FW Ruleset not working as desired
I was hoping someone on the forums could help me resolve an issue with my FW ruleset. I have recently added a new interface (NIC) to my PFSense router and am having some problems getting the separate interfaces to communicate properly.
As of right now I have a NIC for WAN, LAN, and OPT1. WAN is assigned as DHCP via comcast, LAN is set as 192.168.0.1/24 and is plugged into an 8 port switch for my trusted network, and OPT1 is plugged into a wifi AP that will only handle wifi (un trusted / guest internet).
My primary goal is to separate LAN and OPT1 so that they cannot talk to each other, however if its not too difficult I would like LAN to be able to communicate to OPT1 (so I could scan a device or send files to one) but I do NOT want any device on OPT1 to be able to establish/create any connections with LAN whatsoever.
I have tried numerous times to modify the FW rules, and also the NAT but anything I try seems to work incorrectly. Furthermore the rules that I have implemented will either completely kill all connections to OPT1 (including WAN) or will also block connections to LAN, hence booting me out of the web configurator. To make life easier I have allowed all packets for the time being, but really am hoping to solve this problem soon. I will be happy to provide screenshots if necessary, but I have made so many modifications and have not gained anything that I am hesitant to do so at this time.
On a sidenote, I am able to connect to my PFSense router via either NIC (192.168.0.1 OR 192.168.1.1) I would like to disable connections to 192.168.1.1 so that any guests on my wifi wont be able to see the web configurator (even though it requires authentication)
Any help/thoughts would be greatly appreciated. Thanks
I think the first rule in my LAN configuration (anti lockout rule, set to allow traffic from any to LAN) is the issue. I can not place a rule before this either.
Is that a correct statement? If so, any workarounds?
the default anti-lockout rule will not cause any trouble on your LAN interface.
basically you want following rules
ON LAN TAB:
- allow lan-subnet TO any (this one should have been there by default)
ON OPT1 TAB:
- allow opt1-subnet TO NOT lan-subnet
those are the only rules you should need to get it working. NAT should just be set to automatic
Thank you for your reply!
I am happy to hear that (kinda) because I did in fact have those rules, but perhaps I made a mistake in the ordering or bumped something incorrectly. I am going to revert to a fresh install and implement those rules and post back my results. I will send screenshots if it does not work correctly this time. Thanks again.
Sweet it does work as it should! Thanks again, I am not sure if I made a mistake or perhaps a false assumption previously, or if modifying my NAT rules is what killed me. After reverting to defaults and then implementing your suggestions everything does work correctly. Thanks so much.
Lastly, the only thing I need to do now is block OPT1 to 192.168.1.1 (gateway/router web configurator). Do you recommend against hardcoding a rule to block this, or can I just completely disable the web configurator for that interface? I am hesitant to do the latter if you can think of a good reason I shouldnt, Please let me know your thoughts