Assistance with Firewall Rules?

  • It's been a long, long time since I've worked with networks and firewalls, and any assistance would be GREATLY appreciated. . .

    My wife owns a small health-food store and I want to use pfSense to do a couple of things:

    1. Secure her Point of Sale system that's a hard-wired LAN so that her POS Register and her POS server can access each other and the Internet.  They are both on the same subnet.
    2. Allow her encrypted WiFi SSID to access the POS LAN and the Internet.  (different subnets)
    3. Keep her public WiFi SSID (no encryption) from accessing the POS LAN AND the encrypted WIFI network but allow them access to the Internet.

    I've spent 3 days reading the documentation, browsing the forums and experimenting with how to do this but I can't get it to work.

    I've attached a diagram of what I'm trying accomplish which I believe is accurate.

    Any assistance AT ALL would be greatly appreciated!
  • I guess it's much easier to have the public WiFi on a separate VLAN…

  • LAYER 8 Global Moderator

    OK, for starters: your secure WLAN is on your WAN side?? No, you would make that your guest wireless. Then set up your other wireless to be your secured one.

    All you're doing is causing yourself pain trying to let your WAN side into your LAN, when you already have the perfect isolation: your WAN, which allows NOTHING in unless requested, etc.

    And I have no idea what you're trying to do with your ???

    And since you will be allowing your secured wireless on your LAN, you have no need to even break it out onto its own interface.

    Now if you were not double-NATing I would suggest you do it a bit differently. But since you are, this is how I would do it.

    Your router doing NAT and connecting you to the internet: use that as your guest wireless = done. Nothing to worry about; they cannot access your POS devices.

    Now use your other one as just an access point; any wireless router can be used as an access point. Give its LAN IP an address on your network (in my example, so pfSense would be, say, your access point). You TURN OFF DHCP on your AP and connect it to your network via one of its LAN ports = easy instant AP. Secure that wireless with WPA2 and a good PSK and there you go: if you access that wireless you have access to your wired network.

    If you connect to the internet router's wireless you only have internet access. You only need 2 interfaces on your pfSense this way as well. Now if you want, you could get a bit fancier and break out even the secure wireless onto its own segment. But since you want it to have access to your LAN anyway, and your networking skills are questionable, this is easier.

  • Hey John,

    Thanks for the detailed response. I'm traveling today and will dig into your suggestions tonight. One thing I left out of my description is that the public WiFi is attached to pfSense so I can run it through the captive portal.

    Not sure if that tidbit changes your recommendations or not but it seems material.

    Many many thanks again for taking the time to look at this.


  • LAYER 8 Global Moderator

    Captive portal changes everything. You're still not going to want to put your secured wireless on the WAN side..

    Get another accesspoint then - and here.

    Turn off wireless on that ISP router connecting you to the internet and NATing, unless you can leverage it and just get a modem for your ISP connection. There is really no reason to NAT your connection to pfSense normally.

    So you see, in this setup we break out your guest wireless to be behind pfSense, along with your secured wireless.

    So in this setup we can use as your guest network. So pfSense is your captive portal in this case, and you create a firewall rule on the interface you're connecting to so that it can only access the internet, not your LAN. Something like

    source: guest lan
    port any
    dest: NOT lan
    port any

    This would allow the guest LAN (guest wireless); just set up the captive portal to do what you want on this interface. The firewall rule would prevent them from accessing your LAN, but allow full access to the internet.

    So depending on what you're using for your wireless AP, if it supports virtual SSIDs and VLANs you could do this with just 1 AP and VLANs. But it is cleaner and simpler just to completely break out the segments with their own hardware and interfaces. I don't think you should have a problem buying a $50 wireless router/AP??

    I am assuming here that the wireless router you show is actually a gateway device, a modem/router combo that connects you to your ISP. If not, and you have a modem in front of that wireless router you show connecting pfSense to the internet, you could just leverage that as one of your APs.
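The "source: guest lan / dest: NOT lan" rule above, expressed in the pf syntax pfSense compiles its GUI rules into. This is an added example, not the moderator's rules or anything from the original thread; the interface name, subnets and the choice of 192.168.x addressing are assumptions for illustration. It also covers the point the original question raised but the single rule does not: if the encrypted SSID ends up on its own segment rather than on the POS LAN, "NOT lan" still leaves that segment reachable from the guest network, so the example blocks every private range instead of only the POS LAN. The captive portal's own interception rules are generated by pfSense and are not part of this ruleset.

```pf
# --- Assumed names and addresses (illustrative, not from the thread) ---
guest_if  = "em2"              # pfSense interface the public SSID's AP plugs into
guest_net = "192.168.20.0/24"  # guest wireless subnet
lan_net   = "192.168.1.0/24"   # POS register + POS server (hard-wired LAN)
# RFC 1918 ranges: covers the POS LAN, a broken-out secure WiFi segment,
# and any other internal subnet added later, without editing this rule.
table <private_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. Guests need DHCP and DNS from pfSense itself, or the captive portal
#    page can never be reached. pfSense adds the DHCP-server rule itself when
#    DHCP is enabled on the interface; the DNS pass must be added explicitly.
#    "($guest_if)" means the address pfSense holds on that interface.
pass in quick on $guest_if inet proto udp from $guest_net to ($guest_if) port 53
pass in quick on $guest_if inet proto tcp from $guest_net to ($guest_if) port 53

# 2. The literal GUI rule from the post would compile to this single line.
#    It blocks only the POS LAN; a secure-WiFi segment on another subnet
#    would remain reachable from the guest network. Kept here for comparison.
#pass in quick on $guest_if inet from $guest_net to ! $lan_net

# 3. Hardened form: drop anything from the guest net to ANY private range
#    (POS LAN, secure WiFi segment, the rest of pfSense's interfaces).
block in quick on $guest_if inet from $guest_net to <private_nets>

# 4. Whatever is left is internet-bound; allow it. The captive portal
#    decides per client whether this traffic is actually forwarded.
pass in quick on $guest_if inet from $guest_net to any

# Sanity checks after loading (rules are evaluated first-match because of "quick"):
#   pfctl -sr | grep guest          shows the loaded rules in order
#   pfctl -t private_nets -T show   confirms the table contents
# Existing sessions keep matching their old state entries, so after changing
# the ruleset clear them (Diagnostics -> States -> Reset States in the GUI,
# or "pfctl -F states" on the console) before re-testing from a guest client.
```

In the pfSense GUI the same thing is a rule on the guest interface with source "GUEST net", destination an alias holding the three RFC 1918 networks, action Block, placed above a final "pass to any" rule; the DNS pass rule sits above both. Test from a guest client by confirming it can resolve names and reach the internet but gets no reply when trying the POS server's address.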

  • John,

    Thanks again for the assistance.

    My response was delayed because I went through 2 DOA WRT54GLs. . .

    I struggled for some time before figuring out that, for my setup, a pfSense reboot was required to apply changes to the firewall rules. After that it took me an hour to finish the setups and put it into production.


  • LAYER 8 Netgate

    A reboot is not required to change firewall rules, but you do have to click "Apply Changes" after saving.

    And if you change something but it doesn't appear to have taken effect, it can help to dump the state table: Diagnostics -> States -> Reset States. Especially when you're in install/debug mode and not in production.

    In your situation, if it were me, I'd put the westel in bridge mode and let the pfSense WAN port obtain the public IP.
