Simple Question

  • I have three Ethernet interfaces on my pfsense box: one for my existing WAN, one for my existing LAN, and an (up until now) unused interface.  Suppose that I wanted to create another LAN on my unused interface that behaves just like my existing LAN, but is completely isolated from it (e.g., to host a community Wi-Fi network that is secure from my home network).  In this configuration, both LANs could access the internet with my existing WAN rules, but the two LANs would be secure from each other.  How would I do it?

  • LAYER 8 Netgate

    Firewall rules on your new interface:

    Pass the specific traffic you want them to be able to use (like DNS, perhaps)
    Block the specific traffic to things you don't want them to be able to use (Destination This Firewall, Destination LAN net)
    Pass the traffic to everything else (the internet)

  • I was kind of hoping for an answer that spelled out specific instructions.

  • LAYER 8 Netgate

    Those are specific instructions.  I can't tell you exactly what to do because I have no knowledge of your subnetting scheme, or what you actually want it to accomplish.  Every network is different.

  • Interfaces->Assign - add the OPT1
    Enable OPT1 with some other static IPv4/netmask
    Put rules on OPT1 like:
    block source any destination this firewall
    block source any destination LANnet
    pass source OPT1net destination any

    If you want to stop LAN devices reaching OPT1, then put a rule at the top of LAN to block source any destination OPT1net.
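The rule order in the last reply matters because pfSense evaluates the rules on the interface a packet enters top to bottom and the first match wins. The following model, added here and not code from the thread or from Netgate, walks a few constructed packets through that order. It assumes LAN is 192.168.1.0/24, OPT1 is 192.168.2.0/24, and 203.0.113.10 stands in for the WAN address; the DNS exception from the first reply is placed above the "This Firewall" block, since placed below it it would never match.

```python
"""
First-match model of pfSense per-interface firewall rules (added example,
not from the thread).  Rules are checked on the interface the packet enters,
top to bottom; the first matching rule decides, and anything unmatched hits
the implicit default deny.  All addresses here are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing (not stated in the thread).
NETS = {
    "LAN net": ip_network("192.168.1.0/24"),
    "OPT1 net": ip_network("192.168.2.0/24"),
}
ADDRS = {
    "LAN address": ip_address("192.168.1.1"),
    "OPT1 address": ip_address("192.168.2.1"),
}
# "This Firewall" in the GUI means every address the firewall itself owns,
# including its WAN address (203.0.113.10 is a documentation-range placeholder).
THIS_FIREWALL = set(ADDRS.values()) | {ip_address("203.0.113.10")}


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # "any", "LAN net", "OPT1 net"
    dst: str                     # "any", "LAN net", "OPT1 net", "This Firewall", "OPT1 address"
    proto: str = "any"           # "any", "tcp", "udp"
    dport: Optional[int] = None  # None = any destination port


def _addr_matches(selector: str, addr) -> bool:
    """Does the GUI-style selector cover this address?"""
    if selector == "any":
        return True
    if selector == "This Firewall":
        return addr in THIS_FIREWALL
    if selector in NETS:
        return addr in NETS[selector]
    if selector in ADDRS:
        return addr == ADDRS[selector]
    raise ValueError(f"unknown selector {selector!r}")


def evaluate(rules, src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> str:
    """Return 'pass' or 'block' for a packet entering the interface that owns `rules`."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if not _addr_matches(r.src, s) or not _addr_matches(r.dst, d):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"  # pfSense implicit default deny


# OPT1 rules in the order the thread gives them, with the DNS exception from the
# first reply above the block so that it can match (first match wins).
OPT1_RULES = [
    Rule("pass", "OPT1 net", "OPT1 address", proto="udp", dport=53),  # DNS to the firewall's resolver
    Rule("block", "any", "This Firewall"),                            # no webGUI/SSH/etc. on any firewall IP
    Rule("block", "any", "LAN net"),                                  # isolate from the home LAN
    Rule("pass", "OPT1 net", "any"),                                  # everything else (the internet)
]

# LAN's stock "allow LAN to any" rule reaches OPT1 unless a block sits above it.
LAN_RULES_DEFAULT = [Rule("pass", "LAN net", "any")]
LAN_RULES_ISOLATED = [Rule("block", "any", "OPT1 net")] + LAN_RULES_DEFAULT


if __name__ == "__main__":
    checks = [
        ("OPT1 -> internet", OPT1_RULES, "192.168.2.20", "198.51.100.7", "tcp", 443),
        ("OPT1 -> LAN host", OPT1_RULES, "192.168.2.20", "192.168.1.50", "tcp", 445),
        ("OPT1 -> DNS on OPT1 address", OPT1_RULES, "192.168.2.20", "192.168.2.1", "udp", 53),
        ("OPT1 -> webGUI on OPT1 address", OPT1_RULES, "192.168.2.20", "192.168.2.1", "tcp", 443),
        ("OPT1 -> DNS on LAN address", OPT1_RULES, "192.168.2.20", "192.168.1.1", "udp", 53),
        ("OPT1 -> SSH on WAN address", OPT1_RULES, "192.168.2.20", "203.0.113.10", "tcp", 22),
        ("LAN -> OPT1 host (default LAN rules)", LAN_RULES_DEFAULT, "192.168.1.50", "192.168.2.20", "tcp", 22),
        ("LAN -> OPT1 host (block added on LAN)", LAN_RULES_ISOLATED, "192.168.1.50", "192.168.2.20", "tcp", 22),
    ]
    for label, rules, *pkt in checks:
        print(f"{label:40s} {evaluate(rules, *pkt)}")
```

Two points the model makes visible: "This Firewall" covers the WAN address too, so the block on OPT1 also keeps guests off the firewall's WAN-side services, and the OPT1 rules say nothing about traffic entering on LAN, which is why the last reply adds a separate block at the top of the LAN rules if LAN hosts should not reach OPT1.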