Firewall rule for Hotspot network

  • I have here three networks (LAN, WLAN, HOTSPOT) and three internet
    connections (WAN1, WAN2, WAN3).

    On the HOTSPOT network the captive portal runs.

    Now, I would like to have: no connection from the HOTSPOT network to
    any other local/VPN network and all internet connections over WAN3.

    So I add a firewall rule with "!destination LAN WLAN and VPN networks"
    and gateway of WAN3.

    It works, but is there a better way to handle that, as I must
    add every new local/VPN network to the rule?

  • Make an alias that contains all your local networks.

    Then, on the hotspot interface rules:
    Block from Hotspot to Local_Nets
    Pass from Hotspot to *, gateway WAN3

    You could just do:

    Pass from Hotspot to !Local_Nets, gateway WAN3

    However, I would recommend against that from a readability standpoint. Unless you have thousands of rules and are looking to simplify the ruleset, the readability/understandability of the two separate block/pass rules is much higher.
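To make the first-match behaviour behind the two variants concrete, here is an added example (not part of the thread, and not pfSense code) that models an interface ruleset as a list of rules evaluated top to bottom with an implicit default deny, the way pfSense interface rules behave. The alias contents (`192.168.1.0/24`, `192.168.2.0/24`, `10.8.0.0/24`) and the gateway name `WAN3` are constructed placeholders; `add_local_net` stands in for editing the alias in the GUI.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed alias "Local_Nets": example prefixes, not taken from the post.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("192.168.1.0/24", "192.168.2.0/24", "10.8.0.0/24")]


@dataclass
class Rule:
    action: str                    # "block" or "pass"
    dst_nets: list                 # destination alias; empty list means "*" (any)
    negate: bool = False           # models pfSense "!destination" (invert match)
    gateway: Optional[str] = None  # policy-routing gateway, e.g. "WAN3"


def rule_matches(rule: Rule, dst: ipaddress.IPv4Address) -> bool:
    in_alias = True if not rule.dst_nets else any(dst in net for net in rule.dst_nets)
    return in_alias != rule.negate  # XOR: "!destination" flips the match


def evaluate(rules: List[Rule], dst_ip: str) -> Tuple[str, Optional[str]]:
    """First-match evaluation, as for pfSense interface rules (created 'quick').
    Anything no rule matches falls to the interface's implicit default deny."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule_matches(rule, dst):
            return rule.action, rule.gateway
    return "block", None  # implicit default deny


def add_local_net(prefix: str) -> None:
    """Stand-in for adding a network to the alias: one edit covers every rule using it."""
    LOCAL_NETS.append(ipaddress.ip_network(prefix))


# The answer's two-rule form: explicit block, then pass everything else via WAN3.
TWO_RULES = [Rule("block", LOCAL_NETS), Rule("pass", [], gateway="WAN3")]
# The single negated rule: pass to !Local_Nets via WAN3, nothing else.
ONE_RULE = [Rule("pass", LOCAL_NETS, negate=True, gateway="WAN3")]


def with_later_pass(rules: List[Rule]) -> List[Rule]:
    """Same ruleset with a broad 'pass to *' appended further down the list."""
    return rules + [Rule("pass", [])]


if __name__ == "__main__":
    for dst in ("192.168.1.10", "93.184.216.34"):
        print(dst, "two rules:", evaluate(TWO_RULES, dst),
              "one rule:", evaluate(ONE_RULE, dst))
    add_local_net("10.9.0.0/24")  # new VPN network: only the alias changes
    print("10.9.0.5 after alias update:", evaluate(TWO_RULES, "10.9.0.5"))
    # With a broad pass rule below, only the explicit block still protects Local_Nets.
    print("later pass, two rules:", evaluate(with_later_pass(TWO_RULES), "192.168.1.10"))
    print("later pass, one rule:", evaluate(with_later_pass(ONE_RULE), "192.168.1.10"))
```

Both forms give the same decisions while the negated pass rule is the only rule on the interface, because traffic to `Local_Nets` then falls through to the default deny. The explicit block in the two-rule form keeps that decision even if someone later appends a broader pass rule on the same interface, which is one more reason, beyond readability, to prefer it.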

