[resolved] Default block physically separate LANs

openletter:

I have set up interfaces WAN, LAN1, and LAN2.

I want to block LAN2 from accessing LAN1, except for a few ports on specific devices.

What is the best way to do this?

pfSense 2.4.3-RELEASE (amd64) installed to PC on Samsung 860 EVO mSATA 256 GB SSD with Supermicro X11SBA-LN4F, Intel Pentium N3700, 4 GB RAM, 4 mobo 10/100/1000, 1 PCIe 10/100/1000 x4 NIC (HP NC364T), and APC Smart-UPS SMT1500.

divsys:

A fresh install of pfSense will automatically block everything between LAN1 and LAN2.

If you want to allow traffic for ports and devices, you have to add rules to that effect.

If you're more specific about what you're trying to achieve, or after you've tried some things yourself, we can give you more pointers.

-jfp

openletter:

When I initially installed pfSense, LAN1 was called LAN and LAN2 was called OPT1 and was disabled. I enabled OPT1 and changed its name to LAN2.

I made two rules for LAN2 that were basically copies of two of the default rules for LAN1: 'Default allow LAN to any rule' and 'Default allow LAN IPv6 to any rule'. The only thing I changed in the rules for LAN2 was changing the source to LAN2 net.

I'm not sure what I did differently in the install that would have changed the default settings.

openletter:

I created the following rule on LAN1 and placed it as the second rule (under Anti-Lockout Rule), but it had no effect:

Action: Block
Interface: LAN1
TCP/IP Version: IPv4
Protocol: any
Source: LAN2 net
Destination: LAN1 net

Cmellons:

"If you want to allow traffic for ports and devices, you have to add rules to that effect." Just adding to this.

And this: "I created the following rule on LAN1 and placed it as the second rule (under Anti-Lockout Rule), but it had no effect:

Action: Block
Interface: LAN1
TCP/IP Version: IPv4
Protocol: any
Source: LAN2 net
Destination: LAN1 net"

Most of us would disable the anti-lockout rule and just add our own allow rules. I don't have even one block rule on the LAN. But I have also made it so that only the ports that I allow can access the internet. In some cases I even have it so that they are only going to specific IP addresses.

See if this helps:

https://doc.pfsense.org/index.php/Example_basic_configuration

viragomann:

@openletter:

I created the following rule on LAN1 and placed it as the second rule (under Anti-Lockout Rule), but it had no effect:

Action: Block
Interface: LAN1
TCP/IP Version: IPv4
Protocol: any
Source: LAN2 net
Destination: LAN1 net

If this rule should block packets coming from hosts on LAN2 (Source: LAN2 net), you have to select LAN2 as the interface ("Choose on which interface packets must come in to match this rule.").

Instead of this additional block rule, you could also modify the "allow to any" rule to allow packets to anywhere but the other LAN. E.g. on the LAN2 interface, select "not" at destination and "LAN1 net" as the type.

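The two points in the reply above (a rule only sees packets entering the interface it is bound to, and pfSense marks every GUI rule "quick", so the first match wins) decide why the LAN1-bound block did nothing and why both fixes work. The following is an added example, not pfSense code: a small model of that evaluation, run over the poster's original rule, the two corrected rule sets, and a misordered variant. Interface names, networks, the allowed host 192.168.1.10 and ports 22/443 are assumptions chosen for illustration.

```python
# Added example (not pfSense code): a model of how pf, and therefore pfSense,
# evaluates firewall rules.  Two properties matter for the thread's question:
# a rule only sees packets ENTERING the interface it is bound to, and pfSense
# makes every GUI rule "quick", so the first match wins.
# Interface names, networks and host addresses below are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed addressing for the LAN1/LAN2 topology in the thread.
NETS = {
    "LAN1 net": ip_network("192.168.1.0/24"),
    "LAN2 net": ip_network("192.168.2.0/24"),
}

@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet ARRIVES on
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    iface: str            # interface the rule is bound to (ingress)
    src: str = "any"      # "any", an alias from NETS, or a host address
    dst: str = "any"
    dst_not: bool = False # the GUI's "Invert match" checkbox on destination
    proto: str = "any"
    dports: Tuple[int, ...] = ()  # empty tuple = any port

def _to_net(name: str):
    if name == "any":
        return ip_network("0.0.0.0/0")
    if name in NETS:
        return NETS[name]
    return ip_network(name)       # a single host becomes a /32

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != pkt.iface:
        return False              # bound to another interface: never consulted
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in _to_net(rule.src):
        return False
    dst_hit = ip_address(pkt.dst) in _to_net(rule.dst)
    if dst_hit == rule.dst_not:   # invert the destination test if requested
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    return True

def evaluate(rules, pkt: Packet) -> str:
    """First matching rule decides; pfSense ends every interface's list with a
    default-deny, so an unmatched packet is blocked."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"

ALLOWED_HOST, ALLOWED_PORTS = "192.168.1.10", (22, 443)   # assumed exceptions

# The poster's first attempt: the block rule is bound to LAN1, but traffic from
# LAN2 never enters on LAN1, so the "allow LAN2 net to any" rule always wins.
WRONG = [
    Rule("block", "LAN1", src="LAN2 net", dst="LAN1 net"),
    Rule("pass", "LAN1", src="LAN1 net"),
    Rule("pass", "LAN2", src="LAN2 net"),
]

# Fix 1: bind everything to LAN2; allow the few ports first, block the rest of
# LAN1, then allow whatever remains (the internet).  Order matters.
FIXED_BLOCK = [
    Rule("pass", "LAN2", src="LAN2 net", dst=ALLOWED_HOST, proto="tcp", dports=ALLOWED_PORTS),
    Rule("block", "LAN2", src="LAN2 net", dst="LAN1 net"),
    Rule("pass", "LAN2", src="LAN2 net"),
    Rule("pass", "LAN1", src="LAN1 net"),
]

# Fix 2: viragomann's variant, one allow rule whose destination is "not LAN1 net".
FIXED_NOT = [
    Rule("pass", "LAN2", src="LAN2 net", dst=ALLOWED_HOST, proto="tcp", dports=ALLOWED_PORTS),
    Rule("pass", "LAN2", src="LAN2 net", dst="LAN1 net", dst_not=True),
    Rule("pass", "LAN1", src="LAN1 net"),
]

# Same rules as FIXED_BLOCK with the block placed first: the exception is dead.
MISORDERED = [FIXED_BLOCK[1], FIXED_BLOCK[0], FIXED_BLOCK[2], FIXED_BLOCK[3]]

# Constructed test packets, all arriving on LAN2.
SSH_TO_ALLOWED = Packet("LAN2", "tcp", "192.168.2.20", ALLOWED_HOST, 22)
SMB_TO_OTHER = Packet("LAN2", "tcp", "192.168.2.20", "192.168.1.50", 445)
HTTPS_TO_INTERNET = Packet("LAN2", "tcp", "192.168.2.20", "203.0.113.5", 443)

if __name__ == "__main__":
    for name, rules in [("WRONG", WRONG), ("FIXED_BLOCK", FIXED_BLOCK),
                        ("FIXED_NOT", FIXED_NOT), ("MISORDERED", MISORDERED)]:
        v = [evaluate(rules, p) for p in (SSH_TO_ALLOWED, SMB_TO_OTHER, HTTPS_TO_INTERNET)]
        print(f"{name:12} ssh={v[0]:5} smb={v[1]:5} internet={v[2]}")
```

Running it shows WRONG passing all three packets, both fixes passing only the SSH exception and internet traffic, and MISORDERED blocking the exception too. Two caveats carry over to the real firewall: pf is stateful, so replies from LAN1 back to the allowed LAN2 client are matched by the state the LAN2 rule created and need no rule on LAN1; and the model does not include the anti-lockout rule, which only concerns access to the firewall's own management ports on the LAN interface.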
openletter:

@viragomann:

I created the following rule on LAN1 and placed it as the second rule (under Anti-Lockout Rule), but it had no effect:

Action: Block
Interface: LAN1
TCP/IP Version: IPv4
Protocol: any
Source: LAN2 net
Destination: LAN1 net

If this rule should block packets coming from hosts on LAN2 (Source: LAN2 net), you have to select LAN2 as the interface ("Choose on which interface packets must come in to match this rule.").

Instead of this additional block rule, you could also modify the "allow to any" rule to allow packets to anywhere but the other LAN. E.g. on the LAN2 interface, select "not" at destination and "LAN1 net" as the type.

lol, this was a concept that I was just totally missing. I was thinking of things completely backwards. Thanks.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.