Disney Circle on its own subnet - New to pfSense and Vlans in general

  • I'm new to pfSense and Vlans. I'd been running ClearOS for a decade and made the switch to pfSense last night. The issue for me was wanting to isolate Disney's Circle (an ARP spoofer to log kids' network time) on its own subnet.

    I set up a kids vlan and subnet with dhcp. It hands out addresses well and seems to work. It works a bit too well, as I can still ping the other subnets despite following a how-to on isolating subnets on pfSense.

    My question is: How do I keep all traffic from the kids' subnet from getting to the other subnets while letting it see the internet? This seems like a common desire. As I said, I followed a how-to on isolating subnets, but I can still ping the network, so I must be doing something wrong.

    Any help is appreciated.

  • The rules on each interface are outgoing, so you have to add block rules accordingly on the VLAN interface.

    If you're still having issues after you've added what you feel is correct, post your firewall rules.

  • I think I got it working. I'm showing you my FW rules to see if I'm missing something:

    The first gets to the internet
    The second allows access to the subnet
    The third prevents access outside the subnet


  • Glad it's working, however, you can omit the bottom two rules as one's unnecessary and the other is redundant.

    If we assume your "Private_IPv4" alias has the RFC 1918 private addresses in it, then all you need is the top line due to the implicit deny on the interface. The 2nd line is doing absolutely nothing since traffic destined within the same subnet does not traverse the firewall. The 3rd line is redundant and unnecessary because 1) the top line is only allowing internet traffic anyway and 2) traffic destined for the OPT2 net does not hit the firewall.

    Also, I personally would make the top rule IPv4 only and then create a separate ruleset for IPv6 traffic.

  • @nycone said in Disney Circle on its own subnet - New to pfSense and Vlans in general:


    The second rule needs changing from OPT2 net -> OPT2 net to OPT2 net -> OPT2 address or OPT2 net -> This Firewall

  • Thanks for the feedback. I'm reading the "book" on pfSense as I go. I'm starting to get the way it works.
