Guest Network Firewall Rules



  • I have pfSense (in a VM) installed and I have set up my LAN interface to have an IP address of 17.2.39.1. I also have a VLAN set up which uses 20 for the tag and is called GUESTWIFI in pfSense. I have a Unifi AP and Controller on the network. The AP has an address of 17.2.39.12. The GUESTWIFI has an IP of 17.2.37.1 and both the LAN and GUESTWIFI have DHCP servers configured. I am able to access the internet and local resources either by IP or hostname on either network.

    Now I want to limit the GUESTWIFI, or in other words VLAN20, to only be allowed to access the internet and specified local resources that will be accessed via a hostname such as media.domain.local. That hostname is set in pfSense as a DNS override and points to a reverse proxy server I have set up at 17.2.39.112, as this allows me to use SSL certificates from Let's Encrypt and also hide port numbers, as my media server does not use port 80 or 443.

    I have set up a rule to block access to the LAN net but have not been able to allow access to the specific resources that I want to.



  • Rule order is important. Please post a screencap of your firewall rules for GUESTWIFI. Also list what resources you can't access from where.



  • Screenshot from 2019-08-20 17-53-55.png

    I did some configuring and I was able to block all local resources. Then I went and added a rule to allow a NAS storage box, which is working, but when I add the top rule which aliases a hostname it allows more than just that hostname to be accessed. I assume this is because I am using a reverse proxy.



  • Do the hostname(s) in the alias resolve to private IP space or your WAN address (or VIPs)?

    Also, why are you using public IP space for your LANs? 17.0.0.0/8 is owned by Apple, I believe.


  • You are passing and blocking TCP only.

    Screen Shot 2016-06-18 at 9.34.20 PM.png



  • They resolve to a private IP, which is an Nginx server set up as a reverse proxy, which then accesses the server the service is running on. For example, the media server runs on 17.2.39.186 and uses port 8096. The reverse proxy is at 17.2.39.112 and redirects to the media server. This allows me to use SSL on all internal sites and also hide port numbers for a cleaner look.

    Derelict - I'll change to any protocol vs just TCP



  • Now your actual problem is that you say you can access more than just that hostname. If you can get to the proxy then what happens after that is the proxy's concern. pfSense just relays the packets between the networks. Can you give an example of what you mean and what happens?



  • So, for instance, I want to allow my roommate to watch videos from the media server but they should not have access to my mail server which is at mail.local.domain.

    I am not sure if setting up a Split DNS is the key and have 2 separate reverse proxies setup is the answer or how I would go about limiting access to other hostnames that are reverse proxied.

    When I added the rule to allow media.local.domain it allowed that through, but also mail.local.domain, which both run to the same reverse proxy.



  • I guess you have to have some way via proxy config to limit his access to destinations based on the clients IP address. pfSense has no knowledge of domains and URLs, just IP addresses and packets.


  • You will need to do that in access lists on the proxies.

    pfSense can filter on IP addresses, not host names in an HTTP session.



  • Thanks, Derelict I will look into how those are configured later this week.



  • I had a chance to test out access lists in Nginx and it worked perfectly. I added a deny line to the configuration for that particular domain/subdomain and it was blocked for the specified network. The next question I have, though, is the best way to set up the firewall rule in pfSense.

    I created a rule to allow access to the NAS system I have that is located at 17.2.39.32 and that works, but when I add a rule that uses an alias it only allows access when a subdomain is used that goes to that proxy server, such as movies.local.domain. When I just use domain.local or the IP address (17.2.39.112) of the reverse proxy it still gets blocked by pfSense. Should I just make a subdomain of guestnetwork.local.domain and have it go to the reverse proxy that just redirects to the main site for that proxy, so that I can control access from within Nginx?
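The split the thread arrives at, as an added example that is not the poster's own configuration: pfSense passes the guest VLAN to the proxy IP (17.2.39.112) and Nginx decides per hostname. It assumes the guest VLAN is 17.2.37.0/24 and the LAN is 17.2.39.0/24 (the thread only shows the gateway addresses), and uses placeholder certificate paths and a placeholder mail backend.

```nginx
# Added example, not from the thread. Assumed subnets: guest VLAN 17.2.37.0/24,
# LAN 17.2.39.0/24. Certificate paths and the mail backend are placeholders.

# media.local.domain: reachable from LAN and guest VLAN alike.
server {
    listen 443 ssl;
    server_name media.local.domain;
    ssl_certificate     /etc/letsencrypt/live/media.local.domain/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/media.local.domain/privkey.pem;    # placeholder

    location / {
        proxy_pass http://17.2.39.186:8096;   # media server named in the thread
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# mail.local.domain: same proxy IP, so pfSense cannot tell it apart from media.
# The access list here is what keeps guests out.
server {
    listen 443 ssl;
    server_name mail.local.domain;
    ssl_certificate     /etc/letsencrypt/live/mail.local.domain/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/letsencrypt/live/mail.local.domain/privkey.pem;     # placeholder

    deny  17.2.37.0/24;   # guest VLAN (assumed /24)
    allow 17.2.39.0/24;   # LAN (assumed /24)
    deny  all;            # anything else, e.g. if another VLAN is added later

    location / {
        proxy_pass http://MAIL_BACKEND_PLACEHOLDER;  # mail server address is not given in the thread
        proxy_set_header Host $host;
    }
}

# Catch-all for requests by bare IP or an unknown SNI name, so that hitting
# 17.2.39.112 directly does not land on whichever vhost is defined first.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/media.local.domain/fullchain.pem;  # placeholder, any valid pair
    ssl_certificate_key /etc/letsencrypt/live/media.local.domain/privkey.pem;    # placeholder
    return 444;   # close the connection without a response
}
```

Reload with `nginx -t && nginx -s reload`; the pfSense side then only needs a pass rule from GUESTWIFI net to 17.2.39.112 on 443 (any protocol the proxy serves), with the LAN net block rule below it.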

