Creating rules for LAN Networks

  • hi all,

    on my computer i have installed pfsense on and have 4 NICS, "WAN" "DMZ" and the other 2 LANS one labelled "public" and the other "server"

    basically i want to create rules so the "server" network can talk to the others but def NOT the other way round

    many thanks for your help in advance


  • any help in how about going about this?

    i want the server lan to talk to the public lan but I DONT want the public lan to talk to the server lan


  • On the "server" interface, keep the allow all rule as usual
    On the other interfaces, add a blocking rule with destination "server net" above the "allow all" rule

  • The fun apart about blocking specific traffic between LAN networks is you have to dig down into all of the windows / Linux servers and protocols and what ports they use

    Considering things like DNS, NetBios, network shares and so on pending on if your using windows or linux or both.

    It is usually easier to just allow all ports below 1024 out to cover them all vs making very specific rules.

  • so if im right in saying on the firewall set up, rule 1 is the default rule lets say i deny all traffic in/out
    if i create rule 2 so that the server lan can talk to the public lan it will override rule 1 as this is before rule 1?

    does that make sense


  • LAYER 8 Global Moderator

    Why would you call a lan segment "public" is beyond me..

    Where do you want your other segments to be able to talk?  Out the internet that I assume is your wan interface?

    So your setup is pic 1?  Please point out if your setup different

    So everyone should be able to talk out the wan and to the internet.  And Server segment should be able to create traffic to DMZ and Public.  But dmz and public should not be able to create traffic to either each other or server.

    So servers rules are just allow all any any. Easy this should be your default lan rules.  Lets assume that dmz and public are your opt1 and opt2 interfaces and have NO rules to start with.

    I would create 2 aliases - you could do it with one, but 2 makes it clearer.

    Call 1 Server-DMZ
    Call 2 Server-Public

    So in 1 you put Server Lan and DMZ lan – kind of like second pic

    Where I have my lan and wireless

    Then in 2 put Server Lan and your Public lan

    Then on those interfaces create a rule like what I have on my dmz interface - 3rd pic

    Where I say you can go anywhere as long as not locals (!Locals) you would use your aliases

    So on your public interface you would use alias 1 server-dmz and use ! (not) so you would say hey public you can go anywhere as long as its not server or dmz

    Then on dmz interface use alias 2 server-public with not ! -- which says hey dmz you can go anywhere except for server and public.

    So in that setup any ips in server segment could create traffic to dmz or public and dmz or public could answer, but dmz or public could not start a conversation or create traffic into server or public.

    Does that help?

  • sorry for the delayed reply , this is great help thanks alot for your help!!!

    so basically set up different  aliases and set the aliases different rules to talk to different aliases

Log in to reply