Netgate Discussion Forum

    Secure firewall rules for guest access

    Tom7320

      Hello!

      I am quite new to pfSense so this might be a typical stupid newbie question, but I'm not sure if what I'm doing is correct and secure. I would be very happy if you could tell me your opinion about my firewall question… :)
      I have a private network at home that looks like this:

      
                                Internet
                                   |
                               WAN | dyn. IP
                            +------+-------+
                            | Router       |
                            | (FRITZ!Box)  |
                            | NAT,DHCP,DNS |
                            +------+-------+
                               LAN | 192.168.0.1
                                   |
       +-------------+-------------+------------+------------+
       |             |             |            |            |
      PC1         Wifi AP          |           PC2          PC3
             (private network)     |
                               WAN | 192.168.0.5
                            +------+-------+
                            | pfSense      |       Wifi
                            | (pfsense)    |...  "guest"
                            | NAT,DHCP,DNS |    192.168.2.x
                            +--------------+
                             |            |
                             |            |
                             |            |
                            LAN          LAN
                        192.168.3.x  192.168.1.x
                        "neighbour"
      
      

      The 192.168.0.0/24 network is my private network. I would like to use pfSense to grant only internet access to the "neighbour" (192.168.3.0/24) and "guest" (192.168.2.0/24) networks. They must not have access to my private network. The Wifi network uses the Captive portal. My firewall rules look like this:

      The first rule seems to be necessary to answer DNS requests from my primary router 192.168.0.1.
      The second rule allows access to the Captive portal.
      The third rule allows only internet access without access to any private networks.
      CP is an alias for 192.168.2.1 (the Captive portal), PRIVATE means 192.168.0.0/16

      My questions are:

      • Do both networks really only reach the internet and nothing else?

      • Is it secure this way?

      • Is it possible/necessary to restrict the firewall rules even more?

      • It took me quite a while to figure that out, and it looks complicated to me. Is it possible to simplify the set of rules?

      I'm looking forward to your comments!

      THX a lot!

      Tom

      Cry Havok

        Generally you put the protected networks inside the untrusted networks; the way you've laid your network out is the wrong way around for this. You really should re-arrange your network to hang the private network off the pfSense firewall, possibly swapping it with the "neighbour" network.

        Your rules will allow anybody on the Wifi net access to port 53/UDP on any host (including the private network) - be aware that DNS uses TCP quite regularly and you must create a rule for that, or use your pfSense host as the DNS server for the Wifi net. They also allow TCP access to CP on port 8000 and any service on any network that isn't included in the PRIVATE alias (the PRIVATE alias includes the pfSense host).

        Obviously we can't say anything about the neighbour network since you didn't provide any rules relating to it.

        Tom7320
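The leak Cry Havok describes can be checked by evaluating sample packets against the rule set. The following is an added example, not code from the thread or from pfSense: the guest-interface rules are reconstructed from Tom's description (his screenshot is not on the page, so the exact rules are an assumption), and a hardened variant applies the reply's advice of serving DNS, over both UDP and TCP, from the pfSense host only.

```python
import ipaddress
from typing import Callable, NamedTuple, Optional

# Aliases as named in the thread; addresses come from the diagram.
PRIVATE = ipaddress.ip_network("192.168.0.0/16")   # includes the pfSense host itself
CP = ipaddress.ip_address("192.168.2.1")           # captive portal / pfSense guest address

class Packet(NamedTuple):
    proto: str   # "tcp" or "udp"
    dst: str
    dport: int

class Rule(NamedTuple):
    action: str                                   # "pass" or "block"
    proto: Optional[str]                          # None matches any protocol
    dst: Callable[[ipaddress.IPv4Address], bool]  # destination predicate (alias or negated alias)
    dport: Optional[int]                          # None matches any port

any_dst = lambda ip: True
to_cp = lambda ip: ip == CP
not_private = lambda ip: ip not in PRIVATE

# Reconstructed from the first post (assumption): DNS to any host, portal on 8000, anything non-PRIVATE.
ORIGINAL = [
    Rule("pass", "udp", any_dst, 53),
    Rule("pass", "tcp", to_cp, 8000),
    Rule("pass", None, not_private, None),
]

# Hardened: DNS (UDP and TCP) only to the pfSense resolver, so rule 1 can no longer reach 192.168.0.x.
HARDENED = [
    Rule("pass", "udp", to_cp, 53),
    Rule("pass", "tcp", to_cp, 53),
    Rule("pass", "tcp", to_cp, 8000),
    Rule("pass", None, not_private, None),
]

def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins (pfSense interface rules are 'quick'); no match is the implicit default deny."""
    ip = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r.proto is None or r.proto == pkt.proto) and r.dst(ip) and (r.dport is None or r.dport == pkt.dport):
            return r.action
    return "block"

def compare(pkt: Packet):
    """Return (original verdict, hardened verdict) for one guest-network packet."""
    return evaluate(ORIGINAL, pkt), evaluate(HARDENED, pkt)

if __name__ == "__main__":
    # Constructed sample packets: DNS to the private router, TCP DNS to pfSense, web to the internet, SMB to a private PC.
    for p in [Packet("udp", "192.168.0.1", 53), Packet("tcp", "192.168.2.1", 53),
              Packet("tcp", "8.8.8.8", 443), Packet("tcp", "192.168.0.10", 445)]:
        print(p, compare(p))
```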

          Hi!

          Thank you for your answer! I understand what you are saying. I must admit that this was the fastest way to grant internet access for both wifi users and my neighbour. But you totally convinced me. I will re-arrange my network first. Unfortunately I'll have to keep my primary router for VOIP, which makes everything a little bit more complicated… :-( Today I bought "pfSense - The Definitive Guide" and started reading. Hopefully it will clear things up a bit... Again thanks a lot for your comment!

          Regards,

          Tom
