LAN 2 firewall rules to block internet



  • Hi Guys,
    on my LAN2 I want to block all outgoing traffic and allow just HTTP and HTTPS.
    I've created one rule to block all traffic,
    and I've created two rules to allow HTTP and HTTPS, but the client still can't browse the internet.
    Any suggestions how to do this for a best configuration?



  • Rebel Alliance

    You need to allow TCP/UDP port 53 for DNS resolution ;)

    Also, the first rule blocks everything, and the rules below it are useless (they never apply).

    If that is an "OPT" interface, delete the first rule and add only the needed "pass" rules… On interfaces other than LAN all traffic is "blocked" by default, so you only need the "allow" rules.
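    The two points in this reply (first match wins, and DNS has to be allowed too) can be checked with a small rule-evaluation model. The following is an added example written for this thread, not code from the original posts or from pfSense; the Rule/Packet classes, the rule lists and the sample packets are all constructed for illustration and mirror the rule sets described above (an explicit block first, pass rules only, pass rules plus DNS).

```python
"""First-match simulation of per-interface firewall rules, in the style of
pfSense. Added example for this thread; the data structures and sample
rule sets below are constructed, not taken from pfSense or the original post."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every constraint it carries is satisfied."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """Walk the rule list top-down; the first matching rule decides.

    pfSense adds "quick" to interface rules, so later rules are never
    consulted once one matches. Traffic matching no rule hits the implicit
    default deny of a non-LAN (OPT/WAN) interface."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed sample traffic: what a client needs for ordinary web browsing,
# plus one unrelated flow (SMTP) that should stay blocked.
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "dns_udp": Packet("udp", 53),
    "dns_tcp": Packet("tcp", 53),
    "http": Packet("tcp", 80),
    "https": Packet("tcp", 443),
    "smtp": Packet("tcp", 25),
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for every sample packet under the given rule list."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


def browsing_works(rules: List[Rule]) -> bool:
    """Browsing needs name resolution as well as HTTP and HTTPS."""
    v = verdicts(rules)
    return v["dns_udp"] == "pass" and v["http"] == "pass" and v["https"] == "pass"


# The poster's original ordering: an explicit block-all rule on top.
ORIGINAL_ORDER = [Rule("block"), Rule("pass", "tcp", 80), Rule("pass", "tcp", 443)]

# Block rule removed, relying on the OPT interface's default deny; DNS still missing.
PASS_ONLY = [Rule("pass", "tcp", 80), Rule("pass", "tcp", 443)]

# The suggested fix: pass rules only, with TCP/UDP 53 added.
WITH_DNS = [
    Rule("pass", "udp", 53),
    Rule("pass", "tcp", 53),
    Rule("pass", "tcp", 80),
    Rule("pass", "tcp", 443),
]

if __name__ == "__main__":
    for label, rules in [("original order", ORIGINAL_ORDER),
                         ("pass only", PASS_ONLY),
                         ("pass + DNS", WITH_DNS)]:
        print(f"{label:15} {verdicts(rules)} browsing works: {browsing_works(rules)}")
```

    Running it shows the first rule set blocking everything (the pass rules are shadowed), the second passing HTTP/HTTPS but still failing because port 53 is denied, and the third working while unrelated traffic such as SMTP is still dropped by the default deny.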



  • ptt, you are the man, thanks

    Attached are the rules; I've added port 123 and the ICMP protocol to try the connections :)

    When you said OPT interface, what did you mean? If it connects to a wire?
    pfSense is virtual on ESXi 5.5



  • Rebel Alliance

    Let's say that in your pfSense you have 3 interfaces; you will have WAN, LAN and OPT….. ;)

    In a "default" pfSense install, all inbound traffic for WAN and OPT type interfaces is blocked by default. Only the LAN interface has the "Allow LAN to ANY" rule by default... and the "Anti-Lockout Rule".

    https://doc.pfsense.org/index.php/Category:Firewall_Rules



  • @ptt:

    Let's say that in your pfSense you have 3 interfaces; you will have WAN, LAN and OPT….. ;)

    In a "default" pfSense install, all inbound traffic for WAN and OPT type interfaces is blocked by default. Only the LAN interface has the "Allow LAN to ANY" rule by default... and the "Anti-Lockout Rule".

    Thanks mate :)
    The 3rd interface is OPT :),
    Can I add the Anti-Lockout rule to the OPT interface?
    Can I block access to the pfSense GUI so it will be available only when you specify the port number?
    Like when a user types http://192.168.1.1 the page won't load; the page will be available only when you specify https and the port ( https://192.168.1.1:90000 ).
    On System: Advanced: Admin Access I specify the port number and protocol only HTTPS, but when I put the IP 192.168.1.1 in IE it comes up with the HTTPS warning and login page.


  • Rebel Alliance

    You need to Disable the "webConfigurator redirect rule"

    WebGUI redirect:

    When this is unchecked, access to the webConfigurator is always permitted even on port 80, regardless of the listening port configured. Check this box to disable this automatically added redirect rule.

