Netgate Discussion Forum

Isolate Guest and DMZ Networks

Firewalling
12 Posts 3 Posters 927 Views
    Bambos (last edited May 31, 2021, 9:38 AM)

    Hello everyone. I'm having a hard time figuring out the firewall rules needed for each interface.

    1. What is the recommended way of creating the Guest Network for pure internet access without limitations, but with isolation from the primary LAN and the pfSense web interface?

    2. What is the recommended way of creating a DMZ network using port forwards for some services? Again, no connection with other LANs, just internet.

    The Setup:

    192.168.1.0/24 default LAN, pfsense web gui - "secured". 192.168.1.1 default gateway.
    192.168.3.0/24 guest network - free internet - only internet - no access to LAN
    192.168.5.0/24 DMZ section - port forwarding from WAN to 192.168.5.5, only internet.

      JKnott @Bambos (last edited May 31, 2021, 10:51 AM)

      @bambos

      Here are my rules for my guest WiFi, which allow access only to the Internet and pinging the interface. You'll have to add appropriate rules for incoming traffic.

      [image: screenshot of JKnott's guest WiFi firewall rules]

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

        Bambos @JKnott (last edited May 31, 2021, 12:10 PM)

        @jknott Hello and thank you for your comment. Where is the rule that blocks access to your main LAN?

          Derelict (Netgate) @Bambos (last edited May 31, 2021, 12:20 PM)

          @bambos [image: screenshot of a guest interface ruleset that blocks access to "This Firewall"]

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            JKnott @Bambos (last edited May 31, 2021, 12:49 PM)

            @bambos said in Isolate Guest and DMZ Networks:

            @jknott Hello and thank you for your comment. Where is the rule that blocks access to your main LAN?

            The 2nd & 3rd lines cover every possible address that might appear on any of my local LANs. One blocks all private addresses and the other all addresses within my IPv6 /56 prefix. For good measure, the 4th line blocks my WAN address on both IPv4 & IPv6. This leaves only pinging the interface, as specified in the 1st line and the last line allows access to the Internet.

            Also, you'll notice I use reject rather than block. This tells the device the connection is not allowed, which is faster than waiting for a block to time out. However, I use block on the WAN rules, so that port scanning will not reveal the existence of my firewall. I'm not worried if an attacker wastes time on a block, instead of a reject.

              Bambos @Derelict (last edited May 31, 2021, 1:08 PM)

              @derelict Do the last 2 rules override the block rules above?
              How does the evaluation work?
              What happens if a rule matches? Is it executed and the packet dropped, or does evaluation keep going top to bottom?

                JKnott @Bambos (last edited May 31, 2021, 1:24 PM)

                @bambos

                Rules are processed in order until a match is found. So, after blocking local LAN addresses and the WAN address, the only thing left for the last line to allow is the Internet. So, a connection to my LAN would be stopped by line 2 or 3 and never reach the last line. Likewise an attempt to connect to my WAN address would be stopped by line 4 and never reach the last line. However a ping to my guest LAN interface is matched by the 1st line and allowed. In this instance no other line is involved.

                  Bambos @Derelict (last edited May 31, 2021, 2:35 PM)

                  @derelict Thank you so much, but from the guest network I'm able to see the web interface of the pfSense GUI.

                  To my understanding, I can't block this because I will lose connectivity and services, since it is also acting as the gateway... So, does this mean I have to change the default port? What do you think?

                    JKnott @Bambos (last edited May 31, 2021, 2:40 PM)

                    @bambos

                    That's not quite the way it works. When you have a packet going out to the Internet, the destination is whatever address out there, not the pfsense LAN address. Rules filter on source & destination addresses. Since a packet going to the Internet will not have that LAN address as destination, it won't be blocked. However, attempting to access pfsense will be.

                      Bambos @JKnott (last edited Jun 2, 2021, 1:52 PM)

                      @jknott The anti-lockout rule is source: ANY, destination: LAN Address.
                      If I change this to source: LAN net, is this going to restrict the Guest LAN from seeing the pfSense GUI on the LAN?

                        Derelict (Netgate) @Bambos (last edited Jun 2, 2021, 1:56 PM)

                        @bambos said in Isolate Guest and DMZ Networks:

                        @derelict Thank you so much, but from the guest network I'm able to see the web interface of the pfSense GUI.

                        Not if you block access to "This Firewall" as in that example you won't.

                          JKnott @Bambos (last edited Jun 2, 2021, 4:17 PM)

                          @bambos

                          Blocking access to the interface will not block traffic passing through it, as the interface IP address does not appear in any packet passing through the router. Only if you use the interface address as the destination will it be blocked by a rule to block such access.

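Added example, not code from pfSense or from any poster in the thread: a small Python model of the first-match evaluation JKnott describes (allow ping to the interface first, reject local and firewall addresses, then allow the rest), using Derelict's "This Firewall" alias as the reject target and the subnets from the original post. It also shows JKnott's last point, that a rule on the firewall's own addresses never touches traffic routed out to the Internet. The WAN address 203.0.113.10 and the Internet host 198.51.100.7 are assumed documentation-range addresses, not values from the thread.

```python
"""First-match evaluation of a pfSense-style guest interface ruleset (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

GUEST_IF_IP = ipaddress.ip_address("192.168.3.1")   # guest interface address
LAN_IF_IP = ipaddress.ip_address("192.168.1.1")     # LAN interface, serves the GUI
WAN_IP = ipaddress.ip_address("203.0.113.10")       # assumed WAN address (TEST-NET-3)

# pfSense's built-in "This Firewall" alias: every address the box itself holds.
THIS_FIREWALL = {GUEST_IF_IP, LAN_IF_IP, WAN_IP}

# Everything that can appear on any local LAN: covers 192.168.1.0/24,
# 192.168.3.0/24 and 192.168.5.0/24 from the post, plus the rest of RFC 1918.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "pass", "reject" or "block"
    match: Callable[[Packet], bool]


def dst_in(nets) -> Callable[[Packet], bool]:
    return lambda p: any(ipaddress.ip_address(p.dst) in n for n in nets)


def dst_is_this_firewall(p: Packet) -> bool:
    return ipaddress.ip_address(p.dst) in THIS_FIREWALL


# Rules on the GUEST interface, listed in the order pf evaluates them.
GUEST_RULES: List[Rule] = [
    Rule("allow ICMP to guest interface", "pass",
         lambda p: p.proto == "icmp" and p.dst == str(GUEST_IF_IP)),
    Rule("reject This Firewall", "reject", dst_is_this_firewall),
    Rule("reject RFC1918 destinations", "reject", dst_in(RFC1918)),
    Rule("allow anything else (Internet)", "pass", lambda p: True),
]

# With no matching user rule, pfSense falls back to its implicit default deny.
DEFAULT_DENY: Tuple[str, str] = ("block", "implicit default deny")


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the rules top to bottom; the first match decides and ends evaluation
    (pfSense marks interface rules 'quick', which is what makes pf first-match)."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.name
    return DEFAULT_DENY


def passes_through(pkt: Packet) -> bool:
    """True when the destination is not one of the firewall's own addresses.
    A packet headed for the Internet carries the remote host as destination,
    so a reject rule on 'This Firewall' cannot match forwarded traffic."""
    return not dst_is_this_firewall(pkt)


def isolation_report(rules: List[Rule]) -> dict:
    """Evaluate constructed guest packets (sample data, not captured traffic)."""
    guest_host = "192.168.3.50"
    cases = {
        "gui_on_lan":      Packet(guest_host, "192.168.1.1", "tcp", 443),
        "lan_host_smb":    Packet(guest_host, "192.168.1.20", "tcp", 445),
        "dmz_host":        Packet(guest_host, "192.168.5.5", "tcp", 80),
        "ping_gateway":    Packet(guest_host, "192.168.3.1", "icmp"),
        "gui_on_guest_if": Packet(guest_host, "192.168.3.1", "tcp", 443),
        "gui_via_wan_ip":  Packet(guest_host, "203.0.113.10", "tcp", 443),
        "internet_https":  Packet(guest_host, "198.51.100.7", "tcp", 443),
    }
    return {name: evaluate(rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (action, rule) in isolation_report(GUEST_RULES).items():
        print(f"{name:16s} -> {action:6s} by '{rule}'")
    # Later rules do not override earlier ones: moving the catch-all "pass"
    # to the top makes it win for every packet, LAN GUI included.
    misordered = [GUEST_RULES[-1]] + GUEST_RULES[:-1]
    print("pass-any first, GUI on LAN ->",
          evaluate(misordered, Packet("192.168.3.50", "192.168.1.1", "tcp", 443)))
```

The model deliberately has no anti-lockout rule: in pfSense that rule lives in the LAN interface's ruleset, so it is never consulted for packets entering on the guest interface, and changing its source does nothing for guest isolation. What keeps the guest network out of the GUI is the "reject This Firewall" rule on the guest interface itself.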
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.