OPT Interface 4 in Watchguard 500

  • I have set up all of my interfaces in my 500x.  I would like to take opt 4 and which is a seperate vlan with it's on DHCP server and block all other interfaces from it with the exception of the Internet.  I looked in the forum and can't find any examples of this type of configuration.  Ultimately I would like to build a limited VPN tunnel from home to work on this isolated interface and be able to connect but have no access from any other subnet or vlan that is set up on my 500x.


  • Netgate Administrator

    I have something similar setup for my wifi interface.
    Devices connected to wifi can only access the internet and not any internal subnets.
    First I set an alias, I called it LOCAL as
    That covers all the IPs I'm using internally, you may have something different.
    Then I set a firewall rule on the wifi interface:
    Allow-tcp/udp-source: wifi subnet-destination:!LOCAL
    Then another:
    Allow-tcp/udp-source: wifi subnet-destination:Wifi Interface-port 53
    This allows local DNS forwarding.

    By default everything else is blocked.

    This doesn't stop other interfaces accessing devices on wifi though.