    Netgate Discussion Forum

    Captive portal interface can access LAN side

    Firewalling
    • W
      webmonkey last edited by

      I really am new to this firewall problem. I searched Google and the forum, but I can't get myself out of this problem.
      Captive portal and the other functions work well; my problem is that users on the CP side can access all of my LAN side after they have successfully authenticated. They can access LAN resources. I tried to block this, but I don't know what I'm doing. Please show me the answer.

      Here is my configuration:

      WAN : 192.168.1.3 DHCP (address reservation)
      LAN : https://192.168.1.4:7777 (same network with wan)
      CP: 192.168.10.1

      For the firewall rules, I left WAN and LAN at the defaults. I set the CP firewall rule like this: PASS > any > any > any > SAVE. (If I don't add the pass rule, CP users can't access the internet.)

      Thank you.
      *** This is terrible, I can't find the right answer. Help me please.

      • K
        Klaws last edited by

        Your problem is that WAN and LAN use the same address range. Take a different IP address range for the LAN and then you can block CP traffic trying to get into that range.

        • W
          webmonkey last edited by

          I'm sorry, that doesn't help.
          I changed my LAN IP to a different network > 192.168.2.4.
          The CP side can still access pfSense WAN > 192.168.1.3 and LAN.

          I think I have to change some firewall rule. How do I write a firewall rule that allows access to the internet but not to the other networks from the CP side?
          Sorry for my English.

          • L
            lsense last edited by

            What about putting one more firewall rule on the CP interface:
            DENY > any > 192.168.1.0/24 > any > SAVE

            Edit: put the rule before the "allow any any" one.

            • K
              Klaws last edited by

              And push that new rule to the top of the list, so it gets precedence over any "allow all" rules.

              No need to apologize for your English.

              Edit: okay…seems that lsense was a bit faster with the edit ;)

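The rule ordering discussed in this thread, as an added example that is not part of the original posts: a small first-match evaluator that audits which destinations a captive portal client can reach under each version of the CP interface rule list. Assumptions: the /24 mask for the moved LAN (192.168.2.4), the client address 192.168.10.50 and the internet probe 203.0.113.10 are constructed, and rules are modelled as first-match-wins with a default block, which is how pfSense evaluates interface rules.

```python
import ipaddress

ANY = "0.0.0.0/0"  # stands in for "any" in the GUI

def evaluate(rules, src, dst, default="block"):
    """Return the action of the first rule matching src -> dst (first match wins)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return default  # nothing matched: implicit deny

def audit(rules, client, probes):
    """Map each named probe destination to the action the rule list yields."""
    return {name: evaluate(rules, client, ip) for name, ip in probes.items()}

# Rule lists for the CP interface, top to bottom: (action, source, destination).
ORIGINAL = [("pass", ANY, ANY)]                      # the poster's single rule
WRONG_ORDER = [("pass", ANY, ANY),                   # block placed below pass:
               ("block", ANY, "192.168.1.0/24")]     # never reached
SUGGESTED = [("block", ANY, "192.168.1.0/24"),       # block first, as advised
             ("pass", ANY, ANY)]
# Assumption: once LAN is moved to 192.168.2.4, its network (taken as /24 here)
# needs its own block rule; the 192.168.1.0/24 rule does not cover it.
EXTENDED = [("block", ANY, "192.168.1.0/24"),
            ("block", ANY, "192.168.2.0/24"),
            ("pass", ANY, ANY)]

CLIENT = "192.168.10.50"            # constructed client on the CP network
PROBES = {
    "wan_side_host": "192.168.1.3",  # pfSense WAN address from the thread
    "lan_host": "192.168.2.4",       # LAN address after the change
    "internet": "203.0.113.10",      # constructed documentation address
}

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("wrong order", WRONG_ORDER),
                        ("suggested", SUGGESTED), ("extended", EXTENDED)]:
        print(f"{name:12s} {audit(rules, CLIENT, PROBES)}")
```

Running the audit shows that the suggested rule only takes effect above the pass rule, and that each internal network needs to be covered by a block rule for the CP side to be limited to internet access.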