Separate Network
- 
 And let's see your rules. Attached.
 
 
 
- 
 The fourth rule in my example (This firewall) would block that. As would blocking all RFC1918, also in my example. I use the This firewall rule because it covers every interface on the node including any WANs. (Try it - bring up the webgui by accessing it from the inside using your WAN address.)
 Pass specific local traffic (DNS and Ping)
 Block more general local traffic (All RFC1918, This firewall, Specific local networks)
 Pass everything else (The Internet)
- 
 Yeah, so your block rule stopping you from talking to LAN net does not stop you from talking to the pfSense interface in the OPT1 network. Or, say, your WAN interface. While your allow rule allows you to go anywhere you want that did not get triggered by the block rule for LAN net. You could add a firewall rule with dest "this firewall" that would block you from talking to anything pfSense might be listening on - keep in mind this would prevent you from even talking to DNS on pfSense. Here are the rules I have set on my guestwlan - that keeps it from even using pfSense for DNS and just allows ping to pfSense.
 
- 
 I added a block-all-traffic "This firewall" rule at the top of the list on OPT1 and the captive portal no longer loads up.
 Looks like I blocked out DNS or something. I don't understand how you can "keep users from using pfSense for DNS",
 or why; I want the users to use pfSense for DNS, right?
 Removing this rule to get the captive portal back online.
 I think I got it figured out by following the instructions mentioned above.
- 
 You really ONLY want to block the management ports. Not really sure what the goal is of shooting yourself in the foot by blocking all traffic!!!
- 
 I gave you exactly what you need to do. 
- 
 Not sure what you want to do on your network, if you want your guests to use pfSense DNS and be able to resolve your local names.. That is up to you - my guests get handed an IP and the ISP DNS - they are there as guests to use the internet connection. Not anything to do with my network. I let them ping their gateway as verification that hey, the wireless is actually working, etc. But they have no need to use my internal DNS to resolve google.com - the ISP DNS can do that for them, etc. What is it you want to do exactly, and then write the rules to do that.. You have been given multiple examples.
- 
 > You really ONLY want to block the management ports. Not really sure what the goal is of shooting yourself in the foot by blocking all traffic!!!

 I don't want users on OPT1 listening to LAN traffic.
- 
 > I don't want users on OPT1 listening to LAN traffic.

 Huh? What? I am talking about the "This Firewall" rule. Plus, you have been given multiple solutions, really no idea what you are inventing here…
- 
 > Not sure what you want to do on your network, if you want your guests to use pfSense DNS and be able to resolve your local names.. That is up to you - my guests get handed an IP and the ISP DNS - they are there as guests to use the internet connection. Not anything to do with my network. I let them ping their gateway as verification that hey, the wireless is actually working, etc. But they have no need to use my internal DNS to resolve google.com - the ISP DNS can do that for them, etc. What is it you want to do exactly, and then write the rules to do that.. You have been given multiple examples.

 Thank you everyone for the examples, I will use them.
- 
 Here is how I ended up setting this up.
 
- 
 Looks good. You can make a ports alias (like ManagementPorts or whatever) for 22+80+443 and make the first 3 rules into a single one.
- 
 > Looks good. You can make a ports alias (like ManagementPorts or whatever) for 22+80+443 and make the first 3 rules into a single one.

 Excellent, I was wondering how to add multiple ports to a firewall rule.
 Using aliases might help with RAM and swap consumption as well.
 Currently swap is 60% of 1024 MB and RAM is 65% of 467 MB.
 Here is how I have it now and it is working fine.
 
- 
 If you want them to be able to ping and do dns lookups, I don't see why you wouldn't pass those then block everything else. It's more sound firewall rule design. 
- 
 > If you want them to be able to ping and do dns lookups, I don't see why you wouldn't pass those then block everything else. It's more sound firewall rule design.

 I tried blocking all RFC1918 traffic on the interface but I can't seem to move that rule below the rules allowing DNS.
 The captive portal stops working. Well, the captive portal works but DNS doesn't.
 When you say "It's more sound firewall rule design." what do you mean?
- 
 Pass what you need them to have access to and block everything else. The way you're doing it, if you start another service on the firewall, change your webgui port, etc., you have to remember to specifically block it. You need to add things like DNS servers to your captive portal allowed IP addresses in addition to passing the DNS traffic in the regular firewall.
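 The three rule designs discussed in this thread (the block-"This firewall"-first attempt that broke DNS, the block-management-ports alias approach, and the pass-DNS/ping-then-block-RFC1918-and-This-firewall approach from the earlier post) differ only in rule order and scope, which is easy to lose track of in screenshots. The simulator below is an added example, not code from the thread or from pfSense itself: it models a pfSense interface tab as a first-match rule list with a default deny, and replays the same guest packets against each design. All addresses (192.168.2.0/24 as OPT1, 192.168.1.0/24 as LAN, 203.0.113.5 as the WAN address, 198.51.100.10 as an Internet host) and the "webgui moved to 8443" scenario are constructed assumptions chosen to show why the last reply calls pass-then-block the sounder design.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology (assumptions, not from the thread): guests on OPT1,
# trusted hosts on LAN, and the firewall holding one address per interface.
GUEST_NET = ipaddress.ip_network("192.168.2.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
THIS_FIREWALL = {                       # pfSense "This firewall": every interface address
    ipaddress.ip_address("192.168.2.1"),   # OPT1 address
    ipaddress.ip_address("192.168.1.1"),   # LAN address
    ipaddress.ip_address("203.0.113.5"),   # WAN address (placeholder, documentation range)
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MANAGEMENT_PORTS = {22, 80, 443}        # the "ManagementPorts" alias suggested in the thread


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp", "udp" or "icmp"
    dst: str                    # "any", "this_firewall", "rfc1918" or "lan_net"
    dport: Optional[set] = None  # None = any destination port


def _dst_matches(rule: Rule, dst_ip) -> bool:
    if rule.dst == "any":
        return True
    if rule.dst == "this_firewall":
        return dst_ip in THIS_FIREWALL
    if rule.dst == "rfc1918":
        return any(dst_ip in net for net in RFC1918)
    if rule.dst == "lan_net":
        return dst_ip in LAN_NET
    raise ValueError(f"unknown destination alias {rule.dst!r}")


def evaluate(rules, proto, dst, dport=None) -> str:
    """First matching rule wins, top to bottom; no match means the implicit deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if not _dst_matches(rule, dst_ip):
            continue
        if rule.dport is not None and dport not in rule.dport:
            continue
        return rule.action
    return "block"


# Design 1: "block all to This firewall" at the top. Kills DNS and ping to pfSense.
BLOCK_FIREWALL_FIRST = [
    Rule("block", "any", "this_firewall"),
    Rule("block", "any", "lan_net"),
    Rule("pass", "any", "any"),
]

# Design 2: block only the management ports via the alias, then LAN, pass the rest.
BLOCK_MGMT_PORTS = [
    Rule("block", "tcp", "this_firewall", MANAGEMENT_PORTS),
    Rule("block", "any", "lan_net"),
    Rule("pass", "any", "any"),
]

# Design 3: pass exactly what guests need, then block all local destinations.
# "this_firewall" after "rfc1918" still matters: the WAN address is not RFC1918.
PASS_THEN_BLOCK = [
    Rule("pass", "udp", "this_firewall", {53}),
    Rule("pass", "tcp", "this_firewall", {53}),
    Rule("pass", "icmp", "this_firewall"),
    Rule("block", "any", "rfc1918"),
    Rule("block", "any", "this_firewall"),
    Rule("pass", "any", "any"),
]

# Constructed guest packets: (proto, destination, destination port).
SCENARIOS = {
    "dns_to_pfsense":    ("udp", "192.168.2.1", 53),
    "ping_pfsense":      ("icmp", "192.168.2.1", None),
    "webgui_default":    ("tcp", "192.168.2.1", 443),
    "webgui_moved":      ("tcp", "192.168.2.1", 8443),   # GUI port changed later, alias not updated
    "webgui_via_wan_ip": ("tcp", "203.0.113.5", 443),
    "lan_host_smb":      ("tcp", "192.168.1.20", 445),
    "internet_https":    ("tcp", "198.51.100.10", 443),
}


def verdicts(rules) -> dict:
    """Map each scenario name to the first-match verdict under the given rule list."""
    return {name: evaluate(rules, *args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for label, rules in (("block This firewall first", BLOCK_FIREWALL_FIRST),
                         ("block management ports", BLOCK_MGMT_PORTS),
                         ("pass needed, block local", PASS_THEN_BLOCK)):
        print(f"== {label} ==")
        for name, verdict in verdicts(rules).items():
            print(f"  {name:18s} {verdict}")
```

 Running it shows the thread's three outcomes side by side: design 1 blocks DNS and ping to pfSense (the captive portal symptom), design 2 restores them but lets a later GUI port change slip through because the alias only names 22, 80 and 443, and design 3 keeps DNS and ping working while blocking LAN hosts, the WAN address and any new port on the firewall without further edits.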

