    [resolved] Default block physically separate LANs

    Firewalling
    • O
      openletter last edited by

      I have set up interfaces WAN, LAN1, and LAN2.

      I want to block LAN2 from accessing LAN1, except for a few ports on specific devices.

      What is the best way to do this?

      • D
        divsys last edited by

        A fresh install of pfsense will automatically block everything between LAN1 and LAN2.

        If you want to allow traffic for ports and devices, you have to add rules to that effect.

        If you're more specific about what you're trying to achieve, or after you've tried some things yourself, we can give you more pointers.

        • O
          openletter last edited by

          When I initially installed pfSense, LAN1 was called LAN and LAN2 was called OPT1 and was disabled. I enabled OPT1 and changed its name to LAN2.

          I made two rules for LAN2 that were basically copies of two of the default rules for LAN1: 'Default allow LAN to any rule' and 'Default allow LAN IPv6 to any rule'. The only thing I changed in the rules for LAN2 was changing the source to LAN2 net.

          I'm not sure what I did differently in the install that would have changed the default settings.

          • O
            openletter last edited by

            I created the following rule on LAN1 and placed it as the second rule (under Anti-Lockout Rule), but it had no effect:

            Action: Block
            Interface: LAN1
            TCP/IP Version: IPv4
            Protocol: any
            Source: LAN2 net
            Destination: LAN1 net

            • C
              Cmellons last edited by

              "If you want to allow traffic for ports and devices, you have to add rules to that effect." Just adding to this.

              and this **"I created the following rule on LAN1 and placed it as the second rule (under Anti-Lockout Rule), but it had no effect:

              Action: Block
              Interface: LAN1
              TCP/IP Version: IPv4
              Protocol: any
              Source: LAN2 net
              Destination: LAN1 net"**

              Most of us would disable the anti-lockout rule and just add our own allow rules. I don't have even one block rule on the LAN. But I have also made it so that only the ports that I allow can access the internet. In some cases I even have it so that they are only going to specific IP addresses.

              see if this helps:

              https://doc.pfsense.org/index.php/Example_basic_configuration

              • V
                viragomann last edited by

                I created the following rule on LAN1 and placed it as the second rule (under Anti-Lockout Rule), but it had no effect:

                Action: Block
                Interface: LAN1
                TCP/IP Version: IPv4
                Protocol: any
                Source: LAN2 net
                Destination: LAN1 net

                If this rule should block packets coming from hosts on LAN2 (Source: LAN2 net), you have to select LAN2 as the interface (Choose on which interface packets must come in to match this rule.).

                Instead of this additional block rule, you could also modify the "allow to any" rule to allow packets to anywhere but the other LAN. E.g. for LAN2 interface select at destination "not" and at type select "LAN1 net".

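The interface point made in the reply above, as an added example that is not part of the original thread: a small Python simulation of pfSense-style first-match rule evaluation on the inbound interface. The subnets, host addresses and the `Rule` class are constructed for illustration; it shows why the block rule placed on LAN1 never sees LAN2's traffic, and that both suggested fixes (the block rule on LAN2, or a pass rule with destination "not LAN1 net") stop LAN2 reaching LAN1 while leaving LAN2's internet access intact.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example subnets; the thread gives no addresses.
NETS = {
    "LAN1 net": ipaddress.ip_network("192.168.1.0/24"),
    "LAN2 net": ipaddress.ip_network("192.168.2.0/24"),
}

@dataclass
class Rule:
    interface: str            # matches only packets ENTERING this interface
    action: str               # "pass" or "block"
    src: str = "any"
    dst: str = "any"
    dst_negate: bool = False  # the GUI's destination "not" checkbox

def _match(selector, addr):
    return selector == "any" or addr in NETS[selector]

def evaluate(rules, in_iface, src_ip, dst_ip):
    """First-match evaluation on the inbound interface; unmatched = deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.interface != in_iface:   # rule on another interface never sees it
            continue
        dst_hit = _match(r.dst, dst) != r.dst_negate   # "not" inverts the match
        if _match(r.src, src) and dst_hit:
            return r.action
    return "block"

# Poster's original attempt: block rule placed on LAN1, allow-any on LAN2.
ORIGINAL = [
    Rule("LAN1", "block", src="LAN2 net", dst="LAN1 net"),
    Rule("LAN2", "pass", src="LAN2 net"),
]
# Fix 1: the same block rule, but on LAN2 where the packets actually enter.
FIXED_BLOCK = [
    Rule("LAN2", "block", src="LAN2 net", dst="LAN1 net"),
    Rule("LAN2", "pass", src="LAN2 net"),
]
# Fix 2: one pass rule with destination "not LAN1 net".
FIXED_NEGATE = [Rule("LAN2", "pass", src="LAN2 net", dst="LAN1 net", dst_negate=True)]

def lan2_to_lan1(rules):      # constructed hosts in each subnet
    return evaluate(rules, "LAN2", "192.168.2.10", "192.168.1.20")

def lan2_to_internet(rules):  # TEST-NET-3 address as a stand-in for the internet
    return evaluate(rules, "LAN2", "192.168.2.10", "203.0.113.5")
```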
                • O
                  openletter last edited by

                  @viragomann:

                  I created the following rule on LAN1 and placed it as the second rule (under Anti-Lockout Rule), but it had no effect:

                  Action: Block
                  Interface: LAN1
                  TCP/IP Version: IPv4
                  Protocol: any
                  Source: LAN2 net
                  Destination: LAN1 net

                  If this rule should block packets coming from hosts on LAN2 (Source: LAN2 net), you have to select LAN2 as the interface (Choose on which interface packets must come in to match this rule.).

                  Instead of this additional block rule, you could also modify the "allow to any" rule to allow packets to anywhere but the other LAN. E.g. for LAN2 interface select at destination "not" and at type select "LAN1 net".

                  lol, this was a concept that I was just totally missing. I was thinking of things completely backwards. Thanks.

                  © 2021 Rubicon Communications, LLC | Privacy Policy