Block Alias From Accessing LAN



  • I have one LAN and one WAN interface only in my pfSense setup. All my devices are receiving IPs from the LAN interface (all of them are in the 192.168.200.1/24 IP range). I was wondering, is it possible to add some of these devices, for example 192.168.200.11 and 192.168.200.12, to an alias called "LANBlocked" and then allow the devices in the LANBlocked alias to access the internet, but not any other device on the LAN?

    So in other words, I want 192.168.200.11 and 192.168.200.12 to be able to access the internet freely, but not any other devices or file shares, and not even be able to ping any other devices on the LAN such as 192.168.200.15-192.168.200.27.

    Thanks in advance.

    JJ


  •

    Traffic between hosts on the same subnet (your LAN) doesn't go through the GW (pfSense).



  • How can I achieve such segregation then? I want the IoT devices to not be able to access LAN but still be able to reach out to the internet. Is this even possible?



  • Add another interface with a different subnet for the IoT devices and adjust firewall rules accordingly.



  • Golden rule: never ever mix trusted and non-trusted devices on the same network segment.
    That's why 'real' routers and firewalls have multiple NICs, so you can define multiple 'LAN'-type networks.
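As an added illustration of the separate-interface design the two replies above describe (not something posted in this thread), here is what the rule set for such an IoT interface looks like in pf syntax, which is what pfSense generates from the Firewall > Rules entries on that interface. The interface names, the 192.168.210.0/24 IoT subnet and the firewall's address on it are assumptions.

```pf
# Added example, not from the thread. Interface names and the IoT subnet
# are hypothetical; the LAN subnet is the one from the question.
lan_net = "192.168.200.0/24"   # existing trusted LAN
iot_if  = "em2"                # assumed new pfSense interface for IoT devices
iot_net = "192.168.210.0/24"   # assumed IoT subnet, separate from the LAN
iot_gw  = "192.168.210.1"      # assumed pfSense address on the IoT interface

# pf (and the pfSense GUI) evaluates interface rules top-down and the first
# "quick" match wins, so the block rules must sit ABOVE the pass-to-anywhere
# rule; placed below it they would never be reached.

# Let IoT hosts reach only the services pfSense itself offers them
# (DNS resolver and DHCP on the IoT interface address).
pass in quick on $iot_if proto udp from $iot_net to $iot_gw port { 53 67 } keep state

# Anything else aimed at the trusted LAN or at the firewall's own addresses
# is dropped, and logged so attempts appear in Status > System Logs > Firewall.
block in log quick on $iot_if from $iot_net to $lan_net
block in log quick on $iot_if from $iot_net to self

# Catch-all: whatever is not matched above (the internet) is allowed.
pass in quick on $iot_if from $iot_net to any keep state
```

Hosts that stay on 192.168.200.0/24 are unaffected by any of this, since, as noted above, their traffic to each other never reaches pfSense.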

