[resolved] Default block physically separate LANs



  • I have set up interfaces WAN, LAN1, and LAN2.

    I want to block LAN2 from accessing LAN1, except for a few ports on specific devices.

    What is the best way to do this?



  • A fresh install of pfSense will automatically block everything between LAN1 and LAN2.

    If you want to allow traffic for ports and devices, you have to add rules to that effect.

    If you're more specific about what you're trying to achieve, or after you've tried some things yourself, we can give you more pointers.



  • When I initially installed pfSense, LAN1 was called LAN and LAN2 was called OPT1 and was disabled. I enabled OPT1 and changed its name to LAN2.

    I made two rules for LAN2 that were basically copies of two of the default rules for LAN1: 'Default allow LAN to any rule' and 'Default allow LAN IPv6 to any rule'. The only thing I changed in the rules for LAN2 was changing the source to LAN2 net.

    I'm not sure what I did differently in the install that would have changed the default settings.



  • I created the following rule on LAN1 and placed it as the second rule (under Anti-Lockout Rule), but it had no effect:

    Action: Block
    Interface: LAN1
    TCP/IP Version: IPv4
    Protocol: any
    Source: LAN2 net
    Destination: LAN1 net



  • "If you want to allow traffic for ports and devices, you have to add rules to that effect." Just adding to this.

    and this **"I created the following rule on LAN1 and placed it as the second rule (under Anti-Lockout Rule), but it had no effect:

    Action: Block
    Interface: LAN1
    TCP/IP Version: IPv4
    Protocol: any
    Source: LAN2 net
    Destination: LAN1 net"**

    Most of us would disable the anti-lockout rule and just add our own allow rules. I don't have even one block rule on the LAN. But I have also made it so that only the ports that I allow can access the internet. In some cases I even have it so that they are only going to specific IP addresses.

    See if this helps:

    https://doc.pfsense.org/index.php/Example_basic_configuration



  • I created the following rule on LAN1 and placed it as the second rule (under Anti-Lockout Rule), but it had no effect:

    Action: Block
    Interface: LAN1
    TCP/IP Version: IPv4
    Protocol: any
    Source: LAN2 net
    Destination: LAN1 net

    If this rule should block packets coming from hosts on LAN2 (Source: LAN2 net), you have to select LAN2 as the interface ("Choose on which interface packets must come in to match this rule.").

    Instead of this additional block rule, you could also modify the "allow to any" rule to allow packets to anywhere but the other LAN. E.g. for the LAN2 interface, select "not" at destination and select "LAN1 net" as the type.
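    The interface point above, as an added example that is not from the thread or from pfSense itself: a small Python model of how pfSense interface-tab rules are evaluated (rules on an interface tab only see packets entering on that interface, the first matching rule wins, and a packet that matches nothing falls through to the default deny). The 192.168.1.0/24 and 192.168.2.0/24 networks, the two hosts and the SSH port are assumptions chosen for illustration. It runs the original poster's block rule placed on the LAN1 tab against traffic from LAN2 to show why it never fires, then the two rules on the LAN2 tab (a specific allow above a pass-to-"not LAN1 net" rule) that achieve the goal stated at the top of the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example networks (assumptions, not from the thread).
NETS = {
    "LAN1 net": ipaddress.ip_network("192.168.1.0/24"),
    "LAN2 net": ipaddress.ip_network("192.168.2.0/24"),
}


@dataclass
class Packet:
    iface_in: str            # interface the packet arrives on
    proto: str               # "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str              # "pass" or "block"
    interface: str           # the interface tab the rule lives on
    src: str                 # "LAN1 net", "LAN2 net", a host IP, or "any"
    dst: str
    proto: str = "any"
    dport: Optional[int] = None
    dst_not: bool = False    # the "not" (invert match) checkbox on destination


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if spec in NETS:
        return addr in NETS[spec]
    return addr == ipaddress.ip_address(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    # Interface-tab rules are evaluated only for packets *entering* on that
    # interface; this is the detail the original block rule missed.
    if rule.interface != pkt.iface_in:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not _addr_match(rule.src, pkt.src):
        return False
    dst_ok = _addr_match(rule.dst, pkt.dst)
    if rule.dst_not:
        dst_ok = not dst_ok
    if not dst_ok:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> str:
    """First matching rule wins; no match falls through to the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# The poster's attempt: block rule on the LAN1 tab, plus the copied
# "Default allow LAN to any" rule on LAN2.
OP_ATTEMPT = [
    Rule("block", "LAN1", "LAN2 net", "LAN1 net"),   # wrong tab: LAN2 hosts never enter on LAN1
    Rule("pass", "LAN2", "LAN2 net", "any"),
]

# Rules on the LAN2 tab: the specific exception first, then allow everything
# that is not LAN1 net. Anything else from LAN2 to LAN1 hits the default deny.
FIXED = [
    Rule("pass", "LAN2", "192.168.2.10", "192.168.1.20", proto="tcp", dport=22),  # assumed host/port
    Rule("pass", "LAN2", "LAN2 net", "LAN1 net", dst_not=True),
]

# Constructed sample traffic, all entering on LAN2.
PKT_SSH = Packet("LAN2", "tcp", "192.168.2.10", "192.168.1.20", 22)
PKT_HTTP = Packet("LAN2", "tcp", "192.168.2.10", "192.168.1.20", 80)
PKT_INET = Packet("LAN2", "tcp", "192.168.2.50", "203.0.113.7", 443)


def demo() -> dict:
    return {
        "op_attempt": [evaluate(OP_ATTEMPT, p) for p in (PKT_SSH, PKT_HTTP, PKT_INET)],
        "fixed": [evaluate(FIXED, p) for p in (PKT_SSH, PKT_HTTP, PKT_INET)],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, dict(zip(("ssh", "http", "internet"), verdicts)))
```

    With the poster's layout every packet from LAN2 is passed, because the LAN2 allow rule is the first and only rule that can match traffic entering on LAN2; with the rules on the LAN2 tab, SSH to the one permitted host and general internet traffic pass, and any other LAN2-to-LAN1 packet is dropped by the default deny. The model ignores state (reply traffic for a passed connection is handled by the state table, not by a rule on LAN1) and floating rules, which is enough to show the ingress-interface point.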



  • @viragomann:

    I created the following rule on LAN1 and placed it as the second rule (under Anti-Lockout Rule), but it had no effect:

    Action: Block
    Interface: LAN1
    TCP/IP Version: IPv4
    Protocol: any
    Source: LAN2 net
    Destination: LAN1 net

    If this rule should block packets coming from hosts on LAN2 (Source: LAN2 net), you have to select LAN2 as the interface ("Choose on which interface packets must come in to match this rule.").

    Instead of this additional block rule, you could also modify the "allow to any" rule to allow packets to anywhere but the other LAN. E.g. for the LAN2 interface, select "not" at destination and select "LAN1 net" as the type.

    Lol, this was a concept that I was just totally missing. I was thinking of things completely backwards. Thanks.

