Netgate Discussion Forum
    Add New Interface for all my IoT devices and DMZ - no Internet access

    General pfSense Questions
    8 Posts 4 Posters 1.0k Views

      luckyzor
      last edited by luckyzor

      Hello,

      I want to add 2 new interfaces, DMZ and IoT.

      I've already added them, but unfortunately I can't access the internet from these new interfaces, nor reach these interfaces from the LAN. I don't know what to do now.

      c61bcdfd-a366-4850-ad77-818ac45f8cde-image.png

      5670b89b-4368-4f27-b4e1-5fe65f5f1008-image.png

      4767418e-1e52-4a39-9053-67130ba5d173-image.png

      f817e2c8-e050-4715-93bb-73bfcd2f498d-image.png

      can you please help me?

      Thank you

        marvosa
        last edited by marvosa

        There are several things to look for, some of which are already in place:

        • Are there firewall rules in place allowing outbound traffic on the IoT and DMZ interfaces? Looks like it.

        • Are the hosts configured correctly?

          • Using pfSense as the default gateway?

          • Using the correct mask?

          • Have an IP in the correct subnet?

        • Is there a downstream L3 switch on the network?

        • Are you using Automatic outbound NAT or Manual Outbound NAT?

          • If using Manual Outbound NAT, did you add NATs for the two new subnets?

        • Are you using the Resolver with ACLs configured?

          • If so, did you configure an ACL to allow queries from the two new subnets?

        "nor reach these interfaces from the LAN. I don't know what to do now."

        I believe this is working as intended as you have blocked the return traffic.

        You basically need to isolate whether there's actually a networking issue getting to the internet or if you're just having problems resolving DNS, then steer your troubleshooting accordingly.

          KOM
          last edited by

          https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

            stephenw10 Netgate Administrator
            last edited by

            It doesn't work from LAN because you're policy routing all that traffic via OpenVPN. You need a rule above that to pass traffic from LANnet to IoT or DMZ.

            There are no states/traffic showing on the pass rules on IoT or DMZ so nothing is trying to get out. Are devices on that interface even configured correctly?

            Steve

              luckyzor
              last edited by

              @stephenw10 Can you help me create that rule?

              Not all my devices use the OpenVPN gateway, but I want to be able (from the devices with the OpenVPN gateway) to access the other interfaces.

              Concerning the outbound NAT (thank you for your help @marvosa), it was on manual (the tutorial for adding NordVPN to pfSense tells you to put it on manual). I put it on hybrid and now the devices without OpenVPN as gateway can "see" the other interfaces.

              Thanks for your help

                stephenw10 Netgate Administrator
                last edited by

                It just needs to be a pass rule from source LANnet to destination IoTnet, and it needs to be above the "VPN hosts with VPN gateway" rule if those "VPN hosts" need to reach the IoT subnet.

                Steve

                  luckyzor
                  last edited by luckyzor

                  @stephenw10 Perfect :)
                  is this correct?
                  071af056-38ec-4af2-8877-ae9c0120ac66-image.png

                  Concerning the DMZ and IoT interfaces, for security reasons do you think I need more than these rules?

                  03fdabff-4603-46a8-bf69-a21da3e59b79-image.png

                  I tried to block all and only allow access to the internet, but I didn't manage to do it.

                  On the IoT interface I also want to create a rule to block some IPs from accessing the internet (local subnet access only), but I can't find how to do it. Can you help me with that too?

                  Thanks a lot for your help

                    stephenw10 Netgate Administrator
                    last edited by

                    Unless you have other devices in the actual WAN subnet you need to reach you probably don't want that LANnet to WANnet rule in LAN.

                    If you want to allow access to only the internet from DMZ I would include pass rules for DMZnet to DMZ address for UDP port 53 and 123 to allow clients DNS and NTP access. Then a deny rule for destination 'This Firewall'.

                    That would prevent DMZ clients accessing the pfSense webgui and other services using the WAN IP.

                    Steve

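As an added example, not code from the thread or from pfSense itself: a small Python model of pf's first-match rule evaluation, loaded with the two rule sets discussed above, the LAN ordering from stephenw10's replies (pass LANnet to IoTnet/DMZnet above the policy-routing "VPN hosts" rule) and the internet-only DMZ/IoT set (DNS/NTP to the interface address, then block "This Firewall", then pass to any). The subnets, the WAN address, the "VPN hosts" and "no internet" aliases and the gateway name are all constructed assumptions. It also goes a step beyond the post by adding a block towards the LAN subnet and a block for an alias of IoT hosts that should get no internet, the two things the OP asked for that the thread did not spell out.

```python
"""First-match simulation of the pfSense rule sets discussed in this thread.

Added example, not pfSense code. pf evaluates an interface's rules top to
bottom and stops at the first match (pfSense puts 'quick' on every GUI rule),
so rule order and the gateway on the matching rule decide what a host can
reach. All addresses, aliases and gateway names below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple, Union

# Constructed subnets and interface addresses (assumptions, not from the thread).
LAN_NET, LAN_ADDR = ip_network("192.168.1.0/24"), ip_address("192.168.1.1")
IOT_NET, IOT_ADDR = ip_network("192.168.20.0/24"), ip_address("192.168.20.1")
DMZ_NET, DMZ_ADDR = ip_network("192.168.30.0/24"), ip_address("192.168.30.1")
WAN_ADDR = ip_address("203.0.113.10")  # constructed pfSense WAN IP (TEST-NET-3)
# pfSense's "This Firewall" destination: every address the box itself owns.
THIS_FIREWALL = frozenset({LAN_ADDR, IOT_ADDR, DMZ_ADDR, WAN_ADDR})
# Constructed aliases: LAN hosts policy routed through OpenVPN, and IoT hosts
# that should have no internet access at all.
VPN_HOSTS = frozenset({ip_address("192.168.1.50"), ip_address("192.168.1.51")})
IOT_NO_INTERNET = frozenset({ip_address("192.168.20.200")})

Selector = Union[str, IPv4Network, IPv4Address, FrozenSet[IPv4Address]]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"          # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: Selector
    dst: Selector
    proto: Optional[str] = None             # None matches any protocol
    dports: FrozenSet[int] = frozenset()    # empty set matches any port
    gateway: str = "default"                # policy-routing gateway on pass rules
    descr: str = ""


def _matches(sel: Selector, addr: IPv4Address) -> bool:
    """Match an address against 'any', a network, an alias (set) or a host."""
    if isinstance(sel, str):
        return sel == "any"
    if isinstance(sel, (IPv4Network, frozenset)):
        return addr in sel
    return addr == sel


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str], str]:
    """Return (action, gateway, descr) of the first matching rule, or the
    implicit default deny when nothing matches."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for r in rules:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dports and pkt.dport not in r.dports:
            continue
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.action, r.gateway, r.descr
    return "block", None, "default deny"


# LAN rules as the OP had them: the VPN hosts rule sends *all* their traffic
# out OpenVPN, so an IoT destination is policy routed away instead of routed.
LAN_RULES_BEFORE = [
    Rule("pass", VPN_HOSTS, "any", gateway="OPENVPN_GW", descr="VPN hosts with VPN gateway"),
    Rule("pass", LAN_NET, "any", descr="Default allow LAN to any"),
]

# LAN rules with stephenw10's fix: LANnet -> IoTnet / DMZnet passes sit
# *above* the policy-routing rule and use the default gateway.
LAN_RULES_AFTER = [
    Rule("pass", LAN_NET, IOT_NET, descr="LANnet to IoTnet"),
    Rule("pass", LAN_NET, DMZ_NET, descr="LANnet to DMZnet"),
] + LAN_RULES_BEFORE


def isolated_rules(net: IPv4Network, if_addr: IPv4Address,
                   no_internet: FrozenSet[IPv4Address] = frozenset()) -> List[Rule]:
    """Internet-only rule set for DMZ/IoT as in stephenw10's last reply, plus
    two additions: a block for hosts that get no internet (DNS/NTP to the
    firewall still passes because that rule comes first) and a block towards
    the LAN subnet so that the final 'any' really means the internet."""
    return [
        Rule("pass", net, if_addr, proto="udp", dports=frozenset({53, 123}),
             descr="DNS and NTP to the interface address"),
        Rule("block", net, THIS_FIREWALL, descr="Block This Firewall"),
        Rule("block", no_internet, "any", descr="No-internet hosts"),
        Rule("block", net, LAN_NET, descr="Block to LAN"),
        Rule("pass", net, "any", descr="Allow out to the internet"),
    ]


if __name__ == "__main__":
    vpn_host_to_iot = Packet("192.168.1.50", "192.168.20.10", "icmp")
    print("before:", evaluate(LAN_RULES_BEFORE, vpn_host_to_iot))  # leaves via OPENVPN_GW
    print("after: ", evaluate(LAN_RULES_AFTER, vpn_host_to_iot))   # routed locally
    dmz = isolated_rules(DMZ_NET, DMZ_ADDR)
    print("webgui via WAN IP:", evaluate(dmz, Packet("192.168.30.10", str(WAN_ADDR), "tcp", 443)))
```

Run it as a script to see the before/after decisions, or import it and call `evaluate()` with your own `Packet`; a real ruleset is verified the same way by watching which rule's state counter increments under Firewall > Rules, which is exactly the observation stephenw10 used (no states on the IoT/DMZ pass rules meant nothing was even trying).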
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.