Unable to restrict LAN interface

  • I feel really stupid having to ask this since it is actually a pretty straightforward situation:

    I have a pfsense routing between two public subnets. NAT is disabled of course and everything works fine. Now I want to restrict any traffic directed to the LAN and WAN interfaces, so that pfSense routes everything from WAN to LAN (which are both public and equally untrustworthy) and vice versa. The only way to connect to the WebGUI shall be through VPN.

    I disabled WebGUI Anti-Logout, configured the VPN and applied only these Firewall rules:

    Proto: *, Source: , Port: , Destination: !LAN address, Port:, Gateway:

    Block RFC 1918
    Block Bogon
    Proto: *, Source: , Port: , Destination: !WAN address, Port:, Gateway:

    Proto: *, Source, Port: , Destination: , Port:, Gateway:

    That's it. On both interfaces everything that is not for the firewall itself should pass. Everything else is to be tossed by the default deny rule. This works like a charm for the WAN interface, but not for the LAN interface.

    Am I missing anything?

  • Are you using DNS forwarding? If so, LAN clients will need access to port 53 of the LAN address.
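To see why the single "Destination: !LAN address" rule behaves as the reply suggests, here is an added example (a small model of pfSense's first-match, default-deny rule evaluation, not pfSense's own code or anything from the thread); the LAN address and the other hosts are constructed sample values.

```python
# Model of per-interface rule evaluation: first matching rule wins, and
# anything that matches nothing hits the implicit default deny.
from dataclasses import dataclass

LAN_ADDRESS = "203.0.113.1"   # constructed: the firewall's own LAN address

@dataclass
class Rule:
    action: str      # "pass" or "block"
    proto: str       # "*", "tcp" or "udp"
    dst_host: str    # "*", an address, or "!<address>" for negation
    dst_port: str    # "*" or a port number

@dataclass
class Packet:
    proto: str
    dst_host: str
    dst_port: int

def _match_host(spec, host):
    if spec == "*":
        return True
    if spec.startswith("!"):
        return host != spec[1:]
    return host == spec

def _match_port(spec, port):
    return spec == "*" or int(spec) == port

def evaluate(rules, pkt):
    """Return the action of the first matching rule, else the default deny."""
    for r in rules:
        if (r.proto in ("*", pkt.proto) and _match_host(r.dst_host, pkt.dst_host)
                and _match_port(r.dst_port, pkt.dst_port)):
            return r.action
    return "block"   # pfSense's implicit default deny on every interface

# The poster's LAN rule: anything not addressed to the firewall itself passes.
LAN_RULES_ORIGINAL = [Rule("pass", "*", "!" + LAN_ADDRESS, "*")]

# The same ruleset with the DNS forwarder exception from the reply added first.
LAN_RULES_WITH_DNS = [
    Rule("pass", "udp", LAN_ADDRESS, "53"),
    Rule("pass", "tcp", LAN_ADDRESS, "53"),
    Rule("pass", "*", "!" + LAN_ADDRESS, "*"),
]

def check_dns(rules):
    """Verdict for a LAN client's DNS query to the forwarder on the LAN address."""
    return evaluate(rules, Packet("udp", LAN_ADDRESS, 53))

def check_transit(rules):
    """Verdict for routed traffic to some other public host (constructed)."""
    return evaluate(rules, Packet("tcp", "198.51.100.7", 443))

def check_webgui(rules):
    """Verdict for an attempt to reach the WebGUI on the LAN address."""
    return evaluate(rules, Packet("tcp", LAN_ADDRESS, 443))
```

The model leaves out pfSense's automatically generated rules; with the anti-lockout rule disabled as in the post, no automatic pass to the LAN address remains, so only the explicit DNS rule keeps the forwarder reachable while the WebGUI stays blocked from the LAN.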

