How to setup rules with 4 lans?

  • I currently have 1 WAN and 4 LANs (LAN + 3 OPT) in my pfSense box. I'd like to limit the traffic that can travel between the LANs (essentially only allowing maybe FTP and maybe SMB).

    When I tried to set up a rule on the individual LANs to:
    allow from LAN subnet -> WAN address (so that by default all traffic from the LAN can access the internet, without having the default: allow from LAN subnet -> any) it cut off the internet on that subnet. Why would it do this?

    Also, when adding a rule on the LAN1 interface to block any incoming traffic from LAN2, it did nothing. The rule looked like:
    block from LAN2 subnet -> LAN1 subnet. I think I know why it didn't work (this rule needs to be set up on the interface it enters the pfSense box from), but my question is, is there any way to block traffic coming into the subnet?

    The goal here is to allow each user to set up their own rules on their own subnet without touching another user's subnet rules.
    Is this possible or do I have to act as the router police and handle all rule changes etc.?

  • @memento:

    When I tried to set up a rule on the individual LANs to:
    allow from LAN subnet -> WAN address (so that by default all traffic from the LAN can access the internet, without having the default: allow from LAN subnet -> any) it cut off the internet on that subnet. Why would it do this?

    Your LAN subnet -> WAN address rule is only letting you go as far as your IP address (modem), thus blocking all outgoing connections to the internet.  Your WAN address is the first hop out after pfSense and you're allowing that, but not letting it go out any further without the default rule.  To do what you want, you need to leave the LAN net -> any rule and right above it put your block rules to the other LANs.

    Like the following on the LAN1 interface:

    Action   Proto   Source   Port   Destination   Port   Gateway   Schedule

    X        *       LAN1     *      LAN2          *      *         *
    X        *       LAN1     *      LAN3          *      *         *
    X        *       LAN1     *      LAN4          *      *         *

             *       LAN1     *      any           *      *         *

    Do similar for your other interfaces.

    Rules are processed from top to bottom, so if you have custom allows for each LAN, then above each block rule on each interface you have to give the allow rule for the traffic you DO want passed between LANs.  If what you want allowed applies to all LANs, then just make it your top rule and set up an Alias for your LANs so you don't have to make separate rules for each interface.

    I'm new to this myself so one of the Hero members will come along and confirm or deny the above.

  • @memento:

    allow from LAN subnet -> wan address (…all traffic ... can access the internet...)

    Nope, you only allow traffic TO the WAN interface, not beyond it.

    If you want all traffic but other local subnets then define a subnet alias and make a rule like:

    Action   Proto   Source   Port   Destination   Port   Gateway   Schedule
    X        *       LAN1     *      !SubAlias     *      *         *

    @memento:

    also when adding a rule on the LAN1 interface to block any incoming traffic from LAN2, it did nothing.

    Rules only handle the traffic that enters pfSense on the respective interface.
    To block traffic from LAN2 to LAN1 you have to do so on the LAN2 tab.

    @memento:

    the goal here is to allow each user to setup their own rules on their own subnet without touching another users subnet rules.
    Is this possible or do i have to act as the router police and handle all rule changes ect.

    This is not m0n0wall, we don't have different users ATM.
    If you allow others access to the webGUI they will be able to change any rule they want. This is not practical.

    Have one person to administer the ruleset in close communication with the other parties.

    Imagine if admin3 doesn't want the other subnets to lurk in his one, then the rules have to be on the other subnets' pages and therefore are not controlled by him. And I wouldn't want him to touch my ruleset to achieve his goal…

    BTW:
    Make sure you have defined different subnet ranges for the LANs and/or OPTs. Routing is not possible otherwise.
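A small simulator of the rule semantics the replies describe (only the ingress interface's tab is consulted, rules are tried top to bottom, first match wins, default deny). This is an added illustration, not code from the thread or from pfSense; the subnet addresses, the WAN IP, the alias name `SubAlias` and the rule tuples are constructed assumptions.

```python
import ipaddress

# Constructed lab addressing (assumptions, not taken from the thread).
LAN_NETS = {
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),
    "LAN2": ipaddress.ip_network("192.168.2.0/24"),
    "LAN3": ipaddress.ip_network("192.168.3.0/24"),
    "LAN4": ipaddress.ip_network("192.168.4.0/24"),
}
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")   # pfSense's own WAN IP only
ALIASES = {"SubAlias": list(LAN_NETS.values())}      # alias covering every local subnet

def matches(spec, addr):
    """Match a source/destination spec ('any', 'LAN2', '!SubAlias', 'WAN address')."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    if name == "WAN address":
        hit = addr == WAN_ADDRESS          # the interface IP itself, nothing beyond it
    elif name in ALIASES:
        hit = any(addr in net for net in ALIASES[name])
    else:
        hit = addr in LAN_NETS[name]       # 'LAN1' means the LAN1 subnet
    return not hit if negate else hit

def evaluate(rulesets, ingress_iface, src, dst):
    """Return 'pass' or 'block' for a packet entering pfSense on ingress_iface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in rulesets.get(ingress_iface, []):
        if matches(src_spec, src) and matches(dst_spec, dst):
            return action                  # first matching rule wins
    return "block"                         # implicit default deny

# 1) The poster's first attempt: LAN net -> WAN address instead of -> any.
RULES_WAN_ADDR = {"LAN1": [("pass", "LAN1", "WAN address")]}

# 2) The block-above-allow layout from the second reply.
RULES_BLOCK_FIRST = {
    "LAN1": [("block", "LAN1", "LAN2"), ("block", "LAN1", "LAN3"),
             ("block", "LAN1", "LAN4"), ("pass", "LAN1", "any")],
}

# 3) The alias-negation form from the third reply, on the LAN2 tab.
RULES_NEGATED_ALIAS = {"LAN2": [("pass", "LAN2", "!SubAlias")]}

# 4) The block rule placed on the wrong tab (LAN1) for traffic entering on LAN2.
RULES_WRONG_TAB = {
    "LAN1": [("block", "LAN2", "LAN1"), ("pass", "LAN1", "any")],
    "LAN2": [("pass", "LAN2", "any")],
}
```

Each ruleset reproduces one situation from the thread, so you can see why "-> WAN address" reaches only the firewall's own IP and why a block on the LAN1 tab is never consulted for packets arriving on LAN2.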
