Netgate Discussion Forum
    Passing Traffic Between Nodes on Two Separate LANs

battries

      Greetings!

I'm new to pfSense and this forum. If an answer to this question has already been posted, please pardon my search skills and point me in the right direction. I installed pfSense yesterday, and have configured it (mostly) to replace my old router, which ran DD-WRT. I have two subnets configured, 192.168.1.0/24 on LAN, and 192.168.2.0/24 on OPT1. Both are wired separately. I've added NAT rules for the second LAN to reach the internet, and it's working well. The first LAN is my home network, the second is for guests. I have a couple of networked printers on my home LAN I'd like to expose to the guest network. I really don't want my guests to have access to the other objects on my home LAN, just the printers. Does anyone know how I can accomplish this?

      Thanks in advance,
      Eric

KOM

First, create an alias that contains the IP addresses of all the LAN devices (e.g. printers) you want the OPT1 side to be able to access. Next, add a firewall rule on your OPT1 tab to allow traffic to the alias that you just created for your printers on LAN. Under that, add an Allow rule for everything with a destination of !LAN. Unless you've got something special going on, those should be the only two rules you need for OPT1. Rules are normally processed top-down, so your first rule will allow access to the LAN devices. The second rule allows access to everything not on LAN (WAN & OPT1 only), which gives them Internet.

Derelict (LAYER 8, Netgate)

          Make an alias containing the printer IP addresses printer_ips
          If you don't want guests to be able to access everything on the printer (like a web interface) decide which ports you want available.

          On OPT1 do something like this:
          pass ip icmp source OPT1 network dest printer_ips  # Allow guests to ping printers
          pass ip tcp source OPT1 network dest printer_ips port 515  # Allow LPR/LPD
          pass ip tcp source OPT1 network dest printer_ips port 9100  # Allow RAW
          pass ip tcp source OPT1 network dest printer_ips port 631  # Allow IPP
          reject ip any source OPT1 network dest LAN network any # Block all other access to LAN
          pass ip any source OPT1 network dest any any  # allow internet

          You can also make a port alias for printer_ports and make just one rule.  These port numbers are just typical examples.  You might have different requirements.

          You might also have to allow access to DNS servers or something.  By default they'll use the OPT1 address and that will be allowed by the last rule.

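Both answers above depend on pfSense evaluating interface rules top-down with first match winning, and on the implicit default deny when nothing matches. The following is an added example, not code from the thread or from pfSense: a small Python model of that evaluation, with Derelict's port-restricted ruleset and KOM's two-rule ruleset run against constructed guest-side packets. The printer addresses (192.168.1.50, .51), the guest client 192.168.2.20, the home NAS 192.168.1.10 and the Internet host 203.0.113.10 are assumed values chosen for the demonstration. It also shows what happens if the "reject ... dest LAN net" rule is placed above the printer rules, and the difference between allowing the whole printer alias (KOM) and only the print ports (Derelict).

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Set, Tuple

# Networks from the thread: LAN 192.168.1.0/24 (home), OPT1 192.168.2.0/24 (guest).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")
# Constructed contents of the printer_ips and printer_ports aliases (assumed addresses).
PRINTER_IPS = {ipaddress.ip_address("192.168.1.50"), ipaddress.ip_address("192.168.1.51")}
PRINTER_PORTS = {515, 9100, 631}  # LPD, RAW, IPP, as listed in Derelict's post


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "reject" (pfSense also offers "block")
    proto: Optional[str]        # None = any protocol
    dst: Any                    # "any", an ip_network, a set of addresses, or ("not", ip_network) for !LAN
    ports: Optional[Set[int]]   # None = any destination port
    comment: str


def dst_matches(dst: Any, addr: ipaddress.IPv4Address) -> bool:
    """Destination semantics: 'any', a host alias (set), a network, or an inverted network (!LAN)."""
    if dst == "any":
        return True
    if isinstance(dst, tuple) and dst[0] == "not":
        return addr not in dst[1]
    if isinstance(dst, set):
        return addr in dst
    return addr in dst


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every rule on the OPT1 tab here has source 'OPT1 net'; the rest is per rule."""
    if ipaddress.ip_address(pkt.src) not in OPT1_NET:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if not dst_matches(rule.dst, ipaddress.ip_address(pkt.dst)):
        return False
    if rule.ports is not None and pkt.dport not in rule.ports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; no match means the interface's default deny applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.comment
    return "block", "default deny (no rule matched)"


# Derelict's port-restricted ruleset, in the order given.
DERELICT_RULES = [
    Rule("pass", "icmp", PRINTER_IPS, None, "Allow guests to ping printers"),
    Rule("pass", "tcp", PRINTER_IPS, PRINTER_PORTS, "Allow LPD/RAW/IPP to printers"),
    Rule("reject", None, LAN_NET, None, "Block all other access to LAN"),
    Rule("pass", None, "any", None, "allow internet"),
]

# KOM's two-rule version: whole printer alias, then everything with destination !LAN.
KOM_RULES = [
    Rule("pass", None, PRINTER_IPS, None, "Allow guests to reach the printer alias"),
    Rule("pass", None, ("not", LAN_NET), None, "Allow everything except LAN"),
]

# Constructed guest-side packets to run through both rulesets.
PACKETS = {
    "lpd_to_printer":  Packet("tcp", "192.168.2.20", "192.168.1.50", 515),
    "printer_web_ui":  Packet("tcp", "192.168.2.20", "192.168.1.50", 80),
    "smb_to_home_nas": Packet("tcp", "192.168.2.20", "192.168.1.10", 445),
    "https_internet":  Packet("tcp", "192.168.2.20", "203.0.113.10", 443),
    "dns_to_opt1_gw":  Packet("udp", "192.168.2.20", "192.168.2.1", 53),
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Action taken for each sample packet under the given ruleset."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}


def misordered(rules: List[Rule]) -> List[Rule]:
    """Move reject/block rules to the top, to show why rule order matters."""
    deny = [r for r in rules if r.action != "pass"]
    allow = [r for r in rules if r.action == "pass"]
    return deny + allow


if __name__ == "__main__":
    for label, rules in (("Derelict", DERELICT_RULES), ("KOM", KOM_RULES),
                         ("Derelict, reject moved to top", misordered(DERELICT_RULES))):
        print(label)
        for name, pkt in PACKETS.items():
            action, why = evaluate(rules, pkt)
            print(f"  {name:16s} -> {action:6s} ({why})")
```

Under Derelict's ruleset the guest can print (LPD to the printer passes) but not reach the printer's web UI on port 80 or the NAS on the home LAN; Internet and DNS to the OPT1 gateway address fall through to the final pass rule. KOM's ruleset passes the printer web UI too, since the alias rule carries no port restriction, and drops NAS traffic by default deny rather than by an explicit reject. With the reject rule moved above the printer rules, printing is rejected, which is the ordering mistake the "top-down" remark warns about.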
battries

            KOM and Derelict,

            I added the alias and the firewall rules, and it's working beautifully. Piece of cake. I just needed a nudge in the right direction.  8)

Thank you!
            Eric

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.