Is this all possible with Pfsense?

  • Hi guys,

    I tested PFsense for a couple of weeks at home and really like all the functions, can't wait for the 1.0 release!
    I'd like to install a Soekris running Pfsense for a customer who has the folowing  needs

    he wants a lan and Wlan on different subnets. The Wlan is for customers, but sometimes for employees who must have acces to the lan also. Traffic shaping on the wlan side would be even better.

    I tried  a couple of hours ago a similar setup on my own soekris but apparently I forget something;I made a opt1 interface, enabled DHCP on it and added a firewall rule to allow all traffic out (same as default lan rule) but still I can't acces the net (the filter rules show blocked traffic to (default block rule), Do I have to specificly enable traffic from any to the Wlan NIC?

    What is the best way to have the above setup?

    write down all their wireless MAc's and putt them in the DHCP server of opt1 (Wlan interface) and assign them a sepparte addres and allow these clients acces to the lan?

    Another question: the Cable ISP inhere frequently changes DNS server so I have to use those assigned on the Wan interface , will dhcp clients on the opt1 interface use those DNS server automatically?


    wan: (cable modem) dhcp client
    lan:dhcp server
    Wlan:    ( is for "trusted" laptops who can acces the lan)

    Thanks in advance for your help and hints!

  • Trafficshaping on more than 2 Interface is not supported at the moment.

    Concerning your hometestsetup your firewallrule must be wrong somewhere as it doesn't match but get's blocked by the default block all. Please past it if you want to know what's wrong here.

    For the permitted wlanclients that should have access to lan you can either do it the way you described (mapping them static by DHCP and creating firewallrules) or you could use some sort of VPN that they have to use to access the lan. Then that traffic would even be encrypted. Remember that wlans always can be sniffed. It depends on how secure you need this to be.

    The changing DNS-Servers of your ISP should be no problem if you have "Allow DNS server list to be overridden by DHCP/PPP on WAN" at system>general enabled and your clients are using the dnsforwarder of the pfSense.

  • Hi Hoba,

    thank you very much for your reply, I'm starting to get frustrated because I can't fix it…I attached some screenshots from my home setup, the firewall rules these generate are:
    Oct 12 11:48:35  WlanDMZ  TCP
    Oct 12 11:48:35 WlanDMZ TCP
    Oct 12 11:48:35 WlanDMZ TCP
    Oct 12 11:48:35 WlanDMZ TCP
    Oct 12 11:48:35 WlanDMZ TCP
    Oct 12 11:48:35 WlanDMZ TCP
    Oct 12 11:48:35 WlanDMZ TCP
    Oct 12 11:48:35 WlanDMZ TCP
    Oct 12 11:48:35 WlanDMZ TCP
    Oct 12 11:48:31 WlanDMZ UDP
    Oct 12 11:48:31 WlanDMZ TCP
    Oct 12 11:48:30 WlanDMZ TCP
    Oct 12 11:48:27 WlanDMZ TCP
    Oct 12 11:48:27 WlanDMZ TCP
    Oct 12 11:48:25 WlanDMZ is my laptop is Wlan_DMZ interface is the LAN ip adress

    Thanks again for your help!

  • chance the ipadress of youre laptop is a broadcast adress
    a pc will use that ipadress if it has somthing to tell to all the clients on the network is the last ipadress you can use

  • Hi Jeroen,

    Thanks for the tip, I changed the range immediately to 254 and my new IP is
    and in the system logs I see this entry:  dhcpd: icmp_echorequest Operation not permitted

    Firewall logs:
    Oct 12 13:26:13  WlanDMZ  TCP
    Oct 12 13:26:13 WlanDMZ TCP
    Oct 12 13:26:12 WlanDMZ TCP
    Oct 12 13:26:12 WlanDMZ TCP
    Oct 12 13:26:12 WlanDMZ TCP
    Oct 12 13:26:12 WlanDMZ TCP
    Oct 12 13:26:12 WlanDMZ TCP
    Oct 12 13:26:12 WlanDMZ TCP
    Oct 12 13:26:12 WlanDMZ TCP

    If I click on the icon next to the blocked attempt:

    @78 block drop in log quick all label "Default block all just to be sure."

    My computer tries to connect to the WLanDMZ port of the soekris but is is blocked but I have a rule under WlanDMZ:

    TCP/UDP  WlanDMZ net  *  LAN address  53 (DNS)  *

    Could this be the problem; the Cable modem is bound to the first  MAC adress it finds (the Lan port of the Soekris) ? Just want to be sure but the blocked traffic to (WlanDMZ interface)…

    When I enter a static Ip (.200) and these rules (changed destination to WlanDMZ port instead of the Lan port, is the DMZ port)

    TCP/UDP  WlanDMZ net  *  Interface IP address  53 (DNS)  *

    *  WlanDMZ net  *  ! LAN net  *  *

    this traffic gets blocked:

    WlanDMZ  UDP
    Oct 12 13:42:50 WlanDMZ TCP
    Oct 12 13:42:50 WlanDMZ UDP
    Oct 12 13:42:50 WlanDMZ UDP
    Oct 12 13:42:49 WlanDMZ UDP
    Oct 12 13:42:49 WlanDMZ

    Very strange...

  • What version are we looking at here? Please paste the Versioninfo including builddate from status>system.

  • I'm running  1.0-RC3
    built on Mon Oct 2 01:43:47 UTC 2006

    I applied the 1.0-RC3a patch…

    I hope it's a bug, it's driving me nuts cause I can't figure this one out...  ???
    thanks for helping, I appreciate it!

  • Did you try to reboot? maybe the invalid broadcastadress you used mixed something up. Also upgrade b,c,d,e too. It works just fine here.

  • dhcpd: icmp_echorequest Operation not permitted

    for this you need a rule that alows icmp trafic
    Proto  Source  Port  Destination  Port  Gateway  Description
    tcp        WlanDMZ any  any                  icmp        default        ping rule

    make sure youre rules are in the corect order
    the first rule that matches wiil be caried out the rest is ignord

  • Hi guys, thanks for all the suggestions, after a reboot it started working  and I could surf the web immediately. There is one thing I do not understand, when I connect on the opt1 (wlanDMZ) interface I can still ping the lan network, but I have these rules, shouldn't the second rule block everything from the DMZ subnet entering the lan net?

    TCP/UDP  WlanDMZ net  *  Interface IP address  53 (DNS)  *  permit dns > wlan interface

    *  WlanDMZ net  *  ! LAN net  *  *  permit DMZ to any but LAN

  • the lanipadress the opt1 ipadress are excluded from rules so that you can never lock youre self out of youre pfsense server

    try pinging a pc on the lan network not the laninterface ip

  • Looks like we found a bug that under certain circumstances caused firewallrules to be not applied. This will be fixed in the next release (and is already fixed in cvs).

    Maybe it is the default antilockout rule like jeroen suspects. You can disable this at system>advanced but be careful to not log yourself out from webgui completely.

    Yes, this rule shouldn't permit traffic to LAN. However I usually use explicit blocks followed by a pass all for these kind of setups. If you add one more nic and want to block traffic to this subnet too you won't be able to define a rule like !LAN and !OPT2 for example.

  • Hi,

    not sure if it's the anti lockout rule, I have 2 network interface in my laptop, wired and wireless,when I plug in an ethernet cable my laptop wil use this connection, but 5 minutes ago whie testing I was connected with ethernet  and tried to ping a host in the LAn subnet, I guess the blocked pings over ethernet were sent again over wifi (lan subnet) so they did reach their destination, I guess the rules are OK now (screenshot)?

    thank god it was just simple user errors and a reboot to fix this, it was driving me nuts.

    Glad I can help my client with a pfSense firewall.

    to the devs;  thanks for such a wonderfull piece of software!

  • if you connect youre laptop by lan and by wireless then for 192.168.1.x ipadresses it will use the wireless connection
    and for 10.0.1.x ipadresses it will use the lan connection
    so to test if youre wireless rules work you need to disconect the lanconnection from youre laptop

  • just installed release 1.0 and made the same setup again in a couple of minutes, works perfect here! Thanks for all the help guys!

    @jeroen; are you dutch?

  • @mac  ja ik ben nederlander

  • @jeroen: ik ben van van België  :)

    I don't want to open en new topic for this; but my firewall logs are filled with probes from my ISP, it is possible to edit the default block rules in some way?

    I still want to see the blocked attempts, just want to skip al those things like

    ct 16 08:51:22 WAN IGMP
    Oct 16 08:51:22 WAN IGMP
    Oct 16 08:51:22 WAN IGMP
    Oct 16 08:51:22 WAN IGMP

    I tried adding a rule to block from any to and no logging but I can't move this rule to the top. Any suggestions to keep those entries away from my logs?

    I know I can disable logging fom the default block rules, but I still want to view the blocked attempt on other ports, just the stuff is filling my firewall logs….

  • At status>systemlogs, settings disable the default logging. Then add a block rule/block rules at WAN with a logging flag that only log the desired traffic.

Log in to reply