Netgate Discussion Forum
    Guest LAN - what ports to open?

General pfSense Questions
7 Posts 5 Posters 1.4k Views
• q54e3w

I'm just in the process of creating a guest network for visitors to use. I'm curious if there are any established best practices of what to open and what not to.

Currently:

• I block all guest traffic from guest to my other non-guest subnets
• I allow DNS (53) and NTP (123) to my router
• I allow the following ports out:
    • HTTP (80 & 8080 & 443)
    • SMTP (587 & 465)
    • IMAP (143 & 993)
    • Ephemeral (49152:65535)

I'm specifically interested to hear if I should allow DNS & NTP out, but would appreciate any feedback or advice as to other services I should consider providing.

thx!
• KOM

Are you trying to prevent them from doing something specifically? If not, just open it up.
• q54e3w

Actually, that's a very good point, thank you. I was stuck in the mindset of keeping ports locked down unless actually needed, but you raise a good point re guests - there isn't anything I don't want them doing except hacking my personal files and photos etc., so I can relax and open up for them. Appreciate the pointer, thanks.
• doktornotor

I'd keep port 25 closed, though. ;)
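The OP's rule list, plus the port 25 block suggested just above, expressed as a pf ruleset. This is an added example, not configuration posted by anyone in the thread; pfSense generates its own pf.conf from the GUI, and the interface name, guest subnet and router address are assumptions.

```pf
# Added example: pf ruleset approximating the OP's guest-LAN policy.
# Interface, subnet and router address below are assumed placeholders.
guest_if  = "igb2"               # assumed guest interface
guest_net = "192.168.50.0/24"    # assumed guest subnet
router    = "192.168.50.1"       # assumed pfSense address on guest_if
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# pfSense interface rules are first-match ("quick"), so order matters:
# services the firewall itself provides come first, then the block to
# every other internal subnet, and only then the outbound allows.

# DNS and NTP to the firewall only, not to arbitrary internal hosts
pass in quick on $guest_if proto udp from $guest_net to $router port { 53, 123 }
pass in quick on $guest_if proto tcp from $guest_net to $router port 53

# Keep port 25 closed regardless of destination; log hits
block in log quick on $guest_if proto tcp from $guest_net to any port 25

# Guests never reach other RFC1918 subnets; logging makes probing visible
block in log quick on $guest_if from $guest_net to <private>

# Outbound allows exactly as the OP listed them
pass in quick on $guest_if proto tcp from $guest_net to any port { 80, 8080, 443 }
pass in quick on $guest_if proto tcp from $guest_net to any port { 465, 587 }
pass in quick on $guest_if proto tcp from $guest_net to any port { 143, 993 }
pass in quick on $guest_if proto tcp from $guest_net to any port 49152:65535

# Everything else from the guest subnet is dropped and logged
block in log quick on $guest_if from $guest_net to any
```

Because the router's address sits inside the <private> table, the pass rules to $router must stay above the block to <private>; swapping them silently breaks guest DNS and NTP.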
• marvosa

At work, this is what we're allowing on our guest network:

TCP
• www
• https
• ftp
• smtp

UDP
• DNS
• NTP

Some small issues that have come from being so locked down:

• No VPN (e.g. IPsec) connections can be made, so vendors are unable to make secure connections to their corporate offices

• No IMAP connections can be made, e.g. people trying to use the Gmail app from their phone/tablet are blocked

We have some paranoid people here, but I'm with KOM; from my perspective locking down guest wireless just creates unnecessary tickets! LoL! I mean... it's guest... it should be isolated from your production network and throttled if it's sharing your main connection. IMO... why create extra management overhead by locking it down and having to revisit syslogs and rules every time there's a question/issue?

Stick it on a separate VLAN/interface, throttle it and be done. Then that's the last you'll ever hear of it... vs. fielding questions and tickets and troubleshooting why this doesn't work and why we can't get to that, etc.
• NOYB

LOL

I've been employed by companies blocking everything under the sun too. Like you, they probably thought no VPN connections could be made either. So I made a VPN connection to home and used my own ISP connection for external access anyway. And that was even on the corporate business network, not the guest network.

If the powers that be are really concerned about guest access, they should block everything and require guests to use a VPN to their own service, company, etc. But I think the real reason isn't that they are concerned about security etc. or whatever. But rather they are power and control freaks who need something to hang their hat on to justify their employment. And this also allows them to snoop and collect information on/from their guests.
• KOM

It also depends on what you mean by 'guests'. Personal friends in your house, or paying customers at the villa?
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.