Creating rules for LAN Networks
On my computer I have installed pfSense and have 4 NICs: "WAN", "DMZ", and two LANs, one labelled "public" and the other "server".
Basically I want to create rules so the "server" network can talk to the others but definitely NOT the other way round.
Many thanks for your help in advance.
Any help on how to go about this?
I want the server LAN to talk to the public LAN, but I DON'T want the public LAN to talk to the server LAN.
On the "server" interface, keep the allow-all rule as usual.
On the other interfaces, add a blocking rule with destination "server net" above the "allow all" rule.
The fun part about blocking specific traffic between LAN networks is that you have to dig down into all of the Windows / Linux servers and protocols and what ports they use,
considering things like DNS, NetBIOS, network shares and so on, depending on whether you're using Windows or Linux or both.
It is usually easier to just allow all ports below 1024 out to cover them all than to make very specific rules.
So, if I'm right in saying, on the firewall setup rule 1 is the default rule; let's say I deny all traffic in/out.
If I create rule 2 so that the server LAN can talk to the public LAN, will it override rule 1, as it comes before rule 1?
Does that make sense?
johnpoz (LAYER 8 Global Moderator):
Why you would call a LAN segment "public" is beyond me...
Where do you want your other segments to be able to talk? Out to the internet, which I assume is your WAN interface?
So your setup is pic 1? Please point out if your setup is different.
So everyone should be able to talk out the WAN to the internet. And the Server segment should be able to create traffic to DMZ and Public. But DMZ and Public should not be able to create traffic to each other or to Server.
So Server's rules are just allow all, any/any. Easy; this should be your default LAN rules. Let's assume that DMZ and Public are your OPT1 and OPT2 interfaces and have NO rules to start with.
I would create 2 aliases - you could do it with one, but 2 makes it clearer.
Call 1 Server-DMZ
Call 2 Server-Public
So in 1 you put Server LAN and DMZ LAN, kind of like the second pic,
where I have my LAN and wireless.
Then in 2 put Server LAN and your Public LAN.
Then on those interfaces create a rule like what I have on my DMZ interface (3rd pic),
where I say you can go anywhere as long as it's not locals (!Locals); you would use your aliases instead.
So on your Public interface you would use alias 1, Server-DMZ, with ! (not), so you would say: hey Public, you can go anywhere as long as it's not Server or DMZ.
Then on the DMZ interface use alias 2, Server-Public, with not (!), which says: hey DMZ, you can go anywhere except for Server and Public.
So in that setup any IPs in the Server segment could create traffic to DMZ or Public, and DMZ or Public could answer, but DMZ or Public could not start a conversation or create traffic into Server or Public.
Does that help?
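To make the ordering and alias logic discussed above concrete, here is a small Python model of how pfSense evaluates interface rules: rules apply to traffic entering an interface, they are checked top-down with the first match winning, anything unmatched is dropped by the implicit default deny, and replies to an already-passed connection are allowed by the state table rather than by a rule. This is an added example and not pfSense or pf code; the network ranges, the TEST-NET-3 address standing in for "the internet", and the rule names are constructed assumptions. It checks both styles from the thread (the explicit block-above-allow suggested earlier, used here on the DMZ interface, and johnpoz's single pass rule with a negated alias, used on Public) and also answers the question about rule order by showing what happens when the block sits below the allow-all.

```python
"""Model of pfSense per-interface, first-match, stateful rule evaluation.

Added example, not pfSense or pf code: a tiny simulator used to sanity-check
the policy from the thread. All addressing below is a constructed assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not from the thread).
NETS = {
    "server": ip_network("192.168.10.0/24"),
    "public": ip_network("192.168.20.0/24"),
    "dmz": ip_network("192.168.30.0/24"),
}
INTERNET = ip_address("203.0.113.10")  # TEST-NET-3 address standing in for "the internet"

# The two aliases johnpoz describes: each is a set of local networks.
ALIASES = {
    "Server-DMZ": frozenset({NETS["server"], NETS["dmz"]}),
    "Server-Public": frozenset({NETS["server"], NETS["public"]}),
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface the packet ENTERS on (pfSense rules are inbound)
    dst: frozenset = frozenset() # destination networks; empty means "any"
    negate: bool = False         # the GUI's "not" (!) checkbox on destination

    def matches(self, iface, dst_ip):
        if iface != self.iface:
            return False
        if not self.dst:
            return True
        hit = any(dst_ip in net for net in self.dst)
        return (not hit) if self.negate else hit


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # (src, dst) pairs of flows already passed

    def decide(self, iface, src, dst):
        """Return 'pass' or 'block' for a packet entering on iface."""
        # A reply to an established flow is passed by the state table, not by a
        # rule. This is why Public can ANSWER Server without any allow rule.
        if (dst, src) in self.states:
            return "pass"
        for rule in self.rules:            # top-down, first match wins
            if rule.matches(iface, dst):
                if rule.action == "pass":
                    self.states.add((src, dst))
                return rule.action
        return "block"                     # implicit default deny


# Server: allow all. Public: johnpoz's style, one pass rule with "not Server-DMZ".
# DMZ: the earlier reply's style, an explicit block placed ABOVE the allow-all.
GOOD_RULES = [
    Rule("pass", "server"),
    Rule("pass", "public", ALIASES["Server-DMZ"], negate=True),
    Rule("block", "dmz", ALIASES["Server-Public"]),
    Rule("pass", "dmz"),
]

# Same DMZ rules with the block BELOW the allow-all: the allow matches first,
# so the block never fires. This is the rule-order question from the thread.
MISORDERED_RULES = [
    Rule("pass", "server"),
    Rule("pass", "public", ALIASES["Server-DMZ"], negate=True),
    Rule("pass", "dmz"),
    Rule("block", "dmz", ALIASES["Server-Public"]),
]


def host(net_name, n=10):
    """Pick a sample host address in the named network (constructed)."""
    return NETS[net_name][n]


def policy_matrix(rules):
    """Who may OPEN a connection to whom: {(src_iface, dst_name): action}.

    A fresh Firewall is used per decision so no state from one probe can
    leak into another."""
    out = {}
    for src in NETS:
        for dst in NETS:
            if src != dst:
                out[(src, dst)] = Firewall(rules).decide(src, host(src), host(dst))
        out[(src, "internet")] = Firewall(rules).decide(src, host(src), INTERNET)
    return out


def reply_allowed(rules, src_iface, dst_iface):
    """Open a flow from src_iface, then check the reply from dst_iface passes."""
    fw = Firewall(rules)
    s, d = host(src_iface), host(dst_iface)
    if fw.decide(src_iface, s, d) != "pass":
        return False
    return fw.decide(dst_iface, d, s) == "pass"


if __name__ == "__main__":
    for (src, dst), action in sorted(policy_matrix(GOOD_RULES).items()):
        print(f"{src:>7} -> {dst:<9} {action}")
    print("public can answer server:", reply_allowed(GOOD_RULES, "server", "public"))
    print("misordered dmz -> server:", policy_matrix(MISORDERED_RULES)[("dmz", "server")])
```

Running it prints the allow matrix for the three segments plus the internet, confirms that Public can answer a connection Server opened even though Public has no rule allowing traffic to Server, and shows that with the DMZ block placed below the allow-all the DMZ can reach Server, which is the failure mode the rule-order question was worried about.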
Sorry for the delayed reply; this is great help, thanks a lot for your help!!!
So basically, set up different aliases and give the aliases different rules to talk to different aliases.