Restricting guest LAN access to other LAN machines + routing to specific gateway



  • Hi,

    I’m fairly new to pfSense and it’s quite possible I will ask a rather stupid/easy question!

    I took the plunge to use pfSense having bought a Netgear FVS336G and realised it's rubbish (very poor throughput on the LAN + WAN, etc.)…  The main reason for installing pfSense on the spare media PC I had around was to load balance traffic across the ADSL and 4G connections I have.

    Everything seems to be working fine with general users.  But then I’ve tried to add “guest” users to the network and restrict their access and cannot seem to achieve what I want.

    Guest users are ones which connect to my wireless network who I don’t want to be able to view the static DHCP users, with the exception of one DHCP device (printer).  Guest users should also be restricted to just the ADSL connection as the 4G connection costs more than I wish to admit!

    The DHCP server settings:

    Subnet 192.168.0.0
    Subnet mask 255.255.255.0
    Available range 192.168.0.1 - 192.168.0.254
    Range 192.168.0.200 to 192.168.0.250

    I have two gateways and three gateway groups:

    LoadBalance WAN4G_DHCP+WANADSL_DHCP
    ADSLOnly WANADSL_DHCP
    4GOnly WAN4G_DHCP

    Below are the firewall rules I currently have.

    (FYI: for all users I've tried to send all SSL traffic and specific destination IP addresses across the ADSL - had issues if it was load balanced.)

    At the moment (despite the rules below) all the guests can see all of the static DHCP clients and they don't seem to be restricted to the ADSL gateway.

    Any help greatly appreciated.

    V

    Status    Proto         Source              Port    Destination         Port           Gateway      Description
    Allow     IPv4 *        LAN net             *       This Firewall       *              *            Allow all to see the firewall + dhcp
    Allow     IPv4 *        192.168.0.128/26    *       192.168.0.0/25      *              *            Allow known hosts to all other known hosts
    Allow     IPv4 *        192.168.0.128/26    *       192.168.0.128/26    *              *            Allow known hosts to all other known hosts
    Allow     IPv4 *        192.168.0.0/25      *       192.168.0.0/25      *              *            Allow known hosts to all other known hosts
    Allow     IPv4 *        192.168.0.0/25      *       192.168.0.128/26    *              *            Allow known hosts to all other known hosts
    Allow     IPv4 *        192.168.0.255/26    *       192.168.0.11        *              *            Allow unknown hosts to print
    Block     IPv4 *        192.168.0.255/26    *       192.168.0.255/24    *              *            Disable unknown hosts from seeing other hosts
    Allow     IPv4 *        192.168.0.255/26    *       *                   *              ADSLOnly     Unknown network guests to ADSL only
    Block     IPv4 *        192.168.0.255/26    *       *                   *              4GOnly       Unknown network guests to ADSL only
    Allow     IPv4 *        *                   *       82.192.97.153       *              4GOnly       EE Addons
    Block     IPv4 *        *                   *       82.192.97.153       *              ADSLOnly     EE addons
    Allow     IPv4 *        *                   *       192.168.2.1         *              4GOnly       Allow everyone to see the 4G router
    Allow     IPv4 TCP/UDP  *                   *       *                   443 (HTTPS)    ADSLOnly
    Block     IPv4 TCP/UDP  *                   *       *                   443 (HTTPS)    4GOnly
    Allow     IPv4 TCP/UDP  *                   *       *                   993 (IMAP/S)   ADSLOnly
    Block     IPv4 TCP/UDP  *                   *       *                   993 (IMAP/S)   4GOnly
    Allow     IPv4 TCP/UDP  *                   *       *                   995 (POP3/S)   ADSLOnly
    Block     IPv4 TCP      *                   *       *                   995 (POP3/S)   4GOnly
    Allow     IPv4 TCP/UDP  *                   *       *                   465 (SMTP/S)   ADSLOnly
    Block     IPv4 TCP/UDP  *                   *       *                   465 (SMTP/S)   4GOnly
    Allow     IPv4 *        *                   *       *                   *              LoadBalance



  • The proper way to achieve what you are trying to achieve would be to either physically segregate them to different subnets or use VLANs.


  • Netgate

    ^ This.

    You can do it with a separate NIC and AP or a single AP that supports VLAN tagging.  Or a managed switch and two APs.

    Your guests will connect to a different wireless network and will subsequently hit pfSense on a separate interface so you can firewall them separately.

    Allow  IPv4 *    192.168.0.255/26    *    192.168.0.11    *    *    Allow unknown hosts to print
    Block  IPv4 *    192.168.0.255/26    *    192.168.0.255/24    *    *    Disable unknown hosts from seeing other hosts

    You can't use pfSense to do this because this communication is all on the 192.168.0.0/24 network and doesn't even go through the router.  It's all on the LAN.  You could unplug pfSense and those hosts could still communicate.


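Derelict's point above, as an added example that is not part of the thread: a small Python model (standard `ipaddress` module only) of the two quoted rules. It shows that a guest and a static host on the one 192.168.0.0/24 never traverse pfSense, so no LAN rule can isolate them, and that the `192.168.0.255/26` entries actually match `192.168.0.192/26` once host bits are masked. The `192.168.10.0/24` guest VLAN subnet and `VLAN_RULES` are assumptions for illustration, not the poster's configuration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")          # LAN subnet from the post
GUEST_VLAN = ipaddress.ip_network("192.168.10.0/24")  # assumed guest VLAN subnet (not in the post)

# Rules quoted in the thread, copied as written: (source, destination, action, description).
POST_RULES = [
    ("192.168.0.255/26", "192.168.0.11",     "pass",  "Allow unknown hosts to print"),
    ("192.168.0.255/26", "192.168.0.255/24", "block", "Disable unknown hosts from seeing other hosts"),
]

# Assumed equivalent rules on a separate guest interface, where pfSense is in the path.
VLAN_RULES = [
    (str(GUEST_VLAN), "192.168.0.11", "pass",  "Guest VLAN to printer only"),
    (str(GUEST_VLAN), str(LAN),       "block", "Guest VLAN to rest of LAN"),
]

def normalize(cidr: str) -> ipaddress.IPv4Network:
    """The network an entry really covers once host bits are masked off:
    192.168.0.255/26 is 192.168.0.192/26 and 192.168.0.255/24 is 192.168.0.0/24."""
    return ipaddress.ip_network(cidr, strict=False)

def same_segment(src: str, dst: str, subnets=(LAN, GUEST_VLAN)) -> bool:
    """True when src and dst share a subnet: that traffic is switched at layer 2
    and never reaches the pfSense rule set, whatever the rules say."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n and d in n for n in subnets)

def evaluate(src: str, dst: str, rules) -> str:
    """First-match evaluation of `rules`, or a note that pfSense never sees the packet."""
    if same_segment(src, dst):
        return "unfiltered: same layer-2 segment, pfSense not in the path"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action, desc in rules:
        if s in normalize(src_net) and d in normalize(dst_net):
            return f"{action}: {desc}"
    return "no rule matched"

if __name__ == "__main__":
    # Guest at .220 (inside the post's DHCP range) reaching a static host at .50:
    print(evaluate("192.168.0.220", "192.168.0.50", POST_RULES))   # unfiltered: same layer-2 segment ...
    # Same guest once moved onto the assumed guest VLAN:
    print(evaluate("192.168.10.20", "192.168.0.11", VLAN_RULES))   # pass: Guest VLAN to printer only
    print(evaluate("192.168.10.20", "192.168.0.50", VLAN_RULES))   # block: Guest VLAN to rest of LAN
```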

  • Thank you azzido and Derelict - I'll go away and have another think about the network setup I have/need.