Single NIC + 4 VLANs + ICMP



  • Hi all,

I must be doing something wrong. Recently I changed from Endian FW to pfSense and am trying to set it up in a similar fashion, without much success.

    Setup: See Attachment.
    LAN : Private Network address
    DMZ : Private Network address
    WIRELESS : Private Network address

I would like to isolate my Wireless network so that it can only get to the internet and no other network, but there does not seem to be an option for this? i.e. WAN_subnet seems to give me the ISP subnet.

    Say I put in the following rule:
    WIRELESS ICMP any WIRELESS_Subnet > any
    I am now able to ping to all networks, including my DMZ and Internal.

    I then try
    WIRELESS ICMP any WIRELESS_subnet > WAN_subnet
    Now I can only ping my external address.

Is there a way to do this, or do I really need to configure an alias with private networks and deny them in the rule?
WIRELESS ICMP any WIRELESS_subnet > !priv_net_alias

Endian had a RED interface that I could just use, and it gave me all external addresses.

    Please help

    Cheers




create a rule ANY -> ANY but set a fixed gateway (group) in the advanced section of the firewall rule;
that way you won't be able to reach the other LAN subnets but will still have access to all internet addresses.

the other option is to create an alias like you suggested.



  • Hi Heper,

I tried your suggestion but it didn't seem to work. Just to see if I'm right, I created the rule

WIRELESS ICMP any WIRELESS_Subnet > any [Advanced Options] Gateway selected WAN: <ISP IP> instead of default.

Cheers


  • Netgate Administrator

    That should work.
    Remember that firewall rules are read from the top down and any match will then stop further matching.

Alternatively, set up an alias as you suggested (that's what I have done; it's not difficult), or add blocking rules above the allow rule to prevent access to your other subnets.

    Steve
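The top-down, first-match behaviour Steve describes, and the two rule layouts discussed in the thread (a pass rule with an inverted private-network alias, or a block rule placed above a pass-any rule), modelled as an added example. This is not code from the thread or from pfSense; the subnets, the alias contents (all RFC 1918 space) and the test targets are assumptions chosen to mirror the poster's setup.

```python
"""Toy model of pfSense's first-match rule evaluation on one interface.

Added example, not code from the thread or from pfSense. The subnets, the
alias contents and the probe targets are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed interface subnets (the thread only says "private network address").
WIRELESS_SUBNET = ipaddress.ip_network("192.168.3.0/24")
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
DMZ_SUBNET = ipaddress.ip_network("192.168.2.0/24")

# Constructed alias standing in for the poster's priv_net_alias: all RFC 1918 space.
PRIV_NET_ALIAS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: list              # source networks
    dst: list              # destination networks (an alias)
    dst_negate: bool = False   # the "invert match" (!) box on the destination
    label: str = ""

    def matches(self, src_ip, dst_ip):
        src_hit = any(src_ip in n for n in self.src)
        dst_hit = any(dst_ip in n for n in self.dst)
        if self.dst_negate:
            dst_hit = not dst_hit
        return src_hit and dst_hit


def evaluate(rules, src, dst):
    """Return the action of the first matching rule; no match means the implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "block"


# 1. The poster's first attempt: WIRELESS_subnet > any. Every network is reachable.
RULES_ANY = [Rule("pass", [WIRELESS_SUBNET], ANY, label="WIRELESS_subnet > any")]

# 2. The alias approach: WIRELESS_subnet > !priv_net_alias.
RULES_ALIAS = [Rule("pass", [WIRELESS_SUBNET], PRIV_NET_ALIAS, dst_negate=True,
                    label="WIRELESS_subnet > !priv_net_alias")]

# 3. Block rule ABOVE the allow rule, as Steve suggests.
RULES_BLOCK_FIRST = [
    Rule("block", [WIRELESS_SUBNET], PRIV_NET_ALIAS, label="block WIRELESS_subnet > priv_net_alias"),
    Rule("pass", [WIRELESS_SUBNET], ANY, label="WIRELESS_subnet > any"),
]

# 4. Same two rules in the wrong order: the pass rule matches first, the block never fires.
RULES_BLOCK_LAST = list(reversed(RULES_BLOCK_FIRST))


def probe(rules):
    """Action per destination for one wireless client (constructed targets)."""
    wifi_client = "192.168.3.10"
    targets = {"internet": "198.51.100.7",   # TEST-NET-2, stands in for a public host
               "LAN host": "192.168.1.5",
               "DMZ host": "192.168.2.5"}
    return {name: evaluate(rules, wifi_client, ip) for name, ip in targets.items()}


if __name__ == "__main__":
    for name, rules in [("any", RULES_ANY), ("alias", RULES_ALIAS),
                        ("block first", RULES_BLOCK_FIRST), ("block last", RULES_BLOCK_LAST)]:
        print(f"{name:12s} {probe(rules)}")
```

Two practical caveats when carrying this over to a real ruleset: the block-then-pass pair only works in that order, as the "block last" case shows, and an alias covering all of RFC 1918 also denies the wireless clients access to the firewall's own WIRELESS interface address, so a pass rule for DNS (and anything else the clients need from pfSense itself) has to sit above it.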



  • Hi Steve,

    Strange that it doesn't work. It's currently the only rule I have under the wireless interface.

    Cheers

