
Author Topic: Create a guest network with VLAN tag 1003  (Read 826 times)


Offline wgstarks

Re: Create a guest network with VLAN tag 1003
« Reply #30 on: January 02, 2018, 06:50:47 pm »
Think I've got everything working now. Thanks @Derelict. Guest network has access to DHCP Server and WAN but no access to firewall or LAN (only other local network currently).

The firewall rules may need some tweaking. Any advice? I checked pinging, that works.




Edit: Caught my mistake with the "Block LAN Access" rule order. It's now one above "Allow Any".
« Last Edit: January 02, 2018, 07:16:12 pm by wgstarks »
pfSense vs 2.4.2_1
Box: Minisys IBOX-501 N10E
CPU: Intel Atom E3845
NIC: Intel WG82583 1000M x 4
RAM: 8GB

Offline Derelict

Re: Create a guest network with VLAN tag 1003
« Reply #31 on: January 02, 2018, 10:46:43 pm »
Your Allow any rule will pass all traffic and nothing below it will have any effect.
Las Vegas, Nevada, USA

Offline wgstarks

Re: Create a guest network with VLAN tag 1003
« Reply #32 on: January 03, 2018, 06:59:10 am »
> Your Allow any rule will pass all traffic and nothing below it will have any effect.

Are you saying I should modify "allow any" or delete the rules below it? Or both?

Online johnpoz

Re: Create a guest network with VLAN tag 1003
« Reply #33 on: January 03, 2018, 07:05:42 am »
What he is saying is rules are evaluated top down, first rule to trigger wins - no other rules are evaluated.

Anything below an any any allow is pointless since no traffic will ever make it to that rule since the any any allow will pass the traffic.  You need to place your rules in the correct order top down so they evaluate how you want them to evaluate.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)
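
Added example (not part of any post in this thread, and not pfSense code): a small model of the top-down, first-match evaluation described above, plus a check that flags a rule sitting below an earlier rule that already covers it. The guest and LAN subnets, the rule model and the function names are assumptions made for illustration; protocol and port matching are left out.

```python
# Added example: models first-match rule evaluation; not pfSense code.
# Networks and rule names are constructed; protocol/port matching is omitted.
from ipaddress import ip_address, ip_network

GUEST, LAN, ANY = "192.168.30.0/24", "192.168.1.0/24", "0.0.0.0/0"  # constructed

def rule(name, action, src, dst):
    return {"name": name, "action": action,
            "src": ip_network(src), "dst": ip_network(dst)}

def evaluate(rules, src, dst):
    """Return (action, rule name) of the first matching rule, else default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"]:
            return r["action"], r["name"]
    return "block", "default deny"

def shadowed(rules):
    """List (rule, earlier rule) pairs where the earlier rule covers the later one."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (r["src"].subnet_of(earlier["src"])
                    and r["dst"].subnet_of(earlier["dst"])):
                found.append((r["name"], earlier["name"]))
                break
    return found

allow_any = rule("Allow Any", "pass", GUEST, ANY)
block_lan = rule("Block LAN Access", "block", GUEST, LAN)
wrong_order = [allow_any, block_lan]   # block rule can never fire
right_order = [block_lan, allow_any]   # block rule is checked first

if __name__ == "__main__":
    for label, rs in (("wrong", wrong_order), ("right", right_order)):
        print(label, "guest->LAN:", evaluate(rs, "192.168.30.50", "192.168.1.10"))
        print(label, "guest->internet:", evaluate(rs, "192.168.30.50", "8.8.8.8"))
        print(label, "shadowed:", shadowed(rs))
```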

Offline wgstarks

Re: Create a guest network with VLAN tag 1003
« Reply #34 on: January 03, 2018, 07:23:49 am »
Thanks. Actually, I understood that. Should have been more specific.

I can see that the default block rules aren't going to do anything. If I move the any-any rule below them then it won't do anything. Since I'm a noob at this, I'm not sure if I should modify the any-any rule or just delete the default block rules? My intent with this rule is to allow unlimited access to the internet.

Online johnpoz

Re: Create a guest network with VLAN tag 1003
« Reply #35 on: January 03, 2018, 07:32:26 am »
There is a default deny rule anyway. There is no reason to create your own rule unless you have turned off logging of the default rule and would still like to log stuff that makes it through your rules that you block that meets some specific criteria you set up in the block rule that would be different than default deny, etc.  Or if you only want to log stuff on specific LAN-side interfaces and have turned off the logging of the default deny rule that is on all interfaces.