Subnet 2 and DMZ have no Internet access.

  • internet--->CableModem--->pfSense---->Subnet 1 (internet access)
                                    ---->Subnet 2 (internet access, computers get IP address via DHCP)
                                    ---->Subnet 3 (internet access, DMZ, DHCP)

    How do I get subnets 2 and 3 access to the internet?  pfSense is handling everything.


  • do you have firewall rules on these additional interfaces?  The default for OPT interfaces is no rules, which means everything is denied.

  • I have no rules for these interfaces.  What is the default rule for the lan0?

  • Go to firewall>rules in the webgui, then select the lan tab. Hit the [+] right near the default lan to any rule. Change the interface and the source IP from lan to opt1. Hit save. Do the same for opt2, with opt2 as interface and opt2 as source subnet. Save and apply your settings. This way every interface can talk with everything. As one of the interfaces is a DMZ you should tighten some rules depending on what you want to do.

  • Ok, I got the subnet connected to the internet. Thank you.  How secure is the default rule?  I don't want anybody to be able to ping my firewall.  I would like to be able to use Bittorrent.

    This Firewall is replacing a linksys firewall/router appliance so I am new to a lot.

    Now I would like to start configuring the rule for the DMZ.  I am new to rule configuration.
    For my DMZ I will have a webserver, email server and a VoIP server, Asterisk, which will be running SIP.  I don't want ICMP capability.  I would like to be able to SSH into each from the outside.

    Thanks for the help.

  • The way you now have set it up is that the internal interfaces can talk to each other and every interface can go out to the internet. Still nothing is let in from WAN, as there is no pass rule at WAN present. For your DMZ you typically want something like this:

    block proto any source DMZ-subnet destination LAN-subnet
    block proto any source DMZ-subnet destination OPT1-subnet
    pass proto any source DMZ subnet destination any

    This way DMZ can go out to the internet but can't access LAN and OPT1. OPT1 and LAN still can access each other and also can access the DMZ. Note that rules order is important.

    For your incoming connections you need portforwards at firewall>nat, portforward tab. Make sure you have "autocreate firewall rule" at the bottom of the add NAT entry checked.

    To allow SSH to all your machines you have to use different ports at WAN for the forwards like
    forward port 22 to asterisk-IP port 22
    forward port 23 to webserver-IP port 22

    and so on.

  • Hoba– Thank you for your help.
    Last night I hooked up my Asterisk box (Asterisk@Home distro).  It has an ip address of    I cannot access it from my workstation that is on the .1.x subnet.  I thought that the firewall rules you gave me would allow me from any subnet to access any computer on the .2.x or the .3.x subnets.  How do I go about rectifying this problem?  Asterisk@Home is configured through AMP, Asterisk Management Portal, a webgui.  I was trying to access the box through that and ssh.


  • Can I use the auto update feature to install that?

    I installed from the livecd that I downloaded from the download area.  I installed pfsense over this past weekend.

    Where is the version number?

  • manual update.

    As it has been mentioned at least 100 times in this forum alone, auto update is being worked on.

  • Do I want the 27 meg file or the 2 meg file?
    I'm new to pfsense and I haven't fully read through the forums.

    Thanks for the help.

  • 2 mb is for embedded versions, 29 mb is for harddisk installs.

  • Where is the channel log located?  I looked under the blogs and tutorials and the faq but never seem to have found it.

    I am still having my problem of being unable to access AMP from my .1.x subnet.  The asterisk box is on the .3.x subnet.

    Any ideas?

  • Check firewall logs if something is blocked. If you see blocks, your rules are not set up correctly. If you don't see blocks, check if all your machines have the pfsense as gateway IP at their local interface. You might as well test that with traceroute from both ends to the other end to see where it stops. You should see only one hop.

  • Ok.
    If I am on a computer in the 192.168.1.x subnet I can successfully ping the interfaces for the .2.x (lan 2) and the .3.x (DMZ) subnets.  I cannot ping any IP addresses after .2.1 or .3.1.
    If I am at a computer with an IP address of .2.2 or higher or .3.2 or higher, I can only successfully ping the .2.1 or .3.1 address but NOT the .1.1 address.
    I also CANNOT ping a .3.x from .2.x, and the inverse of that is true as well.
    The .2.1 subnet has internet access.
    When I try to ping any address outside the subnet I receive this message: Destination Host Unreachable

    I ran traceroute but I don't exactly know what response I am looking for.  What response do I want?  The route should not be too many hops as it's just a couple of NICs.


  • Do you have set up the firewall rules for ping?
    If you put on the lan tab, the opt1 tab and the opt2 tab this rule

    icmp * * * * *

    then they can ping the lan network, opt1 network, opt2 network and the internet.
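As an added illustration (not pfSense code, and not from anyone in this thread) of the first-match behaviour behind the DMZ rule set posted above and the ICMP rule in the last reply: a toy per-interface filter that shows why the two block rules must come before the pass-to-any rule, and why an OPT interface with no rules drops pings. The 192.168.x.0/24 prefixes and host addresses are constructed to match the thread's .1.x/.2.x/.3.x numbering and are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed subnets matching the thread's .1.x / .2.x / .3.x numbering;
# the real prefixes are an assumption.
LAN = ip_network("192.168.1.0/24")
OPT1 = ip_network("192.168.2.0/24")
DMZ = ip_network("192.168.3.0/24")   # OPT2 in the thread
ANY = ip_network("0.0.0.0/0")

# A rule is (action, proto, src, dst); proto "any" matches every protocol.
# pfSense evaluates an interface's rules top to bottom and stops at the
# first match; traffic matching no rule on that interface is dropped.
# Real pf is stateful: replies to a LAN-initiated connection into the DMZ
# are allowed by state, so the DMZ block rules only stop DMZ-initiated traffic.
RULES = {
    "lan":  [("pass", "any", LAN, ANY)],
    "opt1": [("pass", "any", OPT1, ANY)],
    "opt2": [("block", "any", DMZ, LAN),
             ("block", "any", DMZ, OPT1),
             ("pass", "any", DMZ, ANY)],
}


def evaluate(rules, proto, src, dst):
    """First-match evaluation; no match means the default deny applies."""
    s, d = ip_address(src), ip_address(dst)
    for action, rproto, rsrc, rdst in rules:
        if rproto in ("any", proto) and s in rsrc and d in rdst:
            return action
    return "block"


def dmz_isolation_report(rules):
    """What a constructed DMZ host (192.168.3.10) may initiate under `rules`."""
    host = "192.168.3.10"
    return {
        "to_lan": evaluate(rules, "tcp", host, "192.168.1.5"),
        "to_opt1": evaluate(rules, "tcp", host, "192.168.2.2"),
        "to_internet": evaluate(rules, "tcp", host, "203.0.113.7"),
    }


if __name__ == "__main__":
    print("rules as posted:", dmz_isolation_report(RULES["opt2"]))
    # Reversing the list puts pass-to-any first, so the block rules are
    # never reached and the DMZ can reach LAN and OPT1: order matters.
    print("pass rule first:", dmz_isolation_report(list(reversed(RULES["opt2"]))))
    # An OPT interface with no rules drops everything, including ping.
    print("ping, bare OPT1:", evaluate([], "icmp", "192.168.2.2", "192.168.1.1"))
    # The last reply's 'icmp * * * * *' rule lets pings through.
    print("ping, icmp rule:", evaluate([("pass", "icmp", ANY, ANY)], "icmp", "192.168.2.2", "192.168.1.1"))
```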