Netgate Discussion Forum

    Network/Subnet Confusion - Separating LAN and OPT1

    Firewalling
    6 Posts 5 Posters 2.6k Views
    • networkn__b

      Hi,

      I'm trying to block traffic between my LAN and OPT1 NICs without luck.

      The rest of my setup is working really well - my servers are live to web via LAN
      and I can access the web for personal use via OPT1. pfSense is awesome! :D

      I can calculate subnet masks, address ranges, broadcast addresses, etc,
      but after reading the pfSense docs, forums, and networking guides,
      I'm confused how to 'use' network addresses and subnets with pfSense interfaces
      (and probably in general). I'm such a monkey!

      With a few words of help from someone here, I think my twisted view of how to
      solve this problem and use (not use) addressing will be cleared up forever.

      ------------------------------
                MY SETUP

      Physical layout

      WAN (Cable static IP) - pfSense - LAN NIC, 192.168.0.254/24 - for web servers.

      - OPT1 NIC, 192.168.100.254/24 - for personal use.

      Rules

      WAN and NAT rules for web servers (HTTP etc) - servers are 'live' to WWW. :D

      LAN rule:    * LAN net  * !OPT1 net * * default

      OPT1 rule:  * OPT1 net * !LAN net  * * default - my laptop can use web. :D

      AON enabled with rules for LAN and OPT1 (as per forum suggestion I read.)

      Hope you can help!

      • GruensFroeschli

        Are you sure that you don't have other rules on LAN or OPT1?

        Because with the rules you just posted you should not be able to access the other subnet.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • sentofuno

          The above rule works for me; in fact I figured out how to block LAN->OPT1 by following your own post (thank you btw, I was about to post the same question about an hour ago).

          I have AON disabled, with no other firewall rules for LAN or OPT1. Sorry, I wish I could help in return other than to confirm your rules 'ought' to work.

          pfSense 2.0-RELEASE
          Intel Atom Motherboard D525MW + PCI Intel 10/100 NIC, 4GB RAM
          Packages: squid, snort

          • cmb

            Yeah the configuration as described will work. I'm guessing you must have other rules there. AON is probably not necessary, though your NAT configuration is separate and unrelated to whether or not traffic is passed.

            • mikenl

              I think we have the same problem.
              http://forum.pfsense.org/index.php/topic,9090.0.html

              • networkn__b

                Hi,

                Sorry for late reply - I don't get to my pfSense box too often to check rules.

                Yep - I'm a monkey - I had my subnets round the wrong way - source and destination mixed up.

                Subnets are now isolated as per rules in my first post. :D

                Next time I'll double check my own notes and this forum. (I'll soon have pfSense box and servers locally, which will speed my development/breaking things up!=)

                Thanks for your help - these forums are probably one of the most useful/friendly for this stuff and in general!!!

                Now I just have to work out how to allow my email server (on LAN) to dish out its SSL cert without bumping off every other SSL session I try to start in web browser (on OPT1) eg other web based email, online banking sessions etc.

                Must be how I set the certificate's domain?

                It stopped as soon as I killed the NAT and auto-created rule for the email server's SSL port (443), but now I'm without email. =)

                I'd better ask this on another forum - I'm not sure I can fix this with pfSense.

                If anyone has any ideas how to fix this with pfSense - just tell me, and I'll start another thread.

                Thanks again!

                :D
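To make the thread's reasoning checkable, here is an added example (not from the original posts or from pfSense itself) that models pfSense's per-interface, first-match rule evaluation with implicit default deny, runs the rules from the first post through a small isolation check, and shows the leak GruensFroeschli suspected: a leftover pass-to-any rule above the isolation rule. The host and web addresses are constructed; NAT is deliberately not modelled, since, as cmb notes, it is separate from whether traffic is passed.

```python
import ipaddress

# Constructed to match the thread's setup: LAN 192.168.0.0/24, OPT1 192.168.100.0/24.
NETS = {
    "LAN net": ipaddress.ip_network("192.168.0.0/24"),
    "OPT1 net": ipaddress.ip_network("192.168.100.0/24"),
}

def match_spec(spec, addr):
    """Match a pfSense-style address field: '*' (any), 'LAN net', or a negated '!OPT1 net'."""
    if spec == "*":
        return True
    in_net = ipaddress.ip_address(addr) in NETS[spec.lstrip("!")]
    return not in_net if spec.startswith("!") else in_net

def evaluate(rules, iface, src, dst):
    """First matching rule on the ingress interface wins (pfSense emits 'quick' rules);
    a packet matching no rule falls to the implicit default deny."""
    for rule_iface, action, src_spec, dst_spec in rules:
        if rule_iface == iface and match_spec(src_spec, src) and match_spec(dst_spec, dst):
            return action
    return "block"

def isolation_report(rules):
    """Review check: do LAN and OPT1 stay apart while both still reach the web?
    Constructed hosts; 203.0.113.5 is a documentation address standing in for the web."""
    cases = {
        "LAN->OPT1": ("LAN", "192.168.0.10", "192.168.100.10"),
        "OPT1->LAN": ("OPT1", "192.168.100.10", "192.168.0.10"),
        "LAN->web": ("LAN", "192.168.0.10", "203.0.113.5"),
        "OPT1->web": ("OPT1", "192.168.100.10", "203.0.113.5"),
    }
    return {name: evaluate(rules, *pkt) for name, pkt in cases.items()}

# Rules exactly as posted in the first post: (interface tab, action, source, destination)
POSTED = [
    ("LAN", "pass", "LAN net", "!OPT1 net"),
    ("OPT1", "pass", "OPT1 net", "!LAN net"),
]
# Constructed example of the "other rules" case: pfSense's stock
# "Default allow LAN to any" rule still sitting above the isolation rule.
LEFTOVER_DEFAULT = [("LAN", "pass", "LAN net", "*")] + POSTED

if __name__ == "__main__":
    print("posted rules:    ", isolation_report(POSTED))
    print("leftover default:", isolation_report(LEFTOVER_DEFAULT))
```

With the posted rules both cross-subnet cases come back "block" and both web cases "pass"; with the stock allow-to-any rule left above them, LAN->OPT1 passes, which is exactly what a rule-order review on the LAN tab should catch.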

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.