Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to authorize only a source from LAN to use internet

    Scheduled Pinned Locked Moved Firewalling
    5 Posts 3 Posters 617 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Dave07186D
      Dave07186
      last edited by

      Hello,
      I have 3 differents networks :

      • LAN
      • LAN B
      • LAN C

      I want to isolate LAN from LAN B and LAN C. I don't want LAN can reach LAN B and LAN C but I permits LAN B and LAN C to communicate to LAN.
      However, I want that LAN can communicate with internet. For example, to use mails, internet or other. I have only one machine in this network : 192.168.1.10. The gateway is 192.168.1.1.

      I created the firewall rule :
      db5828c4-040f-4983-a6f0-6a07fe37c093-image.png

      The packets are blocked, for example, I can't ping 1.1.1.1 or visit a website.
      If I set destination as any, I can ping 1.1.1.1 and reach internet. However, I can also ping other machines in LAN B or LAN C which is not I want.
      How to properly isolate this LAN from other and keep the ability to reach internet? I would like by default deny and only whitelist the traffic I want.
      Thanks in advance.

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @Dave07186
        last edited by johnpoz

        @Dave07186 well 192.168.1.10 to 192.168.1.1 wouldn't be the "internet" that would be ANY.. public IP is quite large. That would be just pfsense IP I assume..

        if you do not want lan to talk to your other lans, then create a block rule to those networks.. Or use an alias for rfc1918.. I would allow your lan to talk to say 192.168.1.1 for dns, icmp, etc.

        here is example of locked down setting where - can not talk to any other network, since they are all rfc1918, but can talk to the internet

        rules.jpg

        So rules are evaluated top down, first rule to trigger wins..

        So can ping, dns and ntp to the pfsense IP 192.168.200.1/24 on this interface.

        Then any other traffic to ANY other pfsense IP is blocked.. you may or may not want such a rule on your lan, because take it your using stuff on your lan to manage pfsense? The anti-lockout rule.

        But that next rule that blocks anything to alias I call rfc1918 which contains 192.168/16, 10/8 and 172.16/12 all the rfc1918 space, so if you had another network say 192.168.3.0/24 lan would not be able to talk to it.

        But if client on the lan wanted to talk to say 8.8.8.8 it would be allowed by the last rule, Ie any, ie the internet.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        Dave07186D 1 Reply Last reply Reply Quote 1
        • Dave07186D
          Dave07186 @johnpoz
          last edited by

          @johnpoz Thanks for your explication, this is what I needed:
          0d01a7fd-a2c4-41ae-8126-4f24daf7f3af-image.png

          LAN can reach internet, all request to internal other LAN are blocked, except 192.168.2.0/24 which is what I need because of there is several internal applications.
          Problem solved.

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @Dave07186
            last edited by johnpoz

            @Dave07186 said in How to authorize only a source from LAN to use internet:

            there is several internal applications

            You could make that rule more explicit - and only allow to the actual IPs in the 192.168.2/24 network, or even more explicit only to the specific IPs and ports these applications are using..

            The problem I see with those rules - but hey its up to you.. Is you do not even all ping to pfsense, which can be problematic in troubleshooting if you can not even ping your gateway to test for connectivity.

            And your rules do not allow for local dns, unless your running dns on the 192.168.2 network, or using external dns.. Normally you would allow asking pfsense for dns.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 1
            • A
              ASGR71
              last edited by

              I've had this problem... isolating subnets etc...
              This is a common issue with firewalls and you can find out how to do this in the documentation...
              https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/opt-lan.html
              It will give you a fully explanation than is possible in the forums.

              ;-)

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.