Allow Any Any question regarding guest network
-
I want anyone using the guest network to be able to access the internet. I thought that that would be the same as WAN but allowing access to WAN didn’t work.
Do I also need to create a rule to allow access to NTP provided by pfsense?
-
@wgstarks "WAN network" is the network of the pfSense WAN interface. The /29 or /24 or whatever it is.
Since you don't know what IPs they will access out in the world, it's normal to allow access to "any." So:
- allow what you want to allow (e.g. guest to VLAN1003_GUEST Address for DNS, NTP)
- block what you want to block (e.g. guest to This Firewall, guest to LAN)
- allow to any
The rules are processed in order top down.
-
@SteveITS
Block rules on top right and then the pass rules?
-
@wgstarks I don't know, it depends.
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4200/opt-lan.html#apply-changes
-
@SteveITS
Thanks for all your help. I think I've finally gotten it, or at least I'm getting close. Here are the current rules-
I used the LOCAL_SUBNETS alias because I already had it set up. I think it's the same as RFC 1918-
If you see any problems or anything I've missed please let me know.
-
Suggestion: like your first rule: local (VLAN1003_GUEST) devices are allowed to use the local (pfSense) DNS.
You could also add NTP (port 123 UDP) so devices can use pfSense to sync their time, if they want to.
-
@Gertjan
Done, thanks.
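The rule order discussed in this thread (pass DNS and NTP to the guest interface address, block This Firewall and the local subnets, then pass to any) can be checked with a small first-match model. This is an added example, not part of any post in the thread and not pfSense code; all addresses are constructed, and LOCAL_SUBNETS is assumed to hold the RFC 1918 ranges.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions, not taken from the thread).
GUEST_ADDR = [ip_network("192.168.103.1/32")]   # "VLAN1003_GUEST address"
WAN_NET = [ip_network("203.0.113.0/29")]        # "WAN net": only the WAN subnet itself
THIS_FIREWALL = [ip_network(a) for a in         # every address the firewall owns
                 ("192.168.103.1/32", "192.168.1.1/32", "203.0.113.2/32")]
LOCAL_SUBNETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]

# Rule = (action, protocol or None for any, destination networks, port or None for any)
GUEST_RULES = [
    ("pass", "udp", GUEST_ADDR, 53),       # DNS served by the firewall
    ("pass", "tcp", GUEST_ADDR, 53),
    ("pass", "udp", GUEST_ADDR, 123),      # NTP served by the firewall
    ("block", None, THIS_FIREWALL, None),  # GUI, SSH, and the WAN address too
    ("block", None, LOCAL_SUBNETS, None),  # LAN and other internal VLANs
    ("pass", None, ANY, None),             # everything left is the internet
]
# Same rules, but the last one passes to "WAN net" instead of "any".
WAN_NET_ONLY = GUEST_RULES[:-1] + [("pass", None, WAN_NET, None)]
# Same rules, but "pass any" moved to the top.
PASS_ANY_FIRST = [GUEST_RULES[-1]] + GUEST_RULES[:-1]


def evaluate(rules, proto, dst, port):
    """Return the action of the first matching rule; no match means default deny."""
    addr = ip_address(dst)
    for action, r_proto, nets, r_port in rules:
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        if any(addr in net for net in nets):
            return action
    return "block"


if __name__ == "__main__":
    for name, rules in (("guest rules", GUEST_RULES), ("WAN net only", WAN_NET_ONLY),
                        ("pass any first", PASS_ANY_FIRST)):
        print(name, "-> internet:", evaluate(rules, "tcp", "198.51.100.7", 443),
              "| LAN host:", evaluate(rules, "tcp", "192.168.1.10", 445))
```

The WAN address (203.0.113.2 here) is public, so only the This Firewall rule keeps guests off it; the LOCAL_SUBNETS block alone would not.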