Netgate Discussion Forum
    Separate Network

    Routing and Multi WAN
    25 Posts 6 Posters 3.8k Views
      doktornotor (Banned)

      Looks good. You can make ports alias (like, ManagementPorts or whatever) for 22+80+443 and make the first 3 rules into a single one.

        ditrone

        @doktornotor:

        Looks good. You can make ports alias (like, ManagementPorts or whatever) for 22+80+443 and make the first 3 rules into a single one.

        Excellent, I was wondering how to add multiple ports to a firewall rule.
        Using aliases might help with RAM and swap consumption as well.
        Currently swap is 60% of 1024 MB and RAM is 65% of 467 MB.

        Here is how i have it now and it is working fine.

        ![Screenshot - 06072015 - 05:30:06 PM.png](/public/imported_attachments/1/Screenshot - 06072015 - 05:30:06 PM.png)

          Derelict (LAYER 8 Netgate)

          If you want them to be able to ping and do DNS lookups, I don't see why you wouldn't pass those then block everything else.  It's more sound firewall rule design.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            ditrone

            @Derelict:

            If you want them to be able to ping and do DNS lookups, I don't see why you wouldn't pass those then block everything else.  It's more sound firewall rule design.

            I tried blocking all RFC1918 traffic on the interface, but I can't seem to move that rule below the rules allowing DNS.
            Captive portal stops working. Well, captive portal works but DNS doesn't.
            When you say "It's more sound firewall rule design." what do you mean?

              Derelict (LAYER 8 Netgate)

              Pass what you need them to have access to and block everything else.  The way you're doing it, if you start another service on the firewall, change your webgui port, etc., you have to remember to specifically block it.

              You need to add things like DNS servers to your captive portal allowed IP addresses in addition to passing the DNS traffic in the regular firewall.

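As an added example (not code from this thread or from pfSense), a small Python model of pfSense's top-down, first-match rule evaluation shows the two points raised above: the block-list design silently passes any new service on the firewall, while the default-deny design does not, and a block-RFC1918 rule placed above the DNS pass rule is exactly what breaks DNS to the portal interface. The alias name, addresses and rule sets are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed alias, addresses and rule sets; the evaluator models pfSense's
# top-down, first-match interface rule processing (no match = default block).
MANAGEMENT_PORTS = frozenset({22, 80, 443})   # the "ManagementPorts" alias
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIREWALL = ip_address("192.168.10.1")         # assumed captive-portal interface address
INTERNET_DNS = ip_address("198.51.100.53")    # assumed external DNS server (documentation range)

def is_private(ip):
    return any(ip in net for net in RFC1918)

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: Optional[str] = None      # None matches any protocol
    dst: Optional[str] = None        # None (any), "rfc1918" or "!rfc1918"
    ports: frozenset = frozenset()   # empty = any destination port

    def matches(self, proto, dst_ip, dport):
        if self.proto and self.proto != proto:
            return False
        if self.dst == "rfc1918" and not is_private(dst_ip):
            return False
        if self.dst == "!rfc1918" and is_private(dst_ip):
            return False
        return not self.ports or dport in self.ports

def evaluate(rules, proto, dst_ip, dport=None):
    """Return the action of the first matching rule, or 'block' if none match."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return "block"

DNS = Rule("pass", "udp", None, frozenset({53}))
# Block-list design from the thread: block management ports, pass everything else.
BLOCK_LIST = [Rule("block", "tcp", "rfc1918", MANAGEMENT_PORTS), Rule("pass")]
# Default-deny design Derelict recommends: pass DNS, ping and internet, block the rest.
DEFAULT_DENY = [DNS, Rule("pass", "icmp"), Rule("pass", None, "!rfc1918"), Rule("block")]
# ditrone's ordering problem: the RFC1918 block sits above the DNS pass rule.
BROKEN_ORDER = [Rule("block", None, "rfc1918"), DNS, Rule("pass")]

if __name__ == "__main__":
    for name, rules in (("block-list", BLOCK_LIST), ("default-deny", DEFAULT_DENY), ("broken-order", BROKEN_ORDER)):
        print(f"{name:13} DNS->firewall: {evaluate(rules, 'udp', FIREWALL, 53):5}"
              f"  new tcp/8443 service: {evaluate(rules, 'tcp', FIREWALL, 8443)}")
```

Running it shows the block-list design passing a hypothetical new tcp/8443 service on the firewall, and the broken ordering blocking DNS to the firewall while DNS to an external server still passes.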
