Netgate Discussion Forum

    Secondary network on same machine, same wan

    4 Posts 3 Posters 801 Views
    thisis789

      So I already have my pfSense box running my network, and that was one of the best network decisions I've made in a while, but there is one thing I need to do and I don't know how to do it.

      I have my entire network on it, which involves a file server and a domain server and all the other computers; this is not the issue. I often work on other people's computers that are caked with viruses, and I have to connect them to the internet to get updates and whatnot. But I always worry when I connect them to my internal network, for it could spread malicious things to the rest of the machines.

      My machine has an extra LAN card with two different ports on it (I think it's like an Intel PRO/1000 PL). I want to create a separate network using this, but it has to do the following:

      1. Be completely separated from the rest of my network.
      2. I want to limit the WAN speed of it, because I might also put an AP on it and use it as a guest network.

      phil.davis

        Interfaces->Assign and "+". Select the NIC you want for OPT1.
        Interfaces->OPT1, enable, give it a private static IP in some other bit of private IP address space.
        Services->DHCP - enable some DHCP on OPT1.

        There are a few approaches to the rules. Here is one way:

        • Make an alias that contains all the RFC1918 private address space, or at least all that you are going to use.
        • Add a rule on OPT1, pass protocol all, source OPT1net, destination !RFC1918.

        Now OPT1 clients can get out to public IPs, but not to anything private, i.e. not to your LAN, the webGUI on OPT1address or any other private IP nets you might create in future.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        rubic

          @phil.davis:

          Add a rule on OPT1, pass protocol all, source OPT1net, destination !RFC1918

          Now OPT1 clients can get out to public IPs, but not to anything private, i.e. not to your LAN, the webGUI on OPT1address or any other private IP nets you might create in future.

          But with this rule they can get to the webGUI on the pfSense WAN address from OPT1net.

          phil.davis

            Yes, true, that is the 1 public IP you want to block them from. Put a block rule on OPT1 at the top - block source any, destination WAN address.


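To show why the block rule for the WAN address has to sit above the pass rule, here is an added example (not from the thread or from pfSense itself) that simulates pfSense's top-down, first-match evaluation of the OPT1 ruleset over a few constructed addresses; the subnets, the WAN address (203.0.113.10) and the public test address are assumptions in documentation ranges.

```python
import ipaddress

# Constructed addressing for the example (not from the thread):
# OPT1 = 192.168.50.0/24 with pfSense at .1, LAN = 192.168.1.0/24,
# WAN address = 203.0.113.10, a public destination = 198.51.100.7.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OPT1NET = ipaddress.ip_network("192.168.50.0/24")
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")


def in_alias(addr, alias):
    """True if addr falls inside any network of the alias (the RFC1918 alias here)."""
    return any(addr in net for net in alias)


def opt1_rules(wan_block):
    """Build the OPT1 ruleset; wan_block is 'none', 'top' or 'bottom'."""
    # Rule from the thread: pass protocol all, source OPT1net, destination !RFC1918.
    pass_rule = ("pass", lambda s, d: s in OPT1NET and not in_alias(d, RFC1918))
    # Follow-up rule: block source any, destination WAN address.
    block_rule = ("block", lambda s, d: d == WAN_ADDRESS)
    if wan_block == "top":
        return [block_rule, pass_rule]
    if wan_block == "bottom":
        return [pass_rule, block_rule]
    return [pass_rule]


def evaluate(rules, src, dst):
    """pfSense interface rules are evaluated top-down; the first match wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, match in rules:
        if match(src, dst):
            return action
    return "block"  # implicit default deny when nothing matches


def verdicts(wan_block):
    """Verdicts for an OPT1 client (192.168.50.20) reaching each kind of destination."""
    rules = opt1_rules(wan_block)
    src = "192.168.50.20"
    return {
        "public": evaluate(rules, src, "198.51.100.7"),   # internet: allowed
        "lan": evaluate(rules, src, "192.168.1.10"),      # LAN host: private, blocked
        "opt1_gui": evaluate(rules, src, "192.168.50.1"), # webGUI on OPT1 address: blocked
        "wan_gui": evaluate(rules, src, "203.0.113.10"),  # webGUI on WAN address
    }
```

With `wan_block="none"` or `"bottom"` the WAN address is still reachable, because the pass rule matches first; only `"top"` closes that hole while leaving public destinations open.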
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.