Block rules not applied - Segregate LAN/WAN


  • Hi,

    I am trying to segregate GUEST_LAN_VIP from being able to ping LAN_VIP but currently my block rules aren't working and it can ping 192.168.2.x from 172.16.1.x

    I also need it to route the traffic via WAN2, currently it's routing via WAN int1.

    Simplified Setup:
    1 server 2012 with dhcp
    1 pfsense
    2 LAN
    2 WAN

    WAN int1 x.x.x.x going to pfsense
    WAN2 int2 x.x.x.x going to pfsense
    LAN int2 192.168.2.2 going from pfsense to core switch
    GUEST_LAN int3 172.16.1.2 going from pfsense to a separate switch

    LAN_VIP 192.168.2.1
    GUEST_LAN_VIP 172.16.1.1
    WAN2_VIP X.X.X.X
    (no WAN VIP)

    Outbound NAT

    WAN (Automatic any to any)

    127.0.0.0/8
    192.168.2.0/24
    172.16.1.0/24

    WAN2 (Manual NAT)

    172.16.1.0/24

    WAN int1 rules

    block * RFC 1918 networks * * * * * Block private networks

    block * Reserved/not assigned by IANA * * * * * * Block bogon networks

    IPv4 UDP x.x.x.x  * 8.8.8.8   53 (DNS) * none Easy Rule: Passed from Firewall Log View

    WAN2 int1 rules (Created a block all to test, this is not being applied as can still access internet/LAN)

    block IPv4 * * * * * * none
    IPv4 * GUEST_WIRELESS net * not 192.168.2.0/172.16.1.0 * WAN2 none

    LAN int2 rules

    IPv4 * * * * * * none Any
    IPv4 * LAN_NET * not 192.168.0.0 * WAN none Default allow LAN to any rule

    GUEST_LAN int3 rules

    Reserved/not assigned by IANA * * * * * * Block bogon networks
  • Banned

    Dude, post screenshots. Not this broken ASCII art.

  • LAYER 8 Global Moderator

    Yeah some simple screenshots would make this much easier to read.

    If you don't want guest_lan to ping lan – then rules would go on guest_lan. From what you posted doesn't look like you have any rules on guest_lan for anything.  So it wouldn't be able to do anything at all.
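The moderator's point, as an added illustration that is not from the thread or from pfSense itself: pfSense matches rules on the interface a packet enters, top to bottom, first match wins, and unmatched traffic hits the implicit default deny, so a block rule on WAN2 never sees guest traffic that entered on GUEST_LAN. The subnets are the ones from the post; the rule set, the gateway name and the evaluator are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of pfSense rule evaluation: rules are consulted on the
# interface a packet ENTERS, first match wins, unmatched traffic is dropped.
LAN_NET = ip_network("192.168.2.0/24")    # LAN from the thread
GUEST_NET = ip_network("172.16.1.0/24")   # GUEST_LAN from the thread

# Ruleset keyed by ingress interface. Each rule: (action, src, dst, gateway).
# "any" matches everything. The GUEST_LAN set is the intended one (assumed),
# not what the OP currently has; the WAN2 set is the OP's block-all.
RULES = {
    "GUEST_LAN": [
        ("block", GUEST_NET, LAN_NET, None),      # guests may not reach LAN
        ("pass", GUEST_NET, "any", "WAN2_GW"),   # everything else policy-routed out WAN2
    ],
    "WAN2": [
        ("block", "any", "any", None),           # only sees traffic arriving on WAN2
    ],
}

def _match(net, addr):
    return isinstance(net, str) or ip_address(addr) in net

def evaluate(ingress_if, src, dst):
    """Return (action, gateway) for a packet entering on ingress_if."""
    for action, s, d, gw in RULES.get(ingress_if, []):
        if _match(s, src) and _match(d, dst):
            return action, gw
    return "block", None  # implicit default deny on every interface

if __name__ == "__main__":
    # Guest host pinging LAN_VIP enters on GUEST_LAN and hits the block rule.
    print(evaluate("GUEST_LAN", "172.16.1.50", "192.168.2.1"))
    # Guest host going to the internet passes and is routed via WAN2.
    print(evaluate("GUEST_LAN", "172.16.1.50", "8.8.8.8"))
    # The WAN2 rules are only consulted for packets that enter on WAN2,
    # which is why the OP's block-all there never affects guest traffic.
    print(evaluate("WAN2", "203.0.113.9", "172.16.1.50"))
```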