Secondary network on same machine, same wan



  • so i already have my pfsense box running my network and that was one of the best network decision i've made in a while, but there is one thing i need to do and i don't know how to do it.

    i have my entire network on it which involves files server and a domain server and all the other computers, this is not the issue, i often work on other peoples computer that a are caked with viruses and i have to connect them to the internet to get updates and what not. but i always worry when i connect tit to my internal network for it could spread malicious things to the rest of the machines.

    my machine has an extra lan card with two different ports on it (i think its like an intel pro1000 pl) i want to create a separate network using this but i had to do the following

    1. be completely separated from the rest of my network
    2. i want to limit the wan speed of it, because i might also put an AP on it and use it as a guest network



  • Interfaces->Assign and "+". Select the NIC you want for OPT1.
    Interfaces->OPT1, enable, give it a private staic IP in some other bit of private IP address space.
    Services->DHCP - enable some DHCP on OPT1

    There are a few approaches to the rules. Here is one way:

    • Make an alias that contains all the RFC1918 private address space, or at least all that you are going to use.
      Add a rule on OPT1, pass protocol all, source OPT1net, destination !RFC1918

    Now OPT1 clients can get out to public IPs, but not to anything private, i.e. not to your LAN, the webGUI on OPT1address or any other private IP nets you might create in future.



  • @phil.davis:

    Add a rule on OPT1, pass protocol all, source OPT1net, destination !RFC1918

    Now OPT1 clients can get out to public IPs, but not to anything private, i.e. not to your LAN, the webGUI on OPT1address or any other private IP nets you might create in future.

    But with this rule they can get to the webGUI on pfSense WAN address from OPT1net))



  • Yes, true, that is the 1 public IP you want to block them from. Put a block rule on OPT1 at the top - block source any, destination WAN address.


Log in to reply