Netgate Discussion Forum

    Block rules not applied - Segregate LAN/WAN

    Routing and Multi WAN
    3 Posts, 3 Posters, 636 Views
    thomas159

      Hi,

      I am trying to segregate GUEST_LAN_VIP from being able to ping LAN_VIP but currently my block rules aren't working and it can ping 192.168.2.x from 172.16.1.x

      I also need it to route the traffic via WAN2, currently it's routing via WAN int1.

      Simplified Setup:
      1 server 2012 with dhcp
      1 pfsense
      2 LAN
      2 WAN

      WAN int1 x.x.x.x going to pfsense
      WAN2 int2 x.x.x.x going to pfsense
      LAN int2 192.168.2.2 going from pfsense to core switch
      GUEST_LAN int3 172.16.1.2 going from pfsense to separate switch

      LAN_VIP 192.168.2.1
      GUEST_LAN_VIP 172.16.1.1
      WAN2_VIP X.X.X.X
      (no WAN VIP)

      Outbound NAT

      WAN (Automatic any to any)

      127.0.0.0/8
      192.168.2.0/24
      172.16.1.0/24

      WAN2 (Manual NAT)

      172.16.1.0/24

      WAN int1 rules

      block * RFC 1918 networks * * * * * Block private networks

      block * Reserved/not assigned by IANA * * * * * * Block bogon networks

      IPv4 UDP x.x.x.x  * 8.8.8.8   53 (DNS) * none Easy Rule: Passed from Firewall Log View

      WAN2 int1 rules (Created a block all to test, this is not being applied as can still access internet/LAN)

      block IPv4 * * * * * * none
      IPv4 * GUEST_WIRELESS net * not 192.168.2.0/172.16.1.0 * WAN2 none

      LAN int2 rules

      IPv4 * * * * * * none Any
      IPv4 * LAN_NET * not 192.168.0.0 * WAN none Default allow LAN to any rule

      GUEST_LAN int3 rules

      Reserved/not assigned by IANA * * * * * * Block bogon networks
      doktornotor

        Dude, post screenshots. Not this broken ASCII art.

        johnpoz (LAYER 8 Global Moderator)

          Yeah some simple screenshots would make this much easier to read.

          If you don't want guest_lan to ping lan, then the rules would go on guest_lan. From what you posted it doesn't look like you have any rules on guest_lan for anything. So it wouldn't be able to do anything at all.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

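The point johnpoz makes, written out as a pf(4)-style ruleset for the poster's addressing. This is an added example, not configuration from the thread or from pfSense itself; the interface names, the macro names and the WAN2 gateway address are assumptions (the gateway is a placeholder from the RFC 5737 documentation range).

```pf
# Added example: guest segregation plus policy routing on the GUEST_LAN interface.
# Interface names and the WAN2 gateway below are assumed, not taken from the post.
guest_if = "em3"             # GUEST_LAN int3, firewall address 172.16.1.2
wan2_if  = "em1"             # WAN2 int2
wan2_gw  = "203.0.113.1"     # placeholder WAN2 gateway

lan_net   = "192.168.2.0/24"
guest_net = "172.16.1.0/24"
guest_vip = "172.16.1.1"     # GUEST_LAN_VIP from the post

# pfSense evaluates rules on the interface where traffic ENTERS the firewall,
# first match wins. A guest-to-LAN ping enters on $guest_if, so only rules on
# this interface can stop it. A "block all" on WAN2 only sees packets arriving
# from the WAN2 side, which is why it changed nothing for guest traffic.

# 1. Block guests from the LAN before any pass rule can match.
block in quick on $guest_if inet from $guest_net to $lan_net

# 2. Traffic to the firewall's own guest address (DNS etc.) is passed WITHOUT
#    a gateway, so it is not forced out WAN2 by the rule below. The pfSense GUI
#    normally generates equivalent negate rules for policy-routed rules.
pass in quick on $guest_if inet from $guest_net to $guest_vip keep state

# 3. Everything else from guests is policy-routed out WAN2 (the "Gateway"
#    field on a pfSense rule); the manual outbound NAT on WAN2 handles the rest.
pass in quick on $guest_if route-to ($wan2_if $wan2_gw) inet from $guest_net to any keep state
```

In the GUI these are three rules on the GUEST_LAN tab in the same order, the last one with its Gateway set to the WAN2 gateway; Status > System Logs > Firewall then shows which rule each guest ping matched.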
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.