Rules for multi lans with different subnets[SOLVED]

pcbosrders

trying to set a 5 nic setup
have
wan, static ip from isp
lan static ip 192.168.0.4
opt1(subnet172) static ip 172.16.0.1
opt2 (kidssubnet) static ip 192.168.5.1
opt3 (wifi) access point ip 192.168.0.55 dhcp enabled
rules
lan
default anti lock out and allow lan to any

• LAN net * WIFI net * * none  
  ICMP   * * LAN net * * none

wifi opt3
ICMP   * * WIFI net * * none   allow ping firewall pfsense_AP

• WIFI net *      * * * none   allow clients on AP to access clietns on lan and wan
• WIFI net * LAN net * * none

opt2 kidssubnet

• KIDSSUBNET net * * * * none   allow to all other interfaces  
  opt1 subnet 172
• SUBNET172 net * WAN address * * none   allow 172 to www

so what is happening is through pfsense i can ping opt2,3 from lan and back
but when the wifi gives a ip out i cant ping the pfsense box or see the internet
from the lan cant see the internet
what i want is the lan to see the internet and opt2,3 see lan and internet
and opt 1 to see the internet but not the lan,opt2,3

pcbosrders

sorry hit enter and post before finished any help or rules to create this would be great thanks

Metu69salemi

What is your subnet masks with lan and opt3? did you try to bridge those?

pcbosrders

@Metu69salemi:

What is your subnet masks with lan and opt3? did you try to bridge those?

subnet /24 yes tried to bridge and works. would like to keep the wireless separate from (lan if i can)
once this all works want to filter each interface using squid and squidgaurd or dansgardian 
so i can can control where kids go

Metu69salemi

Can you change subnet for wireless then if you want to separate it from lan.
Based on rules there should not be any problems. Can you try with subnet change and inform if this problem still exists

pcbosrders

will change subnet on wifi and see what happens

pcbosrders

changed subnet on wifi to 192.168.6.1 amd set dhcp 192.168.6.50 - 75
net book connects and get ip can't ping any other interface and can't get web
can ping interface ip of 192.168.6.1 but thats it. so dchp is working but nothing else
same rules apply

wifi

• WIFI net * * * * none   allow clients on AP to access clietns on lan and wan 
  ICMP * * WIFI net * * none   allow ping firewall pfsense_AP

pcbosrders

ok lan to the wan is working can get internet services going to reconfigure mail server to use pfsense
but still can't get wifi to get out to internet
going to set the other interfaces up and see
thanks for the help seem to be going in the right direction

Metu69salemi

Can you do tracert from wifi clients to see where it's halting?

One place worth to look at is Firewall:NAT and edit there manual outbound nat in use. You should see there automatic rule for lan net, you can add all others there too.

pcbosrders

ok found the problem had the gateway for the wifi set wrong fixed and working
got 4 interfaces working out of 5 got some quirks to iron out but i think i got this figured out (as usual making it more complicated than needed)
got another problem trying to get my other opt(subnet172) to go to wan and not any other interface
rule for subnet172

• SUBNET172 net * WAN address * * none   allow 172 to www

should i change wan address wan subnet or?
trying to prevent subnet172 access to other interfaces except wan
once again thanks getting closer to my goal  ;D ;D

Metu69salemi

Easier way: create alias localnets. add every single localnet on that

then create two rules:

1. block any wifi localnets
2. pass any wifi *

that should do it

pcbosrders

@Metu69salemi:

Easier way: create alias localnets. add every single localnet on that

then create two rules:

1. block any wifi localnets
2. pass any wifi *

that should do it

i have 5 interfaces
wan
lan
opt1subnet172
opt2kidsSubnet
opt3wifi

dont understand what you mean
i want to block another opt(subnet172) not wifi to all interfaces but wan
so if i read what you are showing create a alias and add all subnets include subnet172 and change wifi to subnet172 and this should work

pcbosrders

think i got this do i put the rules under opt(subnet172) or under wan
i think this should go under subnet172
just making sure thanks!!!

Metu69salemi

Yes but it only to that interface subnet172

In pfsense rules are working on ingress. That means, if you add rule to LAN, it doesn't affect to subnet172

pcbosrders

everything seems to work just got some fine tuning
and setting some filtering for parent control
thanks for the help!!!!

Metu69salemi

no problems