Allow internet only on second wireless network



  • Hello

    My current setup is  lan  ,wireless private and wireless public  I want one to give wireless public internet access only so they cant connect my servers and home computers
    I Know I kan make a rule like this:
        Action: Pass
        Disabled: unchecked
        Interface:  wireless public
        Protocol:  any
        Source: wireless public subnet
        Destination: not  LAN Subnet

    But then I only block traffic to the lan subnet and not to the wireless private network.
    Would it be enough to add an additional rule to block access to the wireless private network?
    And I've seen some tutorials where they make the above rule and then make an additional rule where the block acces to the lan.
    But then you are blocking the lan twice isn't it? Why would you do that?

    Why isnt it possible to make a rule like this to allow internet only.
        Action: Pass
        Disabled: unchecked
        Interface:  wireless public
        Protocol:  any
        Source:  wireless public subnet
        Destination: wan subnet
    with an extra rule for dns traffic.



  • Create an alias that has both the wireless private and LAN subnets. You can then modify the wireless public to use the destination of NOT <private_network_alias>.

    WAN subnet is not the entire internet, but only the small portion you are assigned. This is why it would not work.</private_network_alias>



  • Greats thanks!
    Why didn't I think of an alias myself.
    And thanks for the explanation about the wan subnet.
    Another question about the destination type in the firewall rules, what is  wan address?
    I cant define a single address on the wan with it, but it wont work as all wan addresses. So what do you define with wan address?

    Thanks in advance



  • Generally, you can define incoming rules and NAT rules with the WAN address. Say if you wanted to expose a service running on the firewall itself. Like the webconfigurator (though it is not a very good idea to do that) on port 80 or 443. For NAT rules, you are just telling the FW to use the WAN address as the source translation.



  • Aha now I get the wan adress type. I have been wondering for a long time what its for.

    thanks again



  • WAN address would generally be your router's internet IP address.


Locked