    FW Rule to pass OPT3 to only WAN interface

    Firewalling

      Cybernaut 0

      Hi folks.
      I've got an SG-4860, and as the subject says, I'm having trouble creating a FW rule to pass traffic on my AP, on opt3, to only the WAN interface. Once I've got that, I'll fine tune to allow other clients to my server on opt1.
      I've watched several Udemy vids and searched unsuccessfully.
      The rule I've got is pass, interface OPT3, IPv4, any protocol, source opt3 net, and for destination, only "any" passes traffic to the internet. I've tried changing the destination to WAN net and PPPoE, but traffic hits the implicit deny.
      The WAN port is PPPoE, if that matters.
      I'd appreciate any advice, thanks.

        SteveITS @Cybernaut 0

        @cybernaut-0 WAN net is the subnet of the WAN interface, only. Any is any other. Try something like:

        Allow opt net to pfSense opt port 53
        Block opt net to LAN net
        Block opt net to This Firewall (if shouldn’t access pfSense)
        Allow opt net to any

        Steve

        Only install packages for your version, or risk breaking it. If yours is older, select it in System/Update/Update Settings.
        When upgrading, let it finish; do not reboot early. Allow 10-15 minutes, or more depending on packages and device speed.

          Cybernaut 0

          @steveits said in FW Rule to pass OPT3 to only WAN interface:

          Allow opt net to pfSense opt port 53

          Hi Steve. Thanks for the quick reply.
          I don't follow allowing to pfSense opt port 53. pfSense isn't available as a destination.
          I do have a rule allowing to my Pi-hole on opt2, and when I don't have access to WAN, I am able to ping that.

            SteveITS @Cybernaut 0

            @cybernaut-0 For DNS, is all. Adjust as necessary. :)

            Steve


              Cybernaut 0

              OK, that seems to work. Thanks, Steve.

              However, shouldn't my original rule to pass from OPT3 net to WAN net have worked as well? Am I not understanding something here?

              Thanks,
              Mike

                SteveITS @Cybernaut 0

                @cybernaut-0 "WAN Net" is the size of your WAN subnet, usually 254 IPs or less (a /24). Sometimes just a few or even just the one ISP gateway IP.

                Steve


                  Cybernaut 0

                  So, you're saying the entire WAN subnet, correct? In the case of PPPoE, it doesn't show it for me, /31 maybe?
                  Still, it should work assuming no rule on WAN interface is blocking it?

                  Sorry if I'm being obtuse. Just trying to understand it.

                    SteveITS @Cybernaut 0

                    @cybernaut-0 Allowing to WAN Net does not allow to anything that is not in WAN Net. Which is basically the entire internet.

                    Steve

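The point Steve makes in his replies (WAN net is only the WAN link's own subnet, so a rule to "WAN net" never matches an internet host, and his four-rule set works because the final "Allow opt net to any" catches everything the earlier blocks do not) can be checked with a small first-match simulation. This is an added example, not code from the thread or from pfSense; the addresses, the OPT3/LAN subnets and the /32s standing in for a PPPoE WAN are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumption, not from the thread). The PPPoE WAN is a
# point-to-point link, so "WAN net" collapses to the assigned address and the ISP
# gateway, which is exactly why it cannot stand in for "the internet".
ALIASES = {
    "any": ["0.0.0.0/0"],
    "OPT3 net": ["10.3.0.0/24"],
    "LAN net": ["192.168.1.0/24"],
    "WAN net": ["203.0.113.10/32", "203.0.113.1/32"],
    "OPT3 address": ["10.3.0.1/32"],                     # pfSense's own IP on OPT3
    "This Firewall": ["10.3.0.1/32", "192.168.1.1/32", "203.0.113.10/32"],
}
ALIASES = {k: [ipaddress.ip_network(n) for n in v] for k, v in ALIASES.items()}


def matches(addr, alias):
    """True if addr falls inside any network the alias expands to."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALIASES[alias])


def evaluate(rules, src, dst, dport):
    """First-match evaluation of interface rules, as pfSense does for 'quick'
    rules; anything that matches no rule hits the implicit deny."""
    for action, src_alias, dst_alias, port in rules:
        if matches(src, src_alias) and matches(dst, dst_alias) and port in (None, dport):
            return action
    return "block (implicit deny)"


# The original poster's rule: pass OPT3 net -> WAN net.
OP_RULE = [("pass", "OPT3 net", "WAN net", None)]

# Steve's suggested rule set, top to bottom.
STEVE_RULES = [
    ("pass", "OPT3 net", "OPT3 address", 53),    # DNS to pfSense on the OPT3 IP
    ("block", "OPT3 net", "LAN net", None),
    ("block", "OPT3 net", "This Firewall", None),
    ("pass", "OPT3 net", "any", None),
]

if __name__ == "__main__":
    for dst, port in [("198.51.100.7", 443), ("10.3.0.1", 53), ("10.3.0.1", 443),
                      ("192.168.1.20", 445), ("203.0.113.1", 443)]:
        print(f"{dst}:{port:<4} OP rule -> {evaluate(OP_RULE, '10.3.0.50', dst, port):<22}"
              f" Steve's rules -> {evaluate(STEVE_RULES, '10.3.0.50', dst, port)}")
```

Running it shows the internet host 198.51.100.7 falling to the implicit deny under the "WAN net" rule while the ISP gateway 203.0.113.1 passes, which is the behaviour described in the thread.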
