Multiple LAN Routing



  • Currently have a 1.2.3 pfSense setup - 2 LAN interfaces and 1 WAN, simple setup.

    WAN - Static public block
    LAN - 10.0.0.254/24
    OPT - 192.168.0.254/24

    LAN clients get to the internet just fine, OPT clients get to the internet just fine, have inbound port forwarding set up and it works without issues. We want to allow the 10.0.0.0/24 subnet to get access to the 192.168.0.0/24 subnet, but not allow the 192.168.0.0/24 to get access to the 10.0.0.0/24 subnet. Is this possible? I can ping the 192.168.0.254 OPT interface from the 10.0.0.0 subnet and vice versa, but not any of the other IPs. Are there specific rules that need to be set up on each interface to allow this?



  • It is possible. You need a pass rule on the LAN interface that allows traffic to the OPT network, and ensure that there is no rule on the OPT interface that would allow traffic to the LAN network.



  • Thanks clarknova!  I have my default rule for the LAN and the OPT networks to allow internet access, so I added a new rule for the LAN interface for:

    Protocol    Source     Port    Destination    Port    Gateway    Schedule
    TCP         LAN net    *       OPT net        *       *

    I applied the rule and restarted the firewall, but still cannot ping any device on the OPT network. I can ping the OPT interface from the LAN net still but no access to the OPT network. Is there another piece of the puzzle that I am missing? Under the WAN interface configuration, I have Block BOGON networks unchecked and Block PRIVATE networks checked. I do appreciate the help!


  • Rebel Alliance Developer Netgate

    Ping is ICMP, and your rule has a protocol of only TCP. Change the rule to allow any protocol, or add another rule for ICMP, and then you can ping.
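
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not pfSense code: a simplified Python model of per-interface, first-match, stateful filtering, showing a TCP-only LAN rule dropping ping and an any-protocol rule permitting LAN-to-OPT traffic and its replies while OPT-initiated traffic stays blocked. The host addresses, the `Firewall` class and `demo` are constructed for illustration, and the default internet-access rules are left out.

```python
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("10.0.0.0/24")      # LAN subnet from the thread
OPT_NET = ip_network("192.168.0.0/24")   # OPT subnet from the thread


class Firewall:
    """Simplified model (an assumption, not pfSense internals): rules are
    checked on the interface where a packet enters, first match wins,
    no match means drop, and a passed packet creates a state entry."""

    def __init__(self, rules):
        self.rules = rules      # {interface: [(proto, src_net, dst_net), ...]}
        self.states = set()     # {(proto, initiator, responder)}

    def handle(self, iface, proto, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        # Reply to a flow that was already allowed: passes without a rule.
        if (proto, dst, src) in self.states:
            return "pass (state)"
        for r_proto, r_src, r_dst in self.rules.get(iface, []):
            if r_proto in ("any", proto) and src in r_src and dst in r_dst:
                self.states.add((proto, src, dst))
                return "pass (rule)"
        return "block"


def demo(lan_rule_proto):
    # One LAN rule (LAN net -> OPT net) and no OPT rule towards LAN net.
    fw = Firewall({"LAN": [(lan_rule_proto, LAN_NET, OPT_NET)], "OPT": []})
    return {
        # Constructed hosts: 10.0.0.10 on LAN, 192.168.0.20 and .21 on OPT.
        "lan_tcp": fw.handle("LAN", "tcp", "10.0.0.10", "192.168.0.20"),
        "lan_ping": fw.handle("LAN", "icmp", "10.0.0.10", "192.168.0.20"),
        "opt_reply": fw.handle("OPT", "icmp", "192.168.0.20", "10.0.0.10"),
        "opt_new": fw.handle("OPT", "icmp", "192.168.0.21", "10.0.0.10"),
    }


if __name__ == "__main__":
    for proto in ("tcp", "any"):
        print(proto, demo(proto))
```

With the any-protocol rule, the echo reply from the OPT host passes because of the state created by the LAN host's request, which is why no OPT-side rule towards the LAN net is needed for one-way access.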

