Wan, Lan and Opt1 Firewall Rules for isolation

  • Hello,

    I'm new to pfsense and need some help to setup the firewall rules.  I checked the forums but don't see what I need to have done. If I double posted I will apologize now.

    My setup:

    The Cisco router is hooked to the pfsense box from port 1 into lan. The Dlink router is hooked from port 1 to opt1. ISP is hooked from modem to wan.

    Below is my setup layout picture:

    ISP<–-connected to WAN via DHCP from ISP <--------------------
    Cisco wireless router(no DHCP no NAT enabled)<---lan------>pfsense box<-----opt1------->Dlink wireless router(no DHCP no NAT enabled)

    Cisco IP address -
    subnetmask -

    Dlink IP Address -
    subnetmask -

    pfsense box setup
    Wan rl0= DHCP from ISP working fine can ping out.
    Lan xl0 = static setup with DHCP and NAT enabled and works fine. Subnetmask
    OPT1 xl1 = static setup not DHCP enabled but is NAT enabled.  Subnetmask

    So what I would like to see with pfsense is to have lan be fully working, which it is. Opt1 I want to be isolated from the lan but have internet access. I need to build an enterprise test network for school that will contain 5 Windows Server 2008 Enterprise installs with 5 clients. Those servers will have DHCP, DNS, file servers, app servers, exchange server and a CA server.

    Right now I have in the pfsense firewall for lan the default rules. See my screenshot titled LAN_Firewall_Rules.

    For the opt1 firewall to get onto the internet I added a rule mirroring the default lan rule. See the screenshot OPT1_Firewall_Rules. This gave me internet access but I can access the cisco router ( config page and pfsense ( config page while on the op1 network.  Is this normal even know my server machine ip address is set static to with netmask of gateway of
    Also clients on the lan side using 192.168.0.X ip addresses can access the config pages of the Dlink ( and pfsense (

    If I enable DHCP on a Windows server will it feed back and mess up the lan interface on the pfsense that is handling DHCP broadcasts for the cisco connected clients, wired and wireless?

    I would like if I was connected to the lan interface that I can only access pfsense config page from ( and the cisco config page from ( Is this possible?  I don't need access to shares on lan network from opt1 or vice versa. When I put the enterprise test network opt1 publicly online with dyndns for my teacher to grade and test the network I don't want him anywhere near my home network cisco router or clients.

    I'm not sure if I do this through firewall rules or vlans or what. I need to have internet access on opt1, dhcp handled by windows server and dns also handled by windows server. The clients on the test network need to use dns and dhcp from the windows servers. Also any wireless clients need to connect to the dlink access point and obtain ip addresses from the windows servers.

    I know that this is alot of information to understand and any help would be awesome.


  • Not sure what you want to do here. If you just want to restrict access to the GUI pages, just set the rules like this:

    HOST (PC) YOU WANT ALLOW ACCESS TO GUI PAGES [LAN] (x.x.x.x) ====> PFSENSE (y.y.y.y) <===== OTHER ROUTER (z.z.z.z)

    permit to pfsense address
    PERMIT TCP SOURCE (x.x.x.x) DESTINATION (y.y.y.y)
    PERMIT TCP SOURCE (x.x.x.x) DESTINATION (z.z.z.z)
    PERMIT PROTOCOL SOURCE anything else you want to permit
    DENY ALL (remember this is there by default)

    Rules apply inbound on an interface. Which means pretend you are on the PF router. Router goes "HEY PACKETS COMING IN MY {INTERFACE NAME, LAN, OPT, W/E}, do you match these rules?" What do I do with you? Do you match any rules (if you don't you get dropped).

  • Thanks for the reply.

    Ok so basically if I take my firewall rules for opt1 and make them specific then this won't happen?  If this is true is there any way to make a group of rules that apply to just that interface? I have setup now for any to opt1 to have access so if I make it specific then It should not access the 192.168.0 subnet from the 10.x.x.x subnet.

    Also when I use my public ip address it access the admin page for pfsense, is there a way to change the port that the web interface uses to listen on? It is on default https now and http 443 and 80 id I choose to put it on http. I need to be able to use dyndns to access the servers on the  10.x.x.x network using ports 80, 443 21, 22, 53 for a grade in the course.

    Thanks again

Log in to reply