Netgate Discussion Forum

Isolate device from LAN but allow WAN access

  • P
    patrickdickey52761
    last edited by Sep 28, 2024, 2:49 PM

    Hi, everyone,

    My question is similar to https://forum.netgate.com/topic/129401/best-way-to-isolate-an-ip-from-everything-but-the-internet/23 but a bit different. I run a mesh network and have to set it as a subnetwork from my home. The router controlling it will have the IP Address of 192.168.2.6. I want to block it from accessing anything on my LAN (192.168.2.x) but still allow it WAN access (through 192.168.2.1).
    Would this be as simple as creating a firewall rule for the specific IP Address and denying access to LAN Segment and then a rule for the same IP Address and allowing Any? I don't want to mess with VLANs or anything like that, if I can avoid them.

    Thank you.

    Have a great weekend. :)
    Patrick.

    • V
      viragomann @patrickdickey52761
      last edited by Sep 28, 2024, 3:10 PM

      @patrickdickey52761
      No way, when keeping this setup. You would have to separate the wifi router from the LAN to control its traffic on pfSense.

      In your current setup, traffic from the wifi devices passes the router, which has the other leg in the LAN network. Traffic destined to any LAN device will go directly from the router to the destination device, but not pass pfSense. Hence pfSense cannot do anything to block it.

      So yeah, a VLAN between pfSense and the wifi router could be a way to separate the network. Then you can allow upstream traffic on this interface and block anything else.
      However, consider also allowing access to the DNS port if pfSense is your server.
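
The reasoning in the reply above can be checked with a small model; this is an added example, not part of either post and not pfSense's own code. It assumes a /24 mask on the LAN, a constructed VLAN subnet 192.168.20.0/24 with pfSense at 192.168.20.1, and first-match rule evaluation; ports stand in for full protocol matching.

```python
import ipaddress as ip

LAN = ip.ip_network("192.168.2.0/24")    # from the thread; /24 mask assumed
VLAN = ip.ip_network("192.168.20.0/24")  # constructed subnet for the new VLAN
ANY = ip.ip_network("0.0.0.0/0")

def seen_by_pfsense(dst, src_net, gateway):
    """A host sends on-subnet traffic straight to the peer at layer 2; only
    off-subnet traffic (or traffic to the gateway itself) reaches pfSense."""
    dst = ip.ip_address(dst)
    return dst == ip.ip_address(gateway) or dst not in src_net

def evaluate(dst, port, src_net, gateway, rules):
    """Fate of one packet sent by the mesh router. Rules are tuples of
    (action, destination network, ports or None); first match wins."""
    if not seen_by_pfsense(dst, src_net, gateway):
        return "bypasses pfSense"
    for action, net, ports in rules:
        if ip.ip_address(dst) in net and (ports is None or port in ports):
            return action
    return "block"  # nothing matched: default deny

# Rules proposed in the question, on the LAN interface (router at 192.168.2.6).
LAN_RULES = [("block", LAN, None), ("pass", ANY, None)]

# Rules on the hypothetical VLAN interface (pfSense at 192.168.20.1).
FW = ip.ip_network("192.168.20.1/32")
VLAN_RULES = [
    ("pass", FW, {53}),    # DNS to pfSense
    ("block", FW, None),   # everything else on the firewall itself
    ("block", LAN, None),  # isolate the mesh router from the LAN
    ("pass", ANY, None),   # upstream traffic
]

if __name__ == "__main__":
    # Constructed test packets: a LAN host, pfSense DNS, an internet host.
    print("current:", evaluate("192.168.2.50", 445, LAN, "192.168.2.1", LAN_RULES))
    for dst, port in [("192.168.2.50", 445), ("192.168.20.1", 53),
                      ("203.0.113.10", 443)]:
        print("vlan:", dst, port,
              evaluate(dst, port, VLAN, "192.168.20.1", VLAN_RULES))
```

In the current setup the block rule is never consulted for LAN destinations, because those packets never reach pfSense; on the separate subnet every packet is evaluated.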
