to any rule
            0 /0 B
            IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule

      Edit Firewall Rule

      This does not seem to work.

      I can ping from the LAN to OPT1 but not from OPT1 to LAN
      Any suggestions?

      1 Reply Last reply Reply Quote 0
      • N
        netblues
        last edited by

        You need to post rules both from lan and opt1 interfaces to receive anything meaningfull

        1 Reply Last reply Reply Quote 0
        • W
          whitekalu
          last edited by

          I don't know about the pfSense firewall rules as I'm also a newbie with pfSense.
          If I were you and I felt that I have configured pfSense firewall correctly then I would check the firewall systems in client are blocking the ICMP Echo request.
          Just my cheap opinion.

          1 Reply Last reply Reply Quote 0
          • M
            munson
            last edited by

            Here are the rules
            ![alt text](WAN Rules.png OPT1IOTRules.png LAN Rules 2019-04-05 182156.png image url))

            I appreciate any help and advice you can prove

            1 Reply Last reply Reply Quote 0
            • M
              munson
              last edited by

              Here is the OPT1IOT interface setup.OPT1IOT Interface 2019-04-05 183648.png

              1 Reply Last reply Reply Quote 0
              • N
                netblues
                last edited by

                As far as pfsense is concerned all traffic is allowed on both interfaces.
                Additionally last two rules on lan won't match any traffic just because it already matches on the second from top.
                Check firewall settings on lan machines.

                1 Reply Last reply Reply Quote 0
                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by Derelict

                  You do not need to do anything on LAN. It has a default pass source LAN net to dest any.

                  On OPT1IOT you want to:

                  Pass source OPT1IOT net dest any pfSense-served connections they need like DNS
                  Reject source OPT1IOT net dest LAN net
                  Reject source OPT1IOT net dest This firewall (self)
                  Pass source OPT1IOT net dest any

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  1 Reply Last reply Reply Quote 0
                  • M
                    munson
                    last edited by

                    Hi

                    Thanks for your quick response

                    @Derelict said in Configure filewall rules to allow traffic initiated from Lan to OPT1 but not visaversa:

                    On OPT1IOT you want to:
                    Pass source OPT1IOT net dest any pfSense-served connections they need like DNS

                    Do you mean this:

                    Pass source OPT1IOT net dest any pfSense-served connections they need like DNS.jpg

                    Reject source OPT1IOT net dest LAN net

                    Reject source OPT1IOT net dest LAN net
                    Do you mean this:
                    Reject source OPT1IOT net dest LAN net.jpg

                    Reject source OPT1IOT net dest This firewall (self)
                    Do you mean this:
                    Reject source OPT1IOT net dest LAN net.jpg
                    Pass source OPT1IOT net dest any
                    Do you mean this:
                    Pass source OPT1IOT net dest any.jpg

                    Thanks

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.