2 LANs: block local traffic between LANs



  • I have 2 LANs set up on my pfSense box. I live in a 4-plex and 2 of my buddies live in the same building, and I'm letting them use my internet.

    My question is: I have all my network stuff on one adapter with subnet x.x.1.1, and they are on another adapter with x.x.0.1. I have my file server and my box for my IP cam recording on my network. I can ping anything on their network from my network, and from theirs I can ping my x.x.1.1 web GUI but not any other network devices on my network.

    I would like to block any traffic between both LAN interfaces but keep internet traffic, of course, and also block their access to the pfSense web GUI on either subnet from the x.x.0.1 subnet.

    I tried for a while to research how to do this and saw a few posts, but I was pretty confused.

    If someone could help me out it would be much appreciated. :) Sorry if I missed something; I'm still new to the pfSense world and still have lots to learn.

    Also sorry if this is in the wrong area.



  • You have to edit your firewall rules on both interfaces: Firewall > Rules.
    By default pfSense has an allow any-to-any rule on the LAN interface. For the second LAN you will have added this rule manually.

    Since pfSense only permits access which is explicitly allowed by rules, you just have to change the rule to permit all other destinations, but not the other LAN.
    Go to the LAN tab and edit the any-to-any rule by clicking the "e" at the right. At Destination check "not" and select the other LAN from the dropdown underneath, then save it. Do the same on the other LAN tab.

    To prevent access to the web GUI from x.x.0.1, add a rule to this interface by clicking the upper +.
    At Action select Block
    Protocol: any
    Source: any
    Destination: the corresponding LAN interface address
    Give it a description and save it. Click Apply Changes.
    Ensure that the rule is at the top of the rule set.



  • Thank you for the reply. I've been busy, so I'm hopefully going to get to try this out tonight.

    I will return and let you know how it went.

    Thank you.



  • @viragomann:

    You have to edit your firewall rules on both interfaces: Firewall > Rules.
    By default pfSense has an allow any-to-any rule on the LAN interface. For the second LAN you will have added this rule manually.

    Since pfSense only permits access which is explicitly allowed by rules, you just have to change the rule to permit all other destinations, but not the other LAN.
    Go to the LAN tab and edit the any-to-any rule by clicking the "e" at the right. At Destination check "not" and select the other LAN from the dropdown underneath, then save it. Do the same on the other LAN tab.

    To prevent access to the web GUI from x.x.0.1, add a rule to this interface by clicking the upper +.
    At Action select Block
    Protocol: any
    Source: any
    Destination: the corresponding LAN interface address
    Give it a description and save it. Click Apply Changes.
    Ensure that the rule is at the top of the rule set.

    Alright, so I have tried this, and the block traffic rule works on the x.x.1.1 interface, which blocks traffic to x.x.0.1, but it doesn't work on the x.x.0.1 interface back to the x.x.1.1 interface.
    Also, the block GUI rule blocks all HTTP traffic.

    So I'm still kind of lost here.

    x.x.1.1 is my interface
    x.x.0.1 is the other interface



  • Please post your rules of both LANs and also the floating rules, if there are any.

    @ryley_999:

    Also, the block GUI rule blocks all HTTP traffic.

    It should block any access to the pfSense interface; internet access should not be blocked by this.
    If you just want to block the WebGUI, select the TCP protocol and the specific destination port.



  • @viragomann:

    Please post your rules of both LANs and also the floating rules, if there are any.

    @ryley_999:

    Also, the block GUI rule blocks all HTTP traffic.

    It should block any access to the pfSense interface; internet access should not be blocked by this.
    If you just want to block the WebGUI, select the TCP protocol and the specific destination port.

    My current rules, without the settings that were suggested.





  • Rules go down from the top; the first rule to trigger fires and no other rules are used. So let's look at my DMZ rules as an example: it allows internet access, allows pinging the pfSense interface to validate connectivity, and allows using pfSense for DNS, but nothing else other than internet.

    I have an alias that has the RFC1918 networks in it (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12) and also have an alias that has my local IPv6 segments in it. These are global addresses, not link local.

    So the 1st 2 rules allow IPv4 and IPv6 to ping the DMZ pfSense interface, in my case 192.168.3.253.
    The next rules allow them to talk to pfSense on its DMZ interface for DNS, both IPv4 and IPv6.
    The next 2 rules block access to any other pfSense address, be it WAN or LAN, IPv4 or IPv6. This blocks them out of the web GUI, out of SSH, out of UPnP, anything else other than the ping and DNS to the firewall addresses that were allowed above these rules.

    The next rule allows them to go anywhere they want that is not RFC1918 address space, that is, the ! rfc1918 alias, so internet is fine for anything, but nothing local.
    The next rule is the same but says you can go anywhere you want via IPv6 as long as it's not any of my local IPv6 addresses; this is the alias that contains all my other IPv6 segments.

    Doing similar rules would lock that LAN to just the internet. You would want to put your limiter rule on the rules you want to limit their bandwidth on, most likely the last 2 that allow them to go to the internet on IPv4 or IPv6.




  • You need to create four rules at a minimum and place them at the top of your list.

    On your LAN interface:
    Block IPv4/IPv6 any from MYNETWORK Net to OTHERAPARTMENTS Net

    On your OPT1 interface:
    Block IPv4/IPv6 any from OTHERAPARTMENTS Net to MYNETWORK Net
    Block IPv4/IPv6 TCP/UDP from any to This Firewall Port 80
    Block IPv4/IPv6 TCP/UDP from any to This Firewall Port 443
    Block IPv4/IPv6 TCP/UDP from any to This Firewall Port 22

    While this will do the trick, it's not ideal, as your current rules are default allow (i.e. you allow traffic to everywhere unless it's specifically blocked). This allows anyone on OPT1 to access any port on the firewall by default, which is not ideal.

    It would be preferable to change the current rules on OPT1 to specify your WAN gateway under the advanced options for these rules and then add allow rules above those two rules for each service on your firewall that you want accessible from OPT1 (i.e. DNS, DHCP, NTP, proxy, etc.). This will be a bit more complex to set up and you'll need to monitor your firewall logs to troubleshoot any connection issues.
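An added example, not from this thread or from pfSense: a small Python model of how pfSense evaluates interface rules (top down, first match wins, no match means deny), loaded with the two OPT1 rule sets suggested above, the four-rule set from the reply just above and the earlier "block the interface address, then allow not-LAN" variant. The subnets 192.168.1.0/24 (x.x.1.0/24) and 192.168.0.0/24 (x.x.0.0/24), the flow addresses and the rule dictionaries are constructed assumptions.

```python
"""Model of pfSense per-interface rule evaluation for the OPT1 rule sets in this thread."""
from ipaddress import ip_address, ip_network

# Constructed addressing: the thread only gives x.x.1.1 (own LAN) and x.x.0.1 (OPT1).
LAN = ip_network("192.168.1.0/24")                 # poster's own network
OPT1 = ip_network("192.168.0.0/24")                # the other apartments
LAN_ADDR, OPT1_ADDR = ip_address("192.168.1.1"), ip_address("192.168.0.1")
THIS_FIREWALL = {LAN_ADDR, OPT1_ADDR}              # pfSense "This Firewall (self)" alias


def rule(action, proto="any", src="any", dst="any", dport=None, invert_dst=False):
    """One GUI rule; dst is 'any', 'this_firewall', one address, or a list of networks."""
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport, invert_dst=invert_dst)


def _dst_matches(spec, dst):
    if spec == "any":
        return True
    if spec == "this_firewall":
        return dst in THIS_FIREWALL
    if isinstance(spec, list):                     # alias of networks (e.g. MYNETWORK Net)
        return any(dst in net for net in spec)
    return dst == spec                             # a single interface address


def evaluate(rules, proto, src, dst, dport=None):
    """Walk the rule set top down; the first matching rule decides. No match = block."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if r["proto"] != "any" and proto not in r["proto"]:
            continue
        if r["src"] != "any" and src not in r["src"]:
            continue
        if _dst_matches(r["dst"], dst) == r["invert_dst"]:   # honours the "not" checkbox
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "block"


# Four-rule set from the last reply, placed above the existing allow-any rule on OPT1.
FOUR_RULES = [
    rule("block", src=OPT1, dst=[LAN]),
    rule("block", proto={"tcp", "udp"}, dst="this_firewall", dport=80),
    rule("block", proto={"tcp", "udp"}, dst="this_firewall", dport=443),
    rule("block", proto={"tcp", "udp"}, dst="this_firewall", dport=22),
    rule("pass"),
]
# Earlier variant: block everything to the OPT1 interface address, then allow "not LAN".
NOT_LAN_RULES = [rule("block", dst=OPT1_ADDR), rule("pass", dst=[LAN], invert_dst=True)]
```

Running the same flows through both sets shows that internet traffic passes under either, the file server and the GUI on both firewall addresses are blocked, but the all-protocol block to the interface address also drops DNS queries to pfSense, which clients using it as their resolver will experience as a web outage; reversing the order of the four-rule set lets the allow-any rule fire first and the blocks never apply.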



  • OK, I'll try this out. I haven't had much time to mess around with it lately; other suggestions I received didn't work.