Netgate Discussion Forum

    Single Nic + 4 Vlans + ICMP

    General pfSense Questions
    5 Posts 3 Posters 1.5k Views
    anowak:

      Hi all,

      I must be doing something wrong. Recently I changed from Endian FW to pfSense and am trying to set it up in a similar fashion without much success.

      Setup: See Attachment.
      LAN : Private Network address
      DMZ : Private Network address
      WIRELESS : Private Network address

      I would like to isolate my Wireless network so that it can only get to the internet and no other network, but there does not seem to be an option for this? i.e. WAN_subnet seems to give me the ISP subnet.

      Say I put in the following rule:
      WIRELESS ICMP any WIRELESS_Subnet > any
      I am now able to ping to all networks, including my DMZ and Internal.

      I then try
      WIRELESS ICMP any WIRELESS_subnet > WAN_subnet
      Now I can only ping my external address.

      Is there a way to do this, or do I really need to configure an alias with Private Networks and deny them in the rule?
      WIRELESS ICMP any WIRELESS_subnet > !priv_net_alias

      Endian had a RED interface that I could just use and it gave me all external addresses?

      Please help

      Cheers

      Attachment: setup.jpg

    heper:

        Create a rule ANY -> ANY but set a fixed gateway (group) in the advanced section of the firewall rule.
        That way you won't be able to go to the other LAN subnets but will still have access to all internet addresses.

        The other option is to create an alias like you suggested.

    anowak:

          Hi Heper,

          I tried your suggestion but it didn't seem to work. Just to see if I'm right, I created the rule

          WIRELESS ICMP any WIRELESS_Subnet > any [Advanced Options] Gateway selected WAN: <ISP IP> instead of default.

          Cheers

    stephenw10 (Netgate Administrator):

            That should work.
            Remember that firewall rules are read from the top down and any match will then stop further matching.

            Alternatively, set up an alias as you suggested (that's what I have done, it's not difficult), or add blocking rules above the allow rule to prevent access to your other subnets.

            Steve

    anowak:
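A small first-match simulation of the rule orderings discussed in this thread, added here as an illustration (it is not pfSense code, and all addresses are constructed): it shows why a pass to `any` reaches the DMZ, why a pass to `WAN_subnet` only reaches the ISP subnet, and how either a `!priv_net_alias` destination or a block rule placed above the allow rule isolates the wireless subnet.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (not the poster's real addressing).
WIRELESS_SUBNET = ip_network("192.168.30.0/24")
DMZ_HOST, LAN_HOST = "192.168.20.5", "192.168.10.5"
WAN_SUBNET = ip_network("203.0.113.0/24")          # the ISP-facing subnet
INTERNET_HOST = "198.51.100.7"                      # something beyond the WAN subnet
# Alias of RFC 1918 space, the 'priv_net_alias' idea from the thread.
PRIV_NET_ALIAS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def matches(addr, spec):
    """spec is 'any', one network, a list of networks (an alias) or ('not', spec)."""
    if isinstance(spec, str) and spec == "any":
        return True
    if isinstance(spec, tuple) and spec[0] == "not":
        return not matches(addr, spec[1])
    nets = spec if isinstance(spec, list) else [spec]
    return any(addr in net for net in nets)


def evaluate(rules, src, dst):
    """pfSense-style evaluation: top down, first matching rule wins, default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for action, src_spec, dst_spec in rules:
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action
    return "block"


# The rule sets from the thread, each as (action, source, destination).
PASS_ANY = [("pass", WIRELESS_SUBNET, "any")]
PASS_WAN_SUBNET = [("pass", WIRELESS_SUBNET, WAN_SUBNET)]
PASS_NOT_PRIVATE = [("pass", WIRELESS_SUBNET, ("not", PRIV_NET_ALIAS))]
BLOCK_THEN_PASS = [("block", WIRELESS_SUBNET, PRIV_NET_ALIAS), ("pass", WIRELESS_SUBNET, "any")]
PASS_THEN_BLOCK = [("pass", WIRELESS_SUBNET, "any"), ("block", WIRELESS_SUBNET, PRIV_NET_ALIAS)]


def reachability(rules, src="192.168.30.10"):
    """Return what a wireless client may reach under a given rule set."""
    return {name: evaluate(rules, src, dst)
            for name, dst in (("dmz", DMZ_HOST), ("lan", LAN_HOST), ("internet", INTERNET_HOST))}


if __name__ == "__main__":
    for name, rules in (("pass any", PASS_ANY), ("pass WAN_subnet", PASS_WAN_SUBNET),
                        ("pass !priv", PASS_NOT_PRIVATE), ("block above pass", BLOCK_THEN_PASS),
                        ("block below pass", PASS_THEN_BLOCK)):
        print(f"{name:18} {reachability(rules)}")
```

The last two rule sets differ only in order, which is the top-down point made above: a block rule placed below the allow rule never gets a chance to match.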

              Hi Steve,

              Strange that it doesn't work. It's currently the only rule I have under the wireless interface.

              Cheers

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.