Allow only Internet (WAN)

  • Hi

    I have a pfSense box up and running and would like to enable one interface (GUEST) for guest clients who can only access internet (WAN).
    I have already have LAN and DMZ configured.
    What rules are required to accomplish this? I tried to set destination to "WAN address" without any succes.



  • If you already have a DMZ then use those rules as a template.

  • 1. Create an alias with the LAN and DMZ subnets.
    2. Create a firewall rule on the GUEST interface to pass from GUEST subnet to NOT [alias].

    If your LAN and DMZ are both in private address space then you can just create your alias in step 1 to include all RFC1918 networks, which is something you should not be routing to the internet anyway.

  • clarknova, this sounds very promising, thank you for the hint.
    I will try it tomorrow and post back here.


  • The following rules on the interface GUEST worked for me:

    Block GUEST -> DMZ
    Block GUEST -> LAN
    Pass Guest -> *

Log in to reply