Netgate Discussion Forum

    Pass OPT1 Just to WAN?

    Firewalling | 3 Posts, 2 Posters, 1.1k Views
    captaintofuburger:
      I'm setting up a captive portal and I have an OPT1 interface that I want to only be able to access the WAN with. I can't figure out a way to make just a pass rule to the WAN. I see I can do a !NOT rule to my LAN subnets, and/or create aliases for my networks and block them.

      Is there a way to do this? It seems that adding NOT rules is roundabout and would require more management than just a simple pass rule.

      Thanks for any help!

      johnpoz (LAYER 8 Global Moderator):

        Well, OPT interfaces normally don't have any rules, so by default everything is blocked. If you want it to only access your WAN network, then a simple pass from the source network on your OPT1 interface to whatever network is on your WAN should work.

        So for example

        source opt1 net
        port any
        dest wan net
        port any

        This seems to be what you're asking with this question:
        "I have an OPT1 interface that I want to only be able to access the WAN with"

        Keep in mind that rule will NOT allow access to stuff past your WAN network. It will allow access to the WAN network only. So if your WAN network is 1.2.3.0/24, say you're 1.2.3.102/24 with a gateway of 1.2.3.1, then that is the network you would allow access to: 1.2.3.0/24. You're not going to be able to access, say, Google with such a rule, unless there was a proxy you were accessing on 1.2.3.0/24.

        Where you need to set up NOT rules is if you want to allow access to the INTERNET, i.e. you have no idea what the network is, which would be ANY, and not allow access to, say, your LAN net from your DMZ segment, etc.

        This is where you would create an alias of all your local networks you don't want to allow to be accessed, but want every other public internet access to be available.

        Then it's one simple rule:
        source opt1 net
        port any
        dest NOT MYNetworks
        port any

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

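To make the difference between the two rule shapes in the answer above concrete, here is a small first-match evaluator written for this page (it is an added example, not pfSense code or anything from the thread). It models the two rules johnpoz describes: a pass from OPT1 net to WAN net, and a pass from OPT1 net to NOT MyNetworks. The OPT1 subnet (10.10.0.0/24) and the contents of the MyNetworks alias (the three RFC1918 ranges) are assumptions; the WAN addresses 1.2.3.0/24, 1.2.3.1 and 1.2.3.102 are the ones used in the post. An OPT interface with no matching rule blocks, which the evaluator reproduces as its default.

```python
"""Toy first-match evaluator for pfSense-style interface rules.

Added example for this thread, not pfSense code. Addresses are constructed:
10.10.0.0/24 is assumed to be "OPT1 net", 1.2.3.0/24 is "WAN net" from the
post, and MyNetworks is an assumed alias holding the RFC1918 ranges.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

OPT1_NET = Net("10.10.0.0/24")   # assumed OPT1 subnet
WAN_NET = Net("1.2.3.0/24")      # WAN subnet used in the post
MY_NETWORKS = [                  # assumed contents of the "MyNetworks" alias
    Net("10.0.0.0/8"),
    Net("172.16.0.0/12"),
    Net("192.168.0.0/16"),
]


@dataclass
class Rule:
    action: str          # "pass" or "block"
    src: list            # list of networks, like a pfSense alias
    dst: list
    dst_not: bool = False  # the "invert match" / NOT checkbox on the destination

    def matches(self, src_ip, dst_ip):
        src_hit = any(src_ip in n for n in self.src)
        dst_hit = any(dst_ip in n for n in self.dst)
        if self.dst_not:
            dst_hit = not dst_hit
        return src_hit and dst_hit


def evaluate(rules, src, dst):
    """Interface rules are first-match; with no match an OPT interface blocks."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "block"  # implicit default deny on the interface


# Rule set 1: "source opt1 net, dest wan net" (the literal reading of the question)
WAN_ONLY = [Rule("pass", [OPT1_NET], [WAN_NET])]

# Rule set 2: "source opt1 net, dest NOT MyNetworks" (internet, but not local nets)
INTERNET_NOT_LOCAL = [Rule("pass", [OPT1_NET], MY_NETWORKS, dst_not=True)]


def demo(client="10.10.0.25"):
    """Run a few constructed flows from an OPT1 client through both rule sets."""
    return {
        "wan_only -> WAN gateway 1.2.3.1": evaluate(WAN_ONLY, client, "1.2.3.1"),
        "wan_only -> 8.8.8.8 (internet)": evaluate(WAN_ONLY, client, "8.8.8.8"),
        "not_local -> 8.8.8.8 (internet)": evaluate(INTERNET_NOT_LOCAL, client, "8.8.8.8"),
        "not_local -> 192.168.1.10 (LAN host)": evaluate(INTERNET_NOT_LOCAL, client, "192.168.1.10"),
        "not_local -> 1.2.3.102 (firewall WAN IP)": evaluate(INTERNET_NOT_LOCAL, client, "1.2.3.102"),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{verdict:5}  {flow}")
```

The last flow is the check worth doing before relying on a NOT-alias rule: the firewall's own public WAN address is not RFC1918, so "NOT MyNetworks" passes traffic to it. If OPT1 clients should not reach the firewall on that address, add it (or the WAN net) to the alias and re-run the evaluator to confirm the verdict flips to block.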
        captaintofuburger:

          Ah, I see what you mean; I was thinking of things slightly backwards. That makes more sense to me, why it would be like that.

          I will just add NOT rules; I had it working like that before, it just seemed odd to me.

          Thank you for the explanation.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.