Netgate Discussion Forum

    Isolating wireless devices with firewall rules while using a private DNS server

    Firewalling
    6 Posts 4 Posters 302 Views
    • sierrastar

      I am trying to figure out a way to block traffic between devices on my wireless network from each other and my network hardware and PCs on my wired network. I tried the recommended firewall rules in the pfSense documentation, using the RFC1918 rule, but I am currently using a pihole as my upstream DNS server and that has a private IP address assigned, which prevents my wireless devices from accessing anything through DNS.

      I thought that if I put another rule above the RFC1918 rule it would override the latter and let traffic through from the one private IP assigned to the pihole, but it seems that no matter where I stick the RFC1918 rule it takes precedence and locks it all down.

      Is there a way to set the firewall to block all traffic from private addresses except for a specified address? Or am I possibly going about this completely wrong? I just want to be able to quarantine devices but allow them to access the internet, and still be able to filter their traffic through the pihole.

      Please help.

      • Euman @sierrastar

        @sierrastar writes: "set the firewall to block all traffic from private addresses except for a specified address"

        This sounds like you need to invest in a managed switch so you can have VLANs with tags and use the built-in Unbound DNS.
        Use firewall aliases that could essentially eliminate the need for an upstream Pi-hole.
        I use separate aliases for DNS & NTP (each having NAT to localhost, for the pesky IoT devices / TVs that want to use specific DNS),
        so allow in/out only to/from chosen secure DNS & NTP servers of my choice.

        Hopefully helpful

        • Gertjan @sierrastar

          @sierrastar

          On the AP side: most APs have that option built in; it's called "AP Isolation".
          On the client side: that's what 'public' network mode is all about on a Microsoft OS.

          Btw: the enforcement is done with firewall rules that use the MAC address, not the IP.

          You cannot block traffic between devices - on the same LAN - with pfSense.

          No "help me" PMs please. Use the forum, the community will thank you.
          Edit: and where are the logs??

          • sierrastar @Euman

            @Euman

            It's funny because I got a managed switch specifically to set up VLANs for this purpose, but somewhere along the way I got it in my head that it wasn't the best option for this.
            I can only assume you mean that I should separate the relevant parts of the network into their own VLAN and manage their firewalls separately which seems like a good thread to follow.
            Thank you for pointing me in the right direction!

            • Euman @sierrastar

              @sierrastar you're welcome

              [steps I followed]

              one line out of LAN to the managed switch that is connected to your devices

              on the switch set up devices with tagged IDs (carefully read about the switch: its security, mirroring, tap, QoS, etc.)
              on the pfSense LAN set up VLANs for the devices you connected, using the tags you created at the switch.
              each device is now separate and can be firewalled individually.

              at the General Setup page -> DNS Servers: address=1.1.1.1 hostname=cloudflare-dns.com or use your own
              create an alias named "dns_allowed" and add the DNS you want to use, e.g. 1.1.1.1
              create a redirected port forward NAT -> https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

              set up Unbound
              (in Unbound, I use TLS personally (port 883); forwarding, certificate generation and others are required)
              https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-config.html

              create firewall rules per VLAN (note VLANs can contain just one or multiple devices)
              make sure to add the port forward NAT rule above your DNS rules.

              seems like a lot but it's not really, best of luck!

              • Bob.Dig LAYER 8 @sierrastar

                @sierrastar said in Isolating wireless devices with firewall rules while using a private DNS server:

                Is there a way to set the firewall to block all traffic from private addresses except for a specified address? Or am I possibly going about this completely wrong? I just want to be able to quarantine devices but allow them to access the internet, and still be able to filter their traffic through the pihole.

                With pfSense you don't block from *-addresses but to *-addresses for the most part, so I guess you have a problem with your rules to begin with.

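The three points made in this thread (sierrastar's question about whether a pass rule placed above the RFC1918 block wins, Euman's per-VLAN rules behind a DNS port forward, and Bob.Dig's remark that the block is written on the destination rather than the source) modelled as an added example. This is not pfSense or pf code and not anything a poster in the thread supplied: it is a small Python model of the behaviour pfSense documents, namely that an interface's rule tab is walked top to bottom and the first match wins, that nothing matching is blocked, and that a port forward rewrites the destination before the filter rules see the packet. Every address (the Pi-hole at 192.168.1.5, the wireless VLAN gateway 192.168.30.1, the client and internet hosts) and every rule name is constructed for the illustration.

```python
"""First-match rule model for the isolation problem in this thread.

Constructed example, not pfSense code. It mimics three pfSense behaviours:
  * rules on an interface are evaluated top to bottom, first match wins;
  * a packet matched by no rule is blocked;
  * a port forward (NAT) rewrites the destination before filtering, so the
    filter rules must pass the rewritten destination, not the original one.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses; substitute your own.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PIHOLE = [ip_network("192.168.1.5/32")]          # the Pi-hole's private address
WLAN_GATEWAY = "192.168.30.1"                     # pfSense's address on the wireless VLAN
DNS_ALLOWED = [ip_network(WLAN_GATEWAY + "/32")]  # alias "dns_allowed": the resolver on pfSense


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    name: str
    dst: Optional[List] = None        # networks the destination must fall in; None = any
    dport: Optional[int] = None       # destination port; None = any
    proto: Optional[str] = None       # "udp"/"tcp"; None = any

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dst is not None and not any(ip_address(pkt.dst) in n for n in self.dst):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the rule tab top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "default deny"    # nothing matched: pfSense drops it


def dns_redirect(pkt: Packet, firewall_ip: str = WLAN_GATEWAY) -> Packet:
    """Port forward in the style of the dns-redirect recipe: DNS not already
    aimed at the firewall is rewritten to the firewall's own resolver. NAT runs
    before filtering, so evaluate() is handed the rewritten packet."""
    if pkt.dport == 53 and pkt.proto in ("udp", "tcp") and pkt.dst != firewall_ip:
        return replace(pkt, dst=firewall_ip)
    return pkt


def filter_with_redirect(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    return evaluate(rules, dns_redirect(pkt))


# sierrastar's scenario: the block is on the *destination* (Bob.Dig's point).
BROKEN_ORDER = [
    Rule("block", "block to RFC1918", dst=RFC1918),
    Rule("pass", "pass DNS to Pi-hole", dst=PIHOLE, dport=53),   # shadowed, never reached
    Rule("pass", "pass to internet"),
]
WORKING_ORDER = [
    Rule("pass", "pass DNS to Pi-hole", dst=PIHOLE, dport=53),   # more specific rule first
    Rule("block", "block to RFC1918", dst=RFC1918),
    Rule("pass", "pass to internet"),
]

# Euman's scenario: one rule tab per VLAN, DNS pinned to the dns_allowed alias.
VLAN_RULES = [
    Rule("pass", "pass DNS to dns_allowed", dst=DNS_ALLOWED, dport=53),
    Rule("block", "block to RFC1918", dst=RFC1918),
    Rule("pass", "pass to internet"),
]

if __name__ == "__main__":
    dns_to_pihole = Packet("192.168.30.20", "192.168.1.5", 53)
    ssh_to_pc = Packet("192.168.30.20", "192.168.1.10", 22, "tcp")
    https_out = Packet("192.168.30.20", "203.0.113.10", 443, "tcp")
    for label, rules in (("broken order", BROKEN_ORDER), ("working order", WORKING_ORDER)):
        print(label, [evaluate(rules, p) for p in (dns_to_pihole, ssh_to_pc, https_out)])
    hardcoded = Packet("192.168.30.21", "8.8.8.8", 53)     # IoT device with a fixed resolver
    print("no redirect ", evaluate(VLAN_RULES, hardcoded))
    print("with redirect", filter_with_redirect(VLAN_RULES, hardcoded))
```

Running it shows the Pi-hole rule is never reached when it sits below the RFC1918 block, that the same rule above the block passes DNS while SSH to a wired PC is still blocked, and that a client with a hard-coded 8.8.8.8 resolver falls through to "pass to internet" unless the redirect first rewrites the destination to the firewall, after which the dns_allowed rule catches it. That is the reason for Euman's note to put the port forward above the DNS rules. On a real box the same check is done by looking at the firewall log or the state table for the client's address, which is what Gertjan is asking for when he asks for logs.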
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.