Setting up a second interface
- 
 I run a computer store. We use pfSense as our router; it is bridged to our business-class cable modem. I want to set up a second interface, or second LAN, that has DHCP/DNS and internet access but no access to the main LAN. I have looked for this solution but have not found anything. I may be using incorrect terminology. If anybody is willing to help, it would be much appreciated. Thanks in advance, guys. 
- 
 It's easy. Add the interface, create firewall rules on opt1 (guest LAN):
 pass source opt1 net * dest ! lan net *
 (The ! lan net means everything but the lan net, achieved with the "Not" checkbox in the firewall rule)
 Or, I kind of like two rules. I am of the mind that if you want traffic blocked you should explicitly block it:
 block source opt1 net * dest lan net *
 pass source opt1 net * dest any *
 I'd also probably add some per-source/dest IP rate limiting on the opt1 pass rule. 
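 The rule sets in the reply above, modelled as an added illustration that is not part of the original post and is not pfSense code: rules on an interface are checked top-down, the first match decides, and unmatched traffic is blocked. The subnets and probe addresses are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumption, not taken from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("192.168.50.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# A rule is (action, source net, destination net, negate destination).
# "pass source opt1 net dest ! lan net" uses the "Not" checkbox.
ONE_RULE = [("pass", OPT1_NET, LAN_NET, True)]
# Explicit variant: block opt1 -> lan first, then pass opt1 -> any.
TWO_RULES = [
    ("block", OPT1_NET, LAN_NET, False),
    ("pass", OPT1_NET, ANY, False),
]
# Same two rules in the wrong order: the pass rule matches first.
WRONG_ORDER = list(reversed(TWO_RULES))


def evaluate(rules, src, dst):
    """Decide a packet arriving on opt1: first match wins, default block."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for action, src_net, dst_net, negate in rules:
        dst_hit = (dst in dst_net) != negate
        if src in src_net and dst_hit:
            return action
    return "block"


def audit(rules, guest="192.168.50.20"):
    """Probe one LAN host and one internet host from a guest address."""
    probes = {"lan host": "192.168.1.10", "internet": "203.0.113.7"}
    return {name: evaluate(rules, guest, dst) for name, dst in probes.items()}


if __name__ == "__main__":
    for label, rules in [("one rule", ONE_RULE),
                         ("two rules", TWO_RULES),
                         ("wrong order", WRONG_ORDER)]:
        print(f"{label:12} {audit(rules)}")
```

 Both forms isolate the main LAN; the two-rule form only does so while the block rule stays above the pass rule.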
- 
 Thanks for the help! Maybe you can help, I have tried several tutorials to forward ports, still cannot get them open. 
 Going through the port forward menu under nat.
 Forward example:
 not disabled
 no rdr not enabled
 interface: wan
 protocol: tcp
 source: not specified
 destination: not specified
 dest port range: from: other ports(alias)
 to: other ports (alias)
 redirect target ip: alias for server
 redirect target port: others: ports(alias)
 description: test ports
 xmlrpc sync not enabled
 nat reflection: system default
 filter rule association: rule "ports" ( associated rule )
- 
 "destination: not specified"
 Should probably be WAN Address. I don't see anything else. I don't know what your aliases are but the target IP address needs to be on the private network. 
- 
 Having some issues with setting up those rules. Any chance I can get a screenshot? 
- 
 This is the firewall rule page for my guest VLAN at home.  
 
- 
 I'm back. I do have a question: I am having some issues with services on the network. I am able to ping certain IPs and connect to some services and not others. 
 Any ideas?
- 
 Be sure you're not dealing with software firewalls on the devices (like Windows Firewall, Symantec, etc.). Check the firewall logs to see if subject traffic is being rejected. (Status->System Logs->Firewall) For more than that we'll need more details. 
