Netgate Discussion Forum

    Deny Access to another subnet

      molesza

      I have pfSense connected straight to a DSL modem in bridge mode. The pfSense DHCP hands out the 192.168.1.*** range over a 16-port unmanaged switch. I have connected a Netgear router to the switch through the WAN port of the Netgear. The Netgear router hands out IP addresses over the 10.0.0.*** range. The reason for this is that I would like to plug "guest" machines into the Netgear router to give them internet access, but I don't want these same computers to be able to "see" any computers in my office on the 192.168.1.*** range. I assumed having the Netgear on a different subnet would do the trick, but I am freely able to connect to any 192 addresses. Is there anything I can do in pfSense? Would putting another network card in the pfSense computer be the answer? If so, how would you configure pfSense?

      Thanks for taking the time to read my problem.

        stephenw10 Netgate Administrator

        Adding an interface to pfSense is the correct way to do this. That way you can easily add firewall rules to control access between the subnets.

        You could alternatively swap around your current configuration so that your own machines are behind the Netgear and guests are directly on the switch. The Netgear would then prevent guests accessing your own machines. Not a nice way to go.

        You could attempt something more complex. Run a PPPoE server (or PPTP/L2TP) on your pfSense box and have the Netgear connect to it via its WAN. That way guests behind the Netgear would have their traffic tunnelled to the pfSense box where it can then be controlled appropriately.
        I've never tried that but it would be fun to try!  ;)

        Steve
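
The separate-interface option from the reply above, as an added example that is not part of the original thread: a small model of top-down, first-match rule evaluation with an implicit deny, which is how pfSense processes the rules on an interface tab. The interface name GUEST, the /24 masks and the probe addresses are assumptions built from the ranges in the question.

```python
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # office range from the question
GUEST_NET = ipaddress.ip_network("10.0.0.0/24")    # assumed subnet for the new interface
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    descr: str

def evaluate(rules, src, dst):
    """Return (action, description) of the first matching rule, else implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action, rule.descr
    return "block", "default deny"

# Rules on the hypothetical GUEST interface, listed top to bottom.
GUEST_RULES = [
    Rule("block", GUEST_NET, LAN_NET, "guests must not reach office LAN"),
    Rule("pass", GUEST_NET, ANY, "guests to internet"),
]
# The same two rules in the wrong order: the broad pass matches first.
MISORDERED = list(reversed(GUEST_RULES))

# Constructed probe traffic arriving on GUEST (203.0.113.10 is a documentation address).
PROBES = [
    ("10.0.0.50", "192.168.1.10"),   # guest to office PC
    ("10.0.0.50", "203.0.113.10"),   # guest to internet host
    ("172.16.0.5", "203.0.113.10"),  # source outside the guest subnet
]

def leaks(rules, probes):
    """Probes that a ruleset would pass into the office LAN."""
    return [(s, d) for s, d in probes
            if ipaddress.ip_address(d) in LAN_NET and evaluate(rules, s, d)[0] == "pass"]

if __name__ == "__main__":
    for name, rules in (("correct", GUEST_RULES), ("misordered", MISORDERED)):
        for s, d in PROBES:
            print(name, s, "->", d, evaluate(rules, s, d))
        print(name, "leaks into LAN:", leaks(rules, PROBES))
```

With the block rule above the pass rule, the guest-to-office probe is dropped while internet traffic still passes; swapping the order lets the same probe through.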

          molesza

          Thank you very much for taking the time to reply. So I've got three options to try over the weekend. I will start with the PPPoE server and see how it goes. Will let you know.

            molesza

            Something that comes to mind. If I set up a PPPoE server, is it possible to have the office PCs bypass the server? I want to have all the machines plugging into the 16-port switch to have access without dialing in PPPoE.

              stephenw10 Netgate Administrator

              Yes, the other machines should simply connect as normal. You use the server on pfSense simply to set up a tunnel to your Netgear router. It may be easier/better to use PPTP or L2TP, I'm not sure as I've never tried this, as I said.
              You need the Netgear router to send all its traffic via the tunnel; if you use PPPoE it will see that as a normal WAN connection and should do that.

              Steve

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.