Passing Traffic Between Nodes on Two Separate LANs

  • Greetings!

I'm new to pfSense and this forum. If an answer to this question has already been posted, please pardon my search skills and point me in the right direction. I installed pfSense yesterday, and have configured it (mostly) to replace my old router, which ran ddWRT. I have two subnets configured, on LAN, and 192.168.2.0/24 on OPT1. Both are wired separately. I've added NAT rules for the second LAN to reach the internet, and it's working well. The first LAN is my home network, the second is for guests. I have a couple of networked printers on my home LAN I'd like to expose to the guest network. I really don't want my guests to have access to the other objects on my home LAN, just the printers. Does anyone know how I can accomplish this?

    Thanks in advance,

  • First, create an alias that contains the IP addresses of all the LAN devices (eg. printers) you want the OPT1 side to be able to access.  Next, add a firewall rule on your OPT1 tab to allow traffic to the alias that you just created for your printers on LAN.  Under that, add an Allow rule for everything with a destination of !LAN.  Unless you've got something special going on, those should be the only two rules you need for OPT1.  Rules are normally processed top-down, so your first rule will allow access to the LAN devices.  The second rule allows access to everything not on LAN (WAN & OPT1 only), which gives them Internet.

  • Make an alias containing the printer IP addresses: printer_ips
    If you don't want guests to be able to access everything on the printer (like a web interface) decide which ports you want available.

    On OPT1 do something like this:
    pass ip icmp source OPT1 network dest printer_ips  # Allow guests to ping printers
    pass ip tcp source OPT1 network dest printer_ips port 515  # Allow LPR/LPD
    pass ip tcp source OPT1 network dest printer_ips port 9100  # Allow RAW
    pass ip tcp source OPT1 network dest printer_ips port 631  # Allow IPP
    reject ip any source OPT1 network dest LAN network any # Block all other access to LAN
    pass ip any source OPT1 network dest any any  # allow internet

    You can also make a port alias for printer_ports and make just one rule.  These port numbers are just typical examples.  You might have different requirements.

    You might also have to allow access to DNS servers or something.  By default they'll use the OPT1 address and that will be allowed by the last rule.
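    As an added illustration of the top-down, first-match evaluation both replies rely on (example code written for this thread, not from the forum or from pfSense itself), the following Python model walks an OPT1 rule list like the one above with constructed addresses (the home LAN is assumed to be 192.168.1.0/24 and the printers 192.168.1.50 and .51) and shows that moving the broad "allow internet" rule above the reject would expose the whole LAN.

```python
import ipaddress

# Constructed values for this example; the thread only gives the guest subnet.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")      # assumed home LAN
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")     # guest LAN from the question
PRINTER_IPS = {ipaddress.ip_address("192.168.1.50"),  # the printer_ips alias
               ipaddress.ip_address("192.168.1.51")}
PRINTER_PORTS = {515, 9100, 631}                      # LPD, RAW, IPP (as suggested)


def in_net(net):
    return lambda ip: ip in net


def in_alias(alias):
    return lambda ip: ip in alias


# Each rule: (action, protocol, source matcher, destination matcher, dest ports or None).
OPT1_RULES = [
    ("pass",   "icmp", in_net(OPT1_NET), in_alias(PRINTER_IPS), None),           # ping printers
    ("pass",   "tcp",  in_net(OPT1_NET), in_alias(PRINTER_IPS), PRINTER_PORTS),  # print protocols
    ("reject", "any",  in_net(OPT1_NET), in_net(LAN_NET),       None),           # rest of LAN
    ("pass",   "any",  in_net(OPT1_NET), lambda ip: True,       None),           # internet
]

# Same rules with the broad "allow internet" rule moved to the top: a common mistake.
BROAD_FIRST = [OPT1_RULES[3]] + OPT1_RULES[:3]


def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first rule matching the packet, top-down.
    No match falls through to the interface's implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, src_ok, dst_ok, ports in rules:
        if rproto != "any" and rproto != proto:
            continue
        if not (src_ok(src) and dst_ok(dst)):
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "block"


if __name__ == "__main__":
    guest = "192.168.2.10"
    for rules, name in ((OPT1_RULES, "correct"), (BROAD_FIRST, "broad-first")):
        for proto, dst, port in (("tcp", "192.168.1.50", 9100), ("tcp", "192.168.1.50", 80),
                                 ("tcp", "192.168.1.20", 445), ("tcp", "203.0.113.5", 443)):
            print(name, proto, guest, "->", dst, port, "=", evaluate(rules, proto, guest, dst, port))
```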

  • KOM and Derelict,

    I added the alias and the firewall rules, and it's working beautifully. Piece of cake. I just needed a nudge in the right direction.  8)

    Thank you!
