Netgate Discussion Forum

Block one subnet from accessing another

Firewalling

    jamesaepp
    last edited by Feb 20, 2013, 7:43 PM

    Thank you in advance for any assistance!

    I have my pfsense router on 192.168.1.1

    I have an OpenVPN setup on 192.168.4.xxx (Established and Functional)

    However, I do NOT want the hosts on 192.168.4.xxx to be able to reach ANY hosts on 192.168.1.xxx except for the router to achieve DNS servers and such. (I still want them to have web access.)

    Suggestions?

      podilarius
      last edited by Feb 20, 2013, 10:36 PM

      Set up 2 rules on (I would guess) LAN that state source 192.168.4.0/24 is blocked to 192.168.1.0/24, and an allow rule above it that allows that subnet to 192.168.1.1 on port 53 of TCP and UDP.

        jamesaepp
        last edited by Feb 21, 2013, 12:35 AM

        [SOLVED]
        @podilarius:

        Set up 2 rules on (I would guess) LAN that state source 192.168.4.0/24 is blocked to 192.168.1.0/24, and an allow rule above it that allows that subnet to 192.168.1.1 on port 53 of TCP and UDP.

        Worked perfectly! Thanks for the help. See attached picture for my final rules.


          marcelloc
          last edited by Feb 21, 2013, 12:57 AM

          Are you sure? You have 8 rules allowing any traffic before your deny rule.

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

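To make the two points above concrete (podilarius's allow-DNS-above-block ordering, and marcelloc's warning that allow-any rules placed above the deny make it dead), here is an added example that is not from the thread or from pfSense itself: a small first-match rule evaluator in the style of a pfSense interface tab, with constructed rules and sample flows. The 203.0.113.0/24 address is a documentation range standing in for an Internet host.

```python
import ipaddress

# Added example: first-match rule evaluation as on a pfSense interface tab
# (top to bottom, first match wins, implicit deny at the end). All rules
# and sample flows below are constructed for illustration.

def make_rule(action, src, dst, proto=None, port=None):
    """src/dst are CIDR strings or None for 'any'; proto/port None means any."""
    return {"action": action, "proto": proto, "port": port,
            "src": ipaddress.ip_network(src) if src else None,
            "dst": ipaddress.ip_network(dst) if dst else None}

def matches(rule, pkt):
    src, dst, proto, port = pkt
    if rule["src"] is not None and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(dst) not in rule["dst"]:
        return False
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    if rule["port"] is not None and rule["port"] != port:
        return False
    return True

def evaluate(rules, pkt, default="block"):
    """Return the action of the first rule matching pkt, else the implicit default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return default

# The order podilarius describes: DNS to the router allowed above the block,
# then a general pass so 192.168.4.0/24 can still reach the Internet.
GOOD_ORDER = [
    make_rule("pass", "192.168.4.0/24", "192.168.1.1/32", "udp", 53),
    make_rule("pass", "192.168.4.0/24", "192.168.1.1/32", "tcp", 53),
    make_rule("block", "192.168.4.0/24", "192.168.1.0/24"),
    make_rule("pass", "192.168.4.0/24", None),
]

# marcelloc's concern: an allow-any rule sitting above the block rule.
BAD_ORDER = [
    make_rule("pass", "192.168.4.0/24", None),
    make_rule("block", "192.168.4.0/24", "192.168.1.0/24"),
]

# Constructed sample flows: (src, dst, proto, dst_port).
DNS_TO_ROUTER = ("192.168.4.10", "192.168.1.1", "udp", 53)
LAN_FILESHARE = ("192.168.4.10", "192.168.1.50", "tcp", 445)
ROUTER_WEBGUI = ("192.168.4.10", "192.168.1.1", "tcp", 443)
INTERNET_HTTPS = ("192.168.4.10", "203.0.113.10", "tcp", 443)
```

With GOOD_ORDER only DNS to 192.168.1.1 and Internet traffic pass, while the LAN host and the router's web GUI are blocked; with BAD_ORDER the same LAN host flow passes because the allow-any rule matches first and the block rule is never reached.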
            jamesaepp
            last edited by Feb 25, 2013, 10:59 PM

            @marcelloc:

            Are you sure? You have 8 rules allowing any traffic before your deny rule.

            Yes, I'm sure. I have another VPN server running on a 192.168.2 subnet linked to the 192.168.1 subnet.

              saeen
              last edited by Feb 28, 2013, 4:18 AM

              James - I don't understand what the purpose of having a VPN is if you don't want to allow your users access to the internal network?

              Also, the screenshot that you have uploaded clearly suggests you have allowed all traffic. Remember that when you connect OpenVPN it will add a route for the LOCAL Network that you defined on the OpenVPN server, and it will only pass traffic for that network through the tunnel. The rest of the traffic still goes through the normal channel.

                podilarius
                last edited by Feb 28, 2013, 4:48 AM

                The purpose would be to access certain resources behind the firewall but not all. Like access to a mail server but not a development server. Might be a bad example, but you get the idea. Perhaps a better example would be to allow a consultant access to a machine, but only the one they need to work on at that time.

                  saeen
                  last edited by Feb 28, 2013, 5:01 AM

                  Thanks, Podilarius, but the author says:

                  However, I do NOT want the hosts on 192.168.4.xxx to be able to reach ANY hosts on 192.168.1.xxx except for the router to achieve DNS servers and such. (I still want them to have web access.)

                  So he doesn't want to grant access to a particular machine, but I think he is trying to use the proxy feature, which I don't believe would work like that! But maybe I am wrong.

                    podilarius
                    last edited by Feb 28, 2013, 5:08 AM

                    Well, in this case he wants VPN users to access the DNS server for name resolution to the Internet. The DNS server happens to be the firewall from what I can see.

                      jamesaepp
                      last edited by Mar 2, 2013, 12:51 AM

                      I am extremely sorry for the confusion I have created. Let me explain a bit further:

                      I have an OpenVPN for myself ONLY on 192.168.2.xxx forwarded to 192.168.1.xxx. In this way, I can access all the hosts I wish. That is why you see the rules earlier. They are for a different VPN.

                      The VPN I asked about for this post is for the 192.168.4.xxx. The users with access to this VPN are close friends who I don't want to have access to the main network. Those clients get forwarded to 192.168.3.xxx (I set it up this way due to the tutorial maker doing it in a similar fashion). HOWEVER, I still needed them to get access to DNS services. I have tested this out in multiple ways, and the clients on the 192.168.4.xxx do not have access to hosts on 192.168.1.xxx. Not even the administrative portal for the router itself.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.