CP and LAN accessible once authenticated

    There's something wrong with my setup: once users are authenticated via the CP listening on the GUESTS interface, they can access resources on the LAN side.

    I have 3 NICs (LAN, GUESTS, WAN); on the GUESTS side I have the attached rules.

    No rules on LAN except default anti-lockout rule.

    On a remote machine on the LAN subnet I can see traffic from the pfSense LAN address instead of the GUESTS clients' IP addresses, so any firewall rule I apply to the GUESTS subnet is ignored and traffic is not being blocked.
    Is this expected?

    Edit: I'm on 2.0RC3

  • Do you have any NAT rules on the GUEST or LAN interface?

  • I have a single TCP port forward from WAN to a GUESTS host, but no NAT rules on LAN/GUESTS, and AON (Automatic Outbound NAT) is active.

  • Well, I have transparent proxy enabled too, to log and report CP traffic.
    If I turn it off I can no longer access LAN devices, so it's because of it.
    Is there a rule to avoid this? Or maybe I should post this question to a more appropriate section?


  • Yeah, it's not for CP.
    Though you can stop this through floating rules with direction out and source pfSense itself.
    Or on the proxy just block the LAN sites.

  • Or even use "Bypass proxy for these destination IPs" and block the whole LAN subnet via normal firewall rules.

    Thanks for the support.
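
The "block the LAN on the proxy" option suggested above, as an added example that is not part of the original posts: a squid.conf fragment, assuming the transparent proxy is Squid. The subnets and the ACL names (`guests_net`, `lan_net`) are constructed placeholders.

```conf
# Added example, not from the thread. Constructed placeholder subnets:
#   GUESTS = 192.168.20.0/24, LAN = 192.168.10.0/24
# Requests picked up by the transparent proxy are re-issued by the proxy
# from the firewall itself, so the LAN host sees the pfSense LAN address
# (as reported in the first post) rather than the GUESTS client address.

# Match on the client side (who asked) and the server side (where to).
acl guests_net src 192.168.20.0/24
acl lan_net    dst 192.168.10.0/24

# Deny proxied requests from GUESTS clients to LAN hosts.
# ACLs on one http_access line are ANDed, and http_access lines are
# evaluated first-match, so this must come before any allow line that
# would match guests_net.
http_access deny guests_net lan_net
```

Denied requests still appear in the proxy access log, which keeps the CP traffic reporting intact while closing the path to the LAN.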

