Netgate Discussion Forum

    Creating rules for LAN Networks

    Firewalling
    robina80:

      Hi all,

      On my computer I have installed pfSense and have 4 NICs: "WAN", "DMZ" and the other 2 LANs, one labelled "public" and the other "server".

      Basically I want to create rules so the "server" network can talk to the others but definitely NOT the other way round.

      Many thanks for your help in advance.

      rob

      robina80:

        Any help on how to go about this?

        I want the server LAN to talk to the public LAN but I DON'T want the public LAN to talk to the server LAN.

        Thanks

        georgeman:

          On the "server" interface, keep the allow-all rule as usual.
          On the other interfaces, add a blocking rule with destination "server net" above the "allow all" rule.

          If it ain't broke, you haven't tampered enough with it

          SysIT:

            The fun part about blocking specific traffic between LAN networks is you have to dig down into all of the Windows / Linux servers and protocols and what ports they use.

            Consider things like DNS, NetBIOS, network shares and so on, depending on whether you're using Windows or Linux or both.

            It is usually easier to just allow all ports below 1024 out to cover them all vs making very specific rules.

            ¸,ø¤°`°¤ø,¸© Poor Planning On Your Part Does Not Constitute An Emergency On My Part ©¸,ø¤°`°¤ø,¸
            ¸,ø¤°`°¤ø,¸© The trouble with life is there’s no background music ©¸,ø¤°`°¤ø,¸
            ¸,ø¤°`°¤ø,¸© Life isnt short, you're just dead for too long©¸,ø¤°`°¤ø,¸

            robina80:

              So if I'm right in saying, on the firewall setup, rule 1 is the default rule; let's say I deny all traffic in/out.
              But
              if I create rule 2 so that the server LAN can talk to the public LAN, it will override rule 1 as this is before rule 1?

              Does that make sense?

              rob

              johnpoz (LAYER 8 Global Moderator):

                Why you would call a LAN segment "public" is beyond me..

                Where do you want your other segments to be able to talk? Out to the internet, which I assume is your WAN interface?

                So your setup is pic 1? Please point out if your setup is different.

                So everyone should be able to talk out the WAN and to the internet. And the Server segment should be able to create traffic to DMZ and Public. But DMZ and Public should not be able to create traffic to either each other or Server.

                So Server's rules are just allow all, any any. Easy; this should be your default LAN rules. Let's assume that DMZ and Public are your opt1 and opt2 interfaces and have NO rules to start with.

                I would create 2 aliases. You could do it with one, but 2 makes it clearer.

                Call 1 Server-DMZ
                Call 2 Server-Public

                So in 1 you put Server LAN and DMZ LAN, kind of like the second pic,

                where I have my LAN and wireless.

                Then in 2 put Server LAN and your Public LAN.

                Then on those interfaces create a rule like what I have on my DMZ interface (3rd pic).

                Where I say you can go anywhere as long as it's not locals (!Locals), you would use your aliases.

                So on your Public interface you would use alias 1 Server-DMZ with ! (not), so you would say: hey Public, you can go anywhere as long as it's not Server or DMZ.

                Then on the DMZ interface use alias 2 Server-Public with not (!), which says: hey DMZ, you can go anywhere except for Server and Public.

                So in that setup any IPs in the Server segment could create traffic to DMZ or Public, and DMZ or Public could answer, but DMZ or Public could not start a conversation or create traffic into Server or Public.

                Does that help?

                [attached images: network.jpg, aliases.png, examplenotrule.png]

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                robina80:
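The two approaches suggested in the thread (georgeman's explicit block rule placed above "allow all", and johnpoz's single pass rule whose destination is a negated alias) both rely on pfSense evaluating an interface's rules top-down with the first match deciding, and on replies being admitted by state rather than by a rule on the answering side, which is also the answer to rob's question about rule ordering. The simulator below is an added example, not code from this thread or from pfSense; the interface names follow the thread, while the subnets, addresses and alias contents are constructed for the example.

```python
"""First-match rule evaluation for the pfSense layout discussed in the thread.

Added example, not code from the forum thread or from pfSense itself. It models
interface rules as an ordered list evaluated top-down, first match wins, with
an implicit default deny at the end, and a state table so that replies to
permitted connections are allowed without a matching rule on the replying
side. Interface names follow the thread; the subnets and addresses are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed subnets: the thread names the segments but gives no addressing.
NETS = {
    "SERVER": ipaddress.ip_network("10.0.1.0/24"),
    "PUBLIC": ipaddress.ip_network("10.0.2.0/24"),
    "DMZ": ipaddress.ip_network("10.0.3.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Aliases as the thread describes them, plus "server net" for the block-rule variant.
ALIASES = {
    "any": [ANY],
    "server net": [NETS["SERVER"]],
    "Server-DMZ": [NETS["SERVER"], NETS["DMZ"]],
    "Server-Public": [NETS["SERVER"], NETS["PUBLIC"]],
}


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    dst_alias: str        # key into ALIASES
    negate: bool = False  # the "not" (!) box on the destination field


def dst_matches(rule: Rule, dst: str) -> bool:
    """True when the destination satisfies the rule's (possibly negated) alias."""
    ip = ipaddress.ip_address(dst)
    hit = any(ip in net for net in ALIASES[rule.dst_alias])
    return hit != rule.negate  # negation flips the result


def evaluate(rules: list, dst: str) -> str:
    """Walk the interface's rules top-down; the first match decides.
    Nothing matched means the implicit default deny applies."""
    for rule in rules:
        if dst_matches(rule, dst):
            return rule.action
    return "block"


# Variant A: johnpoz's negated aliases, one pass rule per interface.
RULES_NEGATED_ALIAS = {
    "SERVER": [Rule("pass", "any")],
    "PUBLIC": [Rule("pass", "Server-DMZ", negate=True)],
    "DMZ": [Rule("pass", "Server-Public", negate=True)],
}

# Variant B: georgeman's explicit block above "allow all" (blocks only the server segment).
RULES_BLOCK_FIRST = {
    "SERVER": [Rule("pass", "any")],
    "PUBLIC": [Rule("block", "server net"), Rule("pass", "any")],
    "DMZ": [Rule("block", "server net"), Rule("pass", "any")],
}


def initiate(rulesets: dict, state: set, src_if: str, src: str, dst: str) -> str:
    """Evaluate a new connection on the interface it enters; record state if passed."""
    action = evaluate(rulesets[src_if], dst)
    if action == "pass":
        state.add((src, dst))
    return action


def reply_allowed(state: set, src: str, dst: str) -> bool:
    """A reply packet is matched against existing state, not against rules,
    so a host in PUBLIC can answer SERVER even though it may not initiate."""
    return (dst, src) in state


if __name__ == "__main__":
    for name, rulesets in (("negated alias", RULES_NEGATED_ALIAS),
                           ("block first", RULES_BLOCK_FIRST)):
        print(f"--- {name} ---")
        for src_if, dst in (("SERVER", "10.0.2.5"), ("PUBLIC", "10.0.1.10"),
                            ("PUBLIC", "10.0.3.5"), ("PUBLIC", "198.51.100.7")):
            print(f"{src_if:7} -> {dst:14} {evaluate(rulesets[src_if], dst)}")
```

Swapping the order in variant B, so that "allow all" sits above the block rule, makes the block rule unreachable and PUBLIC can again open connections into SERVER; that is the ordering point behind rob's question. The two variants also differ in scope: the negated-alias rules stop PUBLIC and DMZ from reaching each other, while the block-first rules as written protect only the server segment.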

                  Sorry for the delayed reply; this is great help, thanks a lot for your help!!!

                  So basically set up different aliases and give the aliases different rules to talk to different aliases.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.