Netgate Discussion Forum

    Blocking traffic from/to other networks/interfaces

Category: Firewalling

droidus:

I have two main ports on my pfSense router. One is for my primary, personal network. The other is for gaming. They have different IPs. For the gaming network, I just created a rule to block any traffic that goes outside of that defined network (reject; used invert match). Is this the proper way to do this, or is there a better way to do this?

hieroglyph:

Depends on what you are trying to do.

If you are trying to block devices on the gaming network from reaching anything outside of the gaming network, you want to make a rule that rejects all non-gaming-network traffic. This would include traffic to the primary, personal network as well as traffic to the internet. The rule on the gaming network interface would look like this: "source: any, destination: not gaming network".

If the goal is to prevent all devices on the gaming network from reaching the primary, personal network while devices on the gaming network still have internet access, then you want to change the rule on the gaming network interface to "source: any, destination: primary, personal network".

johnpoz (LAYER 8, Global Moderator), replying to droidus:

@droidus said in Blocking traffic from/to other networks/interfaces:

> or is there a better way to do this?

I have come to the conclusion that it is always best to be very explicit with your rules vs. using ! or inverse rules.

If your goal is to block your game network from going to the LAN network, then I would put in an explicit rule that says that. Or use a rule that lists all the RFC 1918 networks, etc.

There can be some odd stuff that happens when there are VIPs and you use bang rules. Also, it's easier to read the rules if you're very explicit with them vs. doing inverse stuff.

Here is an example of a network that is locked down from going to any of the other local networks.

[Image: explicit.jpg (screenshot of the rule set described below)]

This network is allowed to ping pfSense, and allowed to ask it for DNS and NTP, but not allowed to talk to pfSense on any other port on any other interface (think GUI or SSH, for example). The "This Firewall" alias is good because it includes your WAN IP, which normally would be public and not included in the RFC 1918 list, and it could change, etc., so the alias makes sure it cannot go to the WAN IP for access to, say, the web GUI, even if it changes.

And then it is specifically blocked from talking to any other RFC 1918 network (10/8, 192.168/16 or 172.16/12).

The last rule allows internet.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

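An added example (not code from the thread or from pfSense itself) that models johnpoz's explicit rule set as a first-match evaluator, so you can check how each kind of packet from the gaming network is classified. The interface, LAN and WAN addresses are constructed assumptions, and the "This Firewall" alias is modelled as a plain set of the firewall's own addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the scenario (assumptions, not from the post):
# gaming interface 192.168.20.1, LAN interface 192.168.1.1, WAN IP 203.0.113.7.
# The "This Firewall" alias holds every address pfSense owns, WAN IP included,
# which is why it catches GUI/SSH attempts via the public address too.
THIS_FIREWALL = {ipaddress.ip_address(a)
                 for a in ("192.168.20.1", "192.168.1.1", "203.0.113.7")}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str]         # "icmp", "udp", "tcp", or None for any
    dst: object                  # set of addresses, list of networks, or None for any
    ports: Optional[set]         # destination ports, or None for any


def _dst_match(rule, addr):
    if rule.dst is None:
        return True
    if isinstance(rule.dst, set):
        return addr in rule.dst
    return any(addr in net for net in rule.dst)


def match(rule, proto, dst, port):
    return (rule.proto in (None, proto) and _dst_match(rule, dst)
            and (rule.ports is None or port in rule.ports))


# The explicit rule set on the gaming interface, top to bottom, first match wins.
GAME_RULES = [
    Rule("pass", "icmp", THIS_FIREWALL, None),       # ping pfSense
    Rule("pass", "udp", THIS_FIREWALL, {53, 123}),   # DNS and NTP to pfSense
    Rule("pass", "tcp", THIS_FIREWALL, {53}),        # DNS over TCP to pfSense
    Rule("block", None, THIS_FIREWALL, None),        # no GUI/SSH on any firewall address
    Rule("block", None, RFC1918, None),              # no other local network
    Rule("pass", None, None, None),                  # everything left is the internet
]


def evaluate(rules, proto, dst, port=None):
    """Return the action of the first matching rule; no match means pfSense's default deny."""
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if match(rule, proto, dst, port):
            return rule.action
    return "block"
```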