Netgate Discussion Forum
    Setting up a second interface

    Scheduled Pinned Locked Moved General pfSense Questions
    8 Posts 2 Posters 1.4k Views
    tgraytnz

      I run a computer store. We use pfSense as our router; it is bridged to our business-class cable modem. I am wanting to set up a second interface, or second LAN, that has DHCP/DNS and internet access but no access to the main LAN. I have looked for this solution, but have not found anything. I may be using incorrect terminology. Anybody who is willing to help would be much appreciated. Thanks in advance guys.

      Derelict LAYER 8 Netgate

        It's easy.  Add the interface, create firewall rules on opt1 (guest LAN):

        pass source opt1 net * dest ! lan net *

        (The ! lan net means everything but the lan net, achieved with the "Not" checkbox in the firewall rule)

        Or, I kind of like two rules.  I am of the mind that if you want traffic blocked you should explicitly block it:

        block source opt1 net * dest lan net *
        pass source opt1 net * dest any *

        I'd also probably add some per-source/dest ip rate limiting on the opt1 pass rule.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

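An added example (not from the thread or from pfSense itself) that simulates first-match rule evaluation for the two rule styles Derelict describes above, so you can see that the single "Not lan net" pass rule and the explicit block-then-pass pair give the same verdicts, and that anything not matched falls to the default deny. The subnets and test addresses are constructed for illustration.

```python
"""Simulate pfSense first-match ("quick") rule evaluation on the OPT1 (guest) interface.
Added example, not code from the original thread; subnets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example networks (assumptions, not values from the thread).
LAN_NET = ip_network("192.168.1.0/24")
OPT1_NET = ip_network("192.168.50.0/24")  # the guest / second LAN


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    src: object           # ip_network or "any"
    dst: object           # ip_network or "any"
    dst_negate: bool = False  # the "Not" checkbox on the destination field

    def matches(self, src, dst):
        src_ok = self.src == "any" or src in self.src
        dst_in = self.dst == "any" or dst in self.dst
        dst_ok = (not dst_in) if self.dst_negate else dst_in
        return src_ok and dst_ok


def evaluate(rules, src, dst):
    """Rules are evaluated top-down; the first match wins. No match = default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return "block"  # pfSense applies an implicit default deny on every interface


# Style 1: one pass rule whose destination is "Not lan net".
SINGLE_RULE = [Rule("pass", OPT1_NET, LAN_NET, dst_negate=True)]
# Style 2: explicit block to lan net, then pass to anything.
TWO_RULES = [Rule("block", OPT1_NET, LAN_NET), Rule("pass", OPT1_NET, "any")]


def verdicts(rules):
    """Evaluate a few constructed guest-side flows against a rule set."""
    cases = {
        "guest->lan": ("192.168.50.20", "192.168.1.10"),
        "guest->internet": ("192.168.50.20", "203.0.113.5"),
        "wrong-source->internet": ("10.9.9.9", "203.0.113.5"),
    }
    return {name: evaluate(rules, s, d) for name, (s, d) in cases.items()}


if __name__ == "__main__":
    for label, rules in (("single rule", SINGLE_RULE), ("two rules", TWO_RULES)):
        print(label, verdicts(rules))
```

The third case shows why the source is pinned to "opt1 net": a packet arriving on OPT1 with a source outside that subnet matches neither style and is dropped by the default deny.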
        tgraytnz

          Thanks for the help!

          Maybe you can help, I have tried several tutorials to forward ports, still cannot get them open.
          Going through the port forward menu under nat.
          Forward example>
          not disabled
          no rdr not enabled
          interface: wan
          protocol: tcp
          source: not specified
          destination: not specified
          dest port range: from: other ports (alias)
                           to: other ports (alias)
          redirect target ip: alias for server
          redirect target port: other ports (alias)
          description: test ports
          xmlrpc sync not enabled
          nat reflection: system default
          filter rule association: rule "ports" ( associated rule )

          Derelict LAYER 8 Netgate

            @tgraytnz:

            Thanks for the help!

            Maybe you can help, I have tried several tutorials to forward ports, still cannot get them open.
            Going through the port forward menu under nat.
            Forward example>
            not disabled
            no rdr not enabled
            interface: wan
            protocol: tcp
            source: not specified
            destination: not specified
            dest port range: from: other ports (alias)
                             to: other ports (alias)
            redirect target ip: alias for server
            redirect target port: other ports (alias)
            description: test ports
            xmlrpc sync not enabled
            nat reflection: system default
            filter rule association: rule "ports" ( associated rule )

            destination: not specified

            Should probably be WAN Address. I don't see anything else.

            I don't know what your aliases are but the target IP address needs to be on the private network.


            tgraytnz

              @Derelict:

              It's easy.  Add the interface, create firewall rules on opt1 (guest LAN):

              pass source opt1 net * dest ! lan net *

              (The ! lan net means everything but the lan net, achieved with the "Not" checkbox in the firewall rule)

              Or, I kind of like two rules.  I am of the mind that if you want traffic blocked you should explicitly block it:

              block source opt1 net * dest lan net *
              pass source opt1 net * dest any *

              I'd also probably add some per-source/dest ip rate limiting on the opt1 pass rule.

              Having some issues with setting up those rules. Any chance I can get a screenshot?

              Derelict LAYER 8 Netgate

                This is the firewall rule page for my guest VLAN at home.

                [Screenshot attached: Screen Shot 2014-01-23 at 10.05.31 PM.png, the firewall rule page for the guest VLAN]


                tgraytnz

                  @Derelict:

                  This is the firewall rule page for my guest VLAN at home.

                  I'm back. I do have a question: I am having some issues with services on the network. I am able to ping certain IPs and connect to some services and not others.
                  Any ideas?

                  Derelict LAYER 8 Netgate

                    Be sure you're not dealing with software firewalls on the devices (like Windows Firewall, Symantec, etc.).

                    Check the firewall logs to see if subject traffic is being rejected. (Status->System Logs->Firewall)

                    For more than that we'll need more details.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.