Network/Subnet Confusion - Separating LAN and OPT1
-
Hi,
I'm trying to block traffic between my LAN and OPT1 NICs without luck.
The rest of my setup is working really well - my servers are live to web via LAN
and I can access the web for personal use via OPT1. pfSense is awesome! :D
I can calculate subnet masks, address ranges, broadcast addresses, etc.,
but after reading the pfSense docs, forums, and networking guides,
I'm confused how to 'use' network addresses and subnets with pfSense interfaces
(and probably in general). I'm such a monkey!
With a few words of help from someone here, I think my twisted view of how to
solve this problem and use (not use) addressing will be cleared up forever.
-------------------------------
MY SETUP
Physical layout
WAN (Cable static IP) - pfSense - LAN NIC, 192.168.0.254/24 - for web servers.
                                - OPT1 NIC, 192.168.100.254/24 - for personal use.
Rules
WAN and NAT rules for web servers (HTTP etc) - servers are 'live' to WWW. :D
LAN rule: * LAN net * !OPT1 net * * default
OPT1 rule: * OPT1 net * !LAN net * * default - my laptop can use web. :D
AON enabled with rules for LAN and OPT1 (as per forum suggestion I read.)
Hope you can help!
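The two interface rules above are easier to reason about with a small model of how pfSense evaluates them: a rule on the LAN tab only sees packets entering from LAN hosts, rules are tried top to bottom with the first match winning, and a packet that matches no rule is dropped by the implicit default deny. The following is an added example written for this thread, not pfSense code; the host addresses, the "leftover allow-all" rule set and the "swapped" rule set are assumptions used to show what each arrangement does.

```python
"""Toy model of pfSense per-interface rule evaluation (added example, not pfSense code).

Assumed semantics: a rule applies to packets entering the interface named on it,
rules are checked top to bottom, the first match decides, and a packet matching
no rule is blocked (implicit default deny). Only source/destination address
matching is modelled; protocol, ports and gateway are ignored.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Interface networks as given in the post.
NETS = {
    "LAN net": ip_network("192.168.0.0/24"),
    "OPT1 net": ip_network("192.168.100.0/24"),
}


@dataclass(frozen=True)
class Rule:
    iface: str    # rule tab the rule sits on: "LAN" or "OPT1"
    action: str   # "pass" or "block"
    src: str      # "*", "LAN net", "!OPT1 net", ...
    dst: str      # same syntax as src


def matches(spec: str, addr: IPv4Address) -> bool:
    """'*' matches any address; a leading '!' inverts the network match."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    net = NETS[spec.lstrip("!")]
    return (addr in net) != negate


def evaluate(rules, iface: str, src: str, dst: str) -> str:
    """Verdict for a packet entering `iface` from src to dst."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.iface == iface and matches(r.src, s) and matches(r.dst, d):
            return r.action
    return "block"  # implicit default deny


# Rules exactly as listed in the post.
ISOLATING = [
    Rule("LAN", "pass", "LAN net", "!OPT1 net"),
    Rule("OPT1", "pass", "OPT1 net", "!LAN net"),
]

# Assumed variant: the default "LAN net -> any" pass rule still sits above them.
WITH_LEFTOVER_ALLOW_ALL = [Rule("LAN", "pass", "LAN net", "*")] + ISOLATING

# Assumed variant: source and destination fields entered the wrong way round.
SWAPPED = [
    Rule("LAN", "pass", "!OPT1 net", "LAN net"),
    Rule("OPT1", "pass", "!LAN net", "OPT1 net"),
]

# Hypothetical hosts for the checks below (203.0.113.0/24 is documentation space).
LAN_HOST, OPT1_HOST, INTERNET = "192.168.0.10", "192.168.100.10", "203.0.113.5"


def check(rules):
    """Verdicts for (LAN->OPT1, LAN->Internet, OPT1->LAN, OPT1->Internet)."""
    return (
        evaluate(rules, "LAN", LAN_HOST, OPT1_HOST),
        evaluate(rules, "LAN", LAN_HOST, INTERNET),
        evaluate(rules, "OPT1", OPT1_HOST, LAN_HOST),
        evaluate(rules, "OPT1", OPT1_HOST, INTERNET),
    )


if __name__ == "__main__":
    for name, rules in [("isolating", ISOLATING),
                        ("leftover allow-all", WITH_LEFTOVER_ALLOW_ALL),
                        ("swapped", SWAPPED)]:
        print(f"{name:20s} LAN->OPT1, LAN->WAN, OPT1->LAN, OPT1->WAN = {check(rules)}")
```

Running it shows the three outcomes worth knowing: the rules as posted block both cross-subnet directions while leaving Internet access alone; a broader "LAN net to any" pass rule left above them matches first and lets LAN reach OPT1 regardless; and with source and destination swapped, the negated source never pairs with a matching destination, so the rule passes nothing at all and everything falls through to the default deny.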
-
Are you sure that you don't have other rules on LAN or OPT1?
Because with the rules you just posted you should not be able to access the other subnet.
-
The above rule works for me; in fact, I figured out how to block LAN->OPT1 by following your own post (thank you btw, I was about to post the same question about an hour ago).
I have AON disabled, with no other firewall rules for LAN or OPT1. Sorry, I wish I could help in return other than to confirm your rules 'ought' to work.
-
Yeah the configuration as described will work. I'm guessing you must have other rules there. AON is probably not necessary, though your NAT configuration is separate and unrelated to whether or not traffic is passed.
-
I think we have the same problem.
http://forum.pfsense.org/index.php/topic,9090.0.html
-
Hi,
Sorry for late reply - I don't get to my pfSense box too often to check rules.
Yep - I'm a monkey - I had my subnets round the wrong way - source and destination mixed up.
Subnets are now isolated as per rules in my first post. :D
Next time I'll double check my own notes and this forum. (I'll soon have the pfSense box and servers locally, which will speed up my development/breaking things! =)
Thanks for your help - these forums are probably one of the most useful/friendly for this stuff and in general!!!
Now I just have to work out how to allow my email server (on LAN) to dish out its SSL cert without bumping off every other SSL session I try to start in web browser (on OPT1) eg other web based email, online banking sessions etc.
Must be how I set the certificate's domain?
It stopped as soon as I killed the NAT and auto-created rule for the email server's SSL port (443), but now I'm without email. =)
I'd better ask this on another forum - I'm not sure I can fix this with pfSense.
If anyone has any ideas how to fix this with pfSense - just tell me, and I'll start another thread.
Thanks again!
:D