
Author Topic: Simplest way to block OPT1 accessing LAN yet allow 2 devices on OPT1 access


Offline yea

  • Newbie
  • Posts: 10
  • Karma: +0/-0
Hi

I have OPT1 connected to an AP on 172.20.1.x
I have LAN on 192.168.0.x

I want to block all on OPT1 from accessing the LAN net, except for 2 devices, which should only be able to connect to one IP on the LAN net and to a specific port.

1) I have created a rule on OPT1 blocking OPT1 net from accessing LAN net.

2) I also have another rule on OPT1 saying "alias of the 2 devices on OPT1" allow "LAN device IP alias" "LAN device port alias".

Can I order the rules in such a way as to block all traffic to LAN (1), and have my other rule (2) work? Or does the block rule overrule the allow rule?

If not, is there a simple way to achieve what I'm after?

Hope that all makes sense.

Offline doktornotor

  • Hero Member
  • Posts: 8553
  • Karma: +956/-278
  • Not a pfSense employee, they cannot fire me...
Re: Simplest way to block OPT1 accessing LAN yet allow 2 devices on OPT1 access
« Reply #1 on: September 13, 2017, 10:02:00 am »
Rules are top down, first match wins.
Do NOT PM for help!

Offline johnpoz

  • Hero Member
  • Posts: 14265
  • Karma: +1329/-191
  • Not a pfSense employee, they cannot fire me...
Re: Simplest way to block OPT1 accessing LAN yet allow 2 devices on OPT1 access
« Reply #2 on: September 13, 2017, 10:49:44 am »
Post up your rules on your OPT interface. But dok is correct: rules are evaluated as traffic enters an interface. Top down, first rule to trigger wins; no other rules are evaluated.

If you need a picture I can post. But this is really drop-dead simple.

If your top rule on OPT is block, then your 2nd rule to allow would never be evaluated. Put your rule that allows your specific IPs to go to LAN above, then below put your block if you want. Since there is a default deny, there really is no need for the block rule at all. All interfaces have a default deny (not shown in the GUI) that would block all traffic that is not allowed.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.1-RELEASE on VM esxi 6.5 (home)
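Worked example of the evaluation order doktornotor and johnpoz describe, added here as an illustration and not code from the thread or from pfSense itself: a small Python simulation of an interface ruleset with first-match-wins semantics and the hidden default deny. The OPT1 and LAN networks come from the thread; the two permitted hosts (172.20.1.10 and .11), the LAN server (192.168.0.50) and port 8443 are assumed values standing in for the poster's aliases. The last ruleset goes beyond what the thread covers: it shows that if OPT1 also carries a pass-to-any rule for Internet access, the block rule becomes necessary again and must sit above that pass rule.

```python
"""Simulation of pfSense interface-rule evaluation: top-down, first match wins,
implicit default deny. Added example; addresses and ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address

# Networks named in the thread.
OPT1_NET = ipaddress.ip_network("172.20.1.0/24")
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Hypothetical alias members (the thread names the aliases, not their contents).
ALLOWED_OPT1_HOSTS = frozenset({IPv4("172.20.1.10"), IPv4("172.20.1.11")})
LAN_SERVER = frozenset({IPv4("192.168.0.50")})
LAN_SERVER_PORTS = frozenset({8443})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "pass" or "block"
    src: object                         # ip_network or frozenset alias
    dst: object                         # ip_network or frozenset alias
    dports: Optional[frozenset] = None  # None means any destination port

    def matches(self, src: IPv4, dst: IPv4, dport: int) -> bool:
        # `addr in network` and `addr in frozenset` both work, so a network
        # and an alias can be treated the same way.
        return (src in self.src and dst in self.dst
                and (self.dports is None or dport in self.dports))


def evaluate(rules: List[Rule], src: IPv4, dst: IPv4, dport: int) -> Tuple[str, str]:
    """Walk the ruleset as pfSense does for traffic entering the interface.
    Every GUI rule is a pf `quick` rule, so the first match ends evaluation;
    if nothing matches, the hidden default-deny rule applies."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action, rule.name
    return "block", "default deny (not shown in GUI)"


ALLOW_TWO = Rule("pass 2 OPT1 hosts -> LAN server:port", "pass",
                 ALLOWED_OPT1_HOSTS, LAN_SERVER, LAN_SERVER_PORTS)
BLOCK_LAN = Rule("block OPT1 net -> LAN net", "block", OPT1_NET, LAN_NET)
ALLOW_ANY = Rule("pass OPT1 net -> any", "pass", OPT1_NET, ANY)

RULESETS: Dict[str, List[Rule]] = {
    # The poster's worry: block on top shadows the allow rule entirely.
    "block first": [BLOCK_LAN, ALLOW_TWO],
    # johnpoz's ordering: specific allow first, block below it.
    "allow then block": [ALLOW_TWO, BLOCK_LAN],
    # johnpoz's point that the block is redundant given the default deny.
    "allow only": [ALLOW_TWO],
    # Beyond the thread: with a pass-to-any rule for Internet access, the
    # LAN block is needed again and must sit above that pass rule.
    "allow, block LAN, pass any": [ALLOW_TWO, BLOCK_LAN, ALLOW_ANY],
}

# Constructed test flows: (source, destination, destination port).
FLOWS = [
    ("172.20.1.10", "192.168.0.50", 8443),   # permitted host, permitted service
    ("172.20.1.10", "192.168.0.50", 22),     # permitted host, other port
    ("172.20.1.20", "192.168.0.50", 8443),   # non-permitted OPT1 host
    ("172.20.1.10", "198.51.100.7", 443),    # permitted host to the Internet
]


def decide(ruleset: str, src: str, dst: str, dport: int) -> str:
    """Return "pass" or "block" for one flow under the named ruleset."""
    return evaluate(RULESETS[ruleset], IPv4(src), IPv4(dst), dport)[0]


if __name__ == "__main__":
    for name, rules in RULESETS.items():
        print(f"== {name} ==")
        for src, dst, dport in FLOWS:
            action, hit = evaluate(rules, IPv4(src), IPv4(dst), dport)
            print(f"  {src} -> {dst}:{dport:<5} {action:5} ({hit})")
```

pfSense writes every GUI rule with pf's `quick` keyword, which is why the first matching rule ends evaluation (plain pf without `quick` is last-match-wins). After reordering, a quick check is the firewall log (Status > System Logs > Firewall): the permitted host's connection to the LAN port should show as passed, and any other OPT1-to-LAN attempt should be logged by the default deny, with no need for a separate block rule unless a broader pass rule sits below it.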

Offline yea

  • Newbie
  • Posts: 10
  • Karma: +0/-0
Re: Simplest way to block OPT1 accessing LAN yet allow 2 devices on OPT1 access
« Reply #3 on: September 15, 2017, 04:38:52 pm »
I apologise for the late reply, but your help has been very useful.

Thank you :)