Netgate Discussion Forum

    How to block webgui from wifi client?

      gjaltemba

      Setup

      modem–router (192.168.1.1) --pfsense (wan=192.168.1.10 lan=192.168.3.1) --opt1(192.168.4.1) --wifi client(192.168.4.10)

      Rules
      wan accept any
      lan accept any
      opt1 block dest 192.168.0.0/24
      opt1 accept any

      I want to access webgui from 192.168.1.0/24. With this setup my wifi client is able to access 192.168.1.0/24. How do I limit access to allow only internet traffic?

        viragomann

        opt1 block dest 192.168.0.0/24

        With this setup my wifi client is able to access 192.168.1.0/24

        So block the correct subnet!

        Add an allow rule on OPT1:

        
        ID   Proto   Source   Port   Destination        Port   Gateway   Queue   Schedule   Description
             *       *        *      !192.168.1.0/24    *      *         none
        
        

        And it will be done.

          gjaltemba

          Thank you for your help. There is a typo; my block rule is 192.168.0.0/16. Sorry for the confusion.

          I did add the block rule 192.168.1.0/24 as you suggested and again it did not produce the expected result.

          What I left out in the details is that I have Squid proxy on OPT1 and it turns out that is the source of the problem. Strange thing is webgui via lan port is blocked for wifi clients as expected. Any ideas?

            viragomann

            I have to be sorry also. In my rule there is also a typo.

            The rule I suggested should allow all traffic on OPT1 except with destination to your LAN net. So you have to use your LAN net there, 192.168.3.0/24 instead of 192.168.1.0/24.
            Note: Enter LAN net at destination and check "not" above to invert this.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
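Added example, not part of the thread: a small Python model of first-match rule evaluation on OPT1, run against the three rule sets mentioned in the posts, to check which destinations a wifi client can reach under each. The rule-set names, destination labels and the 203.0.113.10 "internet" host are constructed for illustration; the model assumes top-down first-match evaluation with an implicit default block, and covers only the interface rules, not traffic relayed by Squid.

```python
from ipaddress import ip_address, ip_network

# A rule is (action, destination network or None for "any", invert).
# invert=True models the "not" checkbox on the destination field.
AS_FIRST_POSTED = [("block", "192.168.0.0/24", False), ("pass", None, False)]
BLOCK_ALL_PRIVATE = [("block", "192.168.0.0/16", False), ("pass", None, False)]
PASS_NOT_LAN = [("pass", "192.168.3.0/24", True)]

# Addresses from the setup in the first post, plus one constructed
# documentation-range address standing in for an internet host.
DESTINATIONS = {
    "modem_router": "192.168.1.1",
    "pfsense_lan": "192.168.3.1",
    "pfsense_opt1": "192.168.4.1",
    "internet": "203.0.113.10",
}


def evaluate(rules, dst):
    """Return the action of the first rule matching dst, else 'block'."""
    addr = ip_address(dst)
    for action, net, invert in rules:
        inside = net is None or addr in ip_network(net)
        if inside != invert:  # an inverted rule matches when dst is outside net
            return action
    return "block"  # nothing matched: implicit default deny


def audit(rules):
    """Evaluate every sample destination against one OPT1 rule set."""
    return {name: evaluate(rules, ip) for name, ip in DESTINATIONS.items()}


if __name__ == "__main__":
    for label, rules in [
        ("block 192.168.0.0/24, pass any", AS_FIRST_POSTED),
        ("block 192.168.0.0/16, pass any", BLOCK_ALL_PRIVATE),
        ("pass !192.168.3.0/24", PASS_NOT_LAN),
    ]:
        print(label)
        for name, verdict in audit(rules).items():
            print(f"  {name:13} {DESTINATIONS[name]:15} {verdict}")
```

Running the same check against an exported rule list before applying it shows at a glance whether a subnet mask or an inverted match leaves a management address reachable from the wifi segment.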