Netgate Discussion Forum

    Isolating hosts/subnets

    Category: Firewalling
    7 Posts 4 Posters 2.2k Views
    zer0k1ll

      Hi, I have pfSense installed on my Alix 2d13 board.
      vr0 is connected to the LAN port of an ADSL modem/router and is set as the WAN interface (not bridged).
      vr1 is set as my LAN.

      I want to isolate the hosts of my modem/router from the LAN hosts of my pfSense.
      Must I set up VLANs, or must I create some firewall rules?

      Thanks in advance for any help

      doktornotor

        Bridge the DSL thing and make use of the third port on the Alix board, instead of doing a double NAT and similar nonsense. Set up firewall rules accordingly (e.g., allow everything but the LAN2 destination on the LAN1 interface, and vice versa). Done.

        zer0k1ll

          Thank you for your reply. I am new to pfSense and to networking, so is there any tutorial I could use as a guide?

          Thanks in advance

          darnitol

            Google is your friend.

            Here you go, sir:  http://www.overclockers.com/building-pfsense-firewall

            And the bridging-your-DSL-modem part: if you bought your own DSL modem, you may have quite a task, as they tend to be poorly documented and supported; Google will be your best resource for this. If your telco provider supplied the modem, you may have an easy task ahead of you, depending on the experience and knowledge of their tech support department. Give them a call and tell them you would like them to place your DSL modem into bridge mode, and they will do so.

            Some companies don't call it this, or they don't tell their techs about it, so you may need to explain that you need the modem to be transparent to your firewall so that you can set your "computer" to perform the PPPoE authentication. Don't mention router or firewall.

            You will benefit greatly from initially connecting with a PC configured to do the PPPoE connection, just so that you and the support rep can work together more effectively (they have never heard of pfSense) and you can make certain the connection works before connecting your pfSense. Then, if it doesn't work, you know the problem isn't your DSL provider or your DSL modem. Your PC should receive a public IP address and you should be able to surf the Internet. Don't leave it connected like this for long unless you REALLY trust your computer's firewall.

            zer0k1ll

              Thank you very much for your time.

              I am not sure about the bridging. I prefer to leave the modem/router in place in order to serve other hosts that I want to isolate.

              I will read the tutorial in the link. Thanks

              darnitol

                Be careful chaining routers: you may end up with a problem called double NAT. This occurs when a host must communicate across two links that involve IP address changes (translations); it breaks some web services and VPNs. It can also result in poor performance.

                johnpoz (Global Moderator)

                  OK, it does not matter whether you bridge your modem or not, but I would highly suggest you bridge it so you're not double-NATting. pfSense (WAN) would have your public IP. It just makes it easier to understand and work with, and performance and stability are better when you're not double-NATting.

                  But it can work: you just put your pfSense WAN IP into a DMZ on your modem's LAN network, and make sure it's not overlapping any of the networks you're using as pfSense LANs.

                  If you connect devices other than pfSense to your "modem's" LAN network, then for them to create sessions to devices on pfSense you have to create port forwards (NATs) from the pfSense WAN to the LAN segment you want to forward to. And to access those devices you would have to use the pfSense WAN IP.

                  An easier, better solution is to put ALL devices on one of the pfSense LAN segments. In the attached example, leverage the 3rd NIC in your Alix board to create your second LAN. Now you have 192.168.1.0/24 and 192.168.2.0/24, and you can allow or block whatever traffic you want between these segments with simple pfSense firewall rules, and no NATting will be happening between them. Only when these devices go to the Internet (pfSense WAN) will they be NATted.

                  It's rarely a good idea to double NAT, and it should be avoided whenever possible.

                  Attachment: multilan1.jpg (two-LAN example)


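The two-LAN layout that doktornotor and johnpoz describe above, worked through as an added example (this is not code from the thread or from pfSense): a small Python model of pfSense's per-interface, first-match rule evaluation, plus a rendering of the same rules as the pf.conf lines pfSense generates. It assumes vr0 is WAN, vr1 is LAN1 (192.168.1.0/24) and vr2, the Alix's third port, is LAN2 (192.168.2.0/24); those interface assignments are my assumption, not something the thread states.

```python
"""Model of pfSense per-interface rule evaluation for a two-LAN layout.

Added example, not pfSense code. Assumed (not stated in the thread):
    vr0 = WAN, vr1 = LAN1 (192.168.1.0/24), vr2 = LAN2 (192.168.2.0/24).
Modelled behaviour, which matches pfSense: rules are attached to the
interface a packet ENTERS, are evaluated top to bottom, the first match
wins (every GUI rule becomes a pf 'quick' rule), and anything that
matches no rule is dropped by the implicit default deny.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LAN1 = ip_network("192.168.1.0/24")
LAN2 = ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Rule:
    iface: str            # interface the rule is attached to (ingress side)
    action: str           # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    descr: str = ""


def evaluate(rules, iface, src, dst):
    """Return 'pass' or 'block' for a packet from src to dst entering iface."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.iface == iface and s in r.src and d in r.dst:
            return r.action           # first match wins ('quick')
    return "block"                    # implicit default deny


def isolated_rules():
    """doktornotor's rule set: on each LAN, block the other LAN as a
    destination, then allow everything else (Internet via WAN).
    The block rule must sit ABOVE the catch-all pass rule."""
    return [
        Rule("vr1", "block", LAN1, LAN2, "LAN1 -> LAN2 denied"),
        Rule("vr1", "pass",  LAN1, ANY,  "LAN1 -> anything else"),
        Rule("vr2", "block", LAN2, LAN1, "LAN2 -> LAN1 denied"),
        Rule("vr2", "pass",  LAN2, ANY,  "LAN2 -> anything else"),
    ]


def misordered_rules():
    """Same four rules with the pass rule first on each interface: the
    block rule is never reached, so the LANs are NOT isolated."""
    r = isolated_rules()
    return [r[1], r[0], r[3], r[2]]


def to_pf(rules):
    """Render the rules roughly as the pf.conf lines pfSense generates
    (one 'quick' rule per GUI rule; pass rules keep state so replies
    to allowed connections need no rule of their own)."""
    def net(n):
        return "any" if n == ANY else str(n)

    out = []
    for r in rules:
        line = f"{r.action} in quick on {r.iface} inet from {net(r.src)} to {net(r.dst)}"
        if r.action == "pass":
            line += " keep state"
        if r.descr:
            line += f"  # {r.descr}"
        out.append(line)
    return out


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.5 is a documentation address.
    checks = [
        ("vr1", "192.168.1.10", "192.168.2.10"),   # LAN1 -> LAN2
        ("vr1", "192.168.1.10", "203.0.113.5"),    # LAN1 -> Internet
        ("vr2", "192.168.2.10", "192.168.1.10"),   # LAN2 -> LAN1
        ("vr0", "203.0.113.5", "192.168.1.10"),    # unsolicited from WAN
    ]
    for name, rules in (("correct order", isolated_rules()),
                        ("pass rule first", misordered_rules())):
        print(f"== {name} ==")
        for iface, s, d in checks:
            print(f"  {iface} {s} -> {d}: {evaluate(rules, iface, s, d)}")
    print("\n".join(to_pf(isolated_rules())))
```

Two points the model makes concrete: pfSense evaluates a packet only on the interface it enters, so LAN1's block goes on the LAN1 tab and LAN2's on the LAN2 tab (doktornotor's "and vice versa"); and because evaluation stops at the first match, a "block the other LAN" rule placed below the default "allow LAN to any" rule does nothing, which is the most common way this setup silently fails to isolate anything. Unsolicited traffic arriving on WAN matches no rule and is dropped, as johnpoz says, unless a port forward is added.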
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.