Block access to other internal LAN

  • Hi all,

    My pfSense has many interfaces.
    Each LAN acts as a DMZ and must not have access to the other DMZs, but must have access to the Internet.

    The default rules on each DMZ allow traffic any to any.

    I'm looking to add a rule to block traffic between each DMZ with one rule (floating rules?).

    Thanks for your help,

  • Make an alias that covers all the subnets of your DMZs (or the whole of RFC1918 private address space).
    Put a floating block rule for source that_alias destination that_alias.

    Note that this will also block a DMZnet from accessing its gateway on pfSense for stuff like ping or the webGUI. If you want that access then you can put pass rule/s at the top like:
    Pass ICMP source that_alias destination "This firewall"

  • So, as suggested, create an alias that contains the rules you want to block. Then create rules for what you want access to on pfSense, like ping or DNS. Then a block rule to your alias, and then allow anything else. My best example would be my wlan guest network, or my dmz segment.

  • Thanks for the example johnpoz!

    Would you mind posting up the "Anywhere but local" rule example?

    I have mine split into 2 separate rules and would like to know for educational purposes. Thx!

  • > Would you mind posting up the "Anywhere but local" rule example?

    You cannot see the pictures?  :o ???

  • Actually, you're right, all the info I need is right in front of my face!

  • Thanks all, it's perfect  :)

  • You do get that the ! is NOT, so the rule reads: allow if you're not going to anything in that alias. If you were going to one of those networks, then you would get blocked by the default block.
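    The two recipes in this thread (the floating block rule with pass rules above it, and johnpoz's per-interface "!alias" pass rule) written out as a pf ruleset, which is what pfSense builds from its GUI rules. This is an added illustration, not configuration posted by anyone in the thread; the interface names em1/em2/em3 and the 10.x/24 subnets are assumed placeholders.

```pf
# Added illustration (not from any poster): the thread's two recipes as pf
# rules. Assumed: three DMZ interfaces em1/em2/em3 on 10.10.0.0/24,
# 10.20.0.0/24 and 10.30.0.0/24; names and subnets are placeholders.
dmz_ifs = "{ em1 em2 em3 }"

# The "alias" from the thread: a pf table holding every DMZ subnet.
table <dmz_nets> { 10.10.0.0/24, 10.20.0.0/24, 10.30.0.0/24 }

# pfSense's implicit default deny: a non-quick block that only wins when no
# quick rule below matches the packet.
block in log all

# --- Recipe 1: one floating block rule for all DMZs (first answer) ---
# Let DMZ hosts reach the firewall itself for ping and DNS. These must sit
# ABOVE the block, otherwise the block also cuts off the gateway.
pass in quick on $dmz_ifs inet proto icmp from <dmz_nets> to self icmp-type echoreq
pass in quick on $dmz_ifs inet proto { tcp udp } from <dmz_nets> to self port domain
# The single block rule: any DMZ subnet to any DMZ subnet.
block in log quick on $dmz_ifs inet from <dmz_nets> to <dmz_nets>
# Everything else (the Internet) is allowed.
pass in quick on $dmz_ifs inet from <dmz_nets> to any

# --- Recipe 2: johnpoz's "anywhere but local" rule, shown for em1 only ---
# No block rule needed: "!" negates the destination, so the pass matches
# only traffic NOT headed to a DMZ subnet. DMZ-to-DMZ traffic matches no
# quick rule and falls through to the default deny above.
# (With both recipes loaded, recipe 1 matches first; they are listed
# together only for comparison.)
pass in quick on em1 inet proto icmp from em1:network to self icmp-type echoreq
pass in quick on em1 inet proto { tcp udp } from em1:network to self port domain
pass in quick on em1 inet from em1:network to ! <dmz_nets>
```

    `pfctl -nf <file>` parses the ruleset without loading it, which is a cheap way to check the syntax before committing it to a live firewall.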
