What type of Rules should I be considering? Basic Setup

  • Hi…

    I have a basic SOHO setup and was wondering if anyone can give me some advice about firewall rules?

    • I have blocked traffic from Guest Wireless to LAN.

    • Including the above - what other rules do I need on Guest Wireless?

    • How do I block admin webgui access on Guest Wireless segment?

    • How do I block admin webgui AP access on Guest Wireless segment?

    • What other rules should I be considering with this setup?

    Best Regards;

  • I'd set up with four interfaces (none of them wireless) and I had admin access only from LAN and WAN, because I set aliases for those and denied access from OPT1/2 to those aliases. Hopefully I wasn't too cryptic.

  • Metu…

    I will try and follow you...

    • So, if I am following you, set up 4 ports for WAN/LAN

    • two of which will be alias names for re0 & re1 running on re2 & re3

    • Admin will only have access to re0 (WAN) & re1 (LAN).

    How will I set up the rule then?
    I like this and it seems to add another level of security - can you assist?
    I will attempt this on my test box and walk through your process to see if I can stumble through this.
    Do you think I should just not implement the Guest Wireless, as a security issue?
    I am currently using a complex pass-phrase with a high port number on the admin GUI.

    Thank you…


  • I might be able to guide you through but I don't currently have a box. I'll make a virtual one tonight to check proper configs.

  • @Metu69salemi:

    I might be able to guide you through but I don't currently have a box. I'll make a virtual one tonight to check proper configs.

    I would be interested in following this… if you have the time... That would be great...
    I will also try and set this up on my 2nd test box once I get it repaired - having a hardware issue at the moment.

    Thank you and Best Regards;


  • I have used a setup similar to yours at many customers' sites and in my own home.  When it comes down to the rule sets, it's actually quite easy.  Using aliases makes the rules easier.

    Sorry if the way it shows up for me is a bit confusing.  I have been modifying the widescreen theme.

    WRLS is the guest wireless that I have at home.  The little woman's DSi uses that but has a passthrough for her MAC.  The WRLS ghosted rule is just something set up if needed when people have problems when they come over and cannot access something because I forgot to add a rule.  As a side note, I am using an access point with DD-WRT on it instead of running it directly on my pfSense box.  I have the webgui access blocked on the wireless portion of the access point.

    Have any questions, just ask!  :D
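The alias-based approach described in the two posts above (aliases for the admin addresses and the LAN, block from the guest interface to those aliases, pass only what guests need), written up here as an added Python rule-order checker; this is not code from the thread or from pfSense itself. Every interface address, alias name, port and rule is a constructed assumption, and the default deny at the end of the rule list mirrors pfSense's behaviour when no rule on an interface matches. It goes one step beyond the thread by also showing what happens when the "pass to any" rule is placed above the block rules.

```python
"""Added example: first-match firewall rule evaluation with aliases.

Models a guest-wireless interface ruleset in the style the thread discusses
(block guest -> admin hosts, block guest -> LAN, pass only needed services)
and checks it against the intended policy. All addresses, aliases and ports
below are constructed for the example and are not from the original thread.
"""
import ipaddress

# Host/network aliases (constructed). ADMIN_HOSTS covers the firewall's LAN
# and guest addresses plus the access point's management address.
ALIASES = {
    "LAN_NET":     ["192.168.1.0/24"],
    "GUEST_NET":   ["192.168.50.0/24"],
    "GUEST_GW":    ["192.168.50.1"],
    "ADMIN_HOSTS": ["192.168.1.1", "192.168.50.1", "192.168.1.2"],
}

# Port aliases (constructed). ADMIN_PORTS: https webgui, ssh, a high webgui port.
PORT_ALIASES = {
    "ADMIN_PORTS": {443, 22, 8443},
    "GUEST_PORTS": {53, 80, 443},
}

# Rules on the guest interface, evaluated top-down; the first match wins.
GUEST_RULES = [
    {"action": "block", "proto": "any", "src": "GUEST_NET", "dst": "ADMIN_HOSTS", "dports": "ADMIN_PORTS"},
    {"action": "block", "proto": "any", "src": "GUEST_NET", "dst": "LAN_NET",     "dports": "any"},
    {"action": "pass",  "proto": "udp", "src": "GUEST_NET", "dst": "GUEST_GW",    "dports": {53}},
    {"action": "pass",  "proto": "any", "src": "GUEST_NET", "dst": "any",         "dports": "GUEST_PORTS"},
]


def _networks(alias):
    """Expand a host/network alias into ip_network objects."""
    return [ipaddress.ip_network(n, strict=False) for n in ALIASES[alias]]


def _ip_matches(selector, ip):
    if selector == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _networks(selector))


def _port_matches(selector, port):
    if selector == "any":
        return True
    ports = PORT_ALIASES[selector] if isinstance(selector, str) else selector
    return port in ports


def evaluate(rules, src, dst, proto, dport):
    """Return 'pass' or 'block' for one flow under first-match semantics.

    No matching rule falls through to the implicit default deny that pfSense
    applies on every interface.
    """
    for rule in rules:
        if (rule["proto"] in ("any", proto)
                and _ip_matches(rule["src"], src)
                and _ip_matches(rule["dst"], dst)
                and _port_matches(rule["dports"], dport)):
            return rule["action"]
    return "block"


# Intended policy for the guest segment (constructed flows and expectations).
POLICY_CHECKS = [
    ("guest -> firewall webgui on guest address", "192.168.50.20", "192.168.50.1", "tcp", 443, "block"),
    ("guest -> firewall webgui on LAN address",   "192.168.50.20", "192.168.1.1",  "tcp", 443, "block"),
    ("guest -> access point admin page",          "192.168.50.20", "192.168.1.2",  "tcp", 443, "block"),
    ("guest -> LAN file share",                   "192.168.50.20", "192.168.1.50", "tcp", 445, "block"),
    ("guest -> DNS on firewall",                  "192.168.50.20", "192.168.50.1", "udp", 53,  "pass"),
    ("guest -> HTTPS on the internet",            "192.168.50.20", "203.0.113.10", "tcp", 443, "pass"),
    ("guest -> SSH on the internet",              "192.168.50.20", "203.0.113.10", "tcp", 22,  "block"),
]


def check_policy(rules=GUEST_RULES):
    """Return (description, expected, got) for every check the ruleset fails."""
    failures = []
    for desc, src, dst, proto, dport, expected in POLICY_CHECKS:
        got = evaluate(rules, src, dst, proto, dport)
        if got != expected:
            failures.append((desc, expected, got))
    return failures


def misordered_rules():
    """Same rules with the broad 'pass' rules moved above the block rules."""
    return list(reversed(GUEST_RULES))


if __name__ == "__main__":
    print("intended order, failures:", check_policy())
    print("pass rules first, failures:", check_policy(misordered_rules()))
```

Run it directly to see that the ruleset as ordered passes every check, while the reversed ordering lets guest clients reach the admin ports because the broad pass rule matches first. The same table-driven check is a cheap way to re-verify a ruleset after adding a "temporary" pass rule like the ghosted one mentioned above.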

  • Lost…

    Thanks for showing me your setup; I think I can follow this.
    I have not used aliases; however, I just started tonight working on the guest wireless and created an alias.
    I will critique your setup and thank you for showing me what you have done...

  • @Lost
    Thanks for helping to show aliases and config examples.

    Can you now handle it?

  • Metu & Lost…
    Yes - working on it...
    I have simple rules but am learning the other parts of VLANs etc.
    Lost has posted on another topic explaining VLANs and tagging ... 802.1Q.

    I think I can use a separate port/VLAN for the guest wireless if I want to...
    I just have to figure out how to leverage VLANs for better isolation.
