Re: AW: [pfSense Support] new user... need help with Rules

Wed, 28 Feb 2007 22:37:19 -0800 

AHA!

Holger, Espen, Thank you.
Holger, apologies - I had that first rule that passed LAN2 Traffic to WAN and everything else... I didn't realize it was working against me. Now I realize that I only need two rules on the LAN2 net to do what I was aiming for. 

Success.

Mahalo,
Jeremy

On Feb 28, 2007, at 11:51 AM, Espen Johansen wrote:


This is how I deal with wireless to internet acess but not lan.

add a rule that says:
Pass WLAN-subnet to destination NOT (!) LAN
(meaning if it's not rying to acess lan then it's all good)
You can also add rules to drop connections from WLAN clients to
destination firewall when port is 80/22 (GUI/ssh) etc.
Then VPN into the firewall from WLAN zone to acess LAN.

-lsf

On 2/28/07, Jeremy Bennett <[EMAIL PROTECTED]> wrote:

In review, I'd like to grant full access to the internet for all
computers on LAN (private, wired, my machines) and LAN2 (wireless
segment - friends, families, neighbors). I'd like to make LAN
invisible as far as LAN2 is concerned, yet allow my laptop to access
LAN when it is attached to LAN2 wirelessly.

I may not have been totally clear... I still need my LAN2 to see the
internet, so the first rule WAS:
PASS | Proto: * | Source: LAN2 net | Port: * | Destination: * | Port:
* | Gateway: *

So I changed it as such

PASS | Proto: * | Source: * | Port: * | Destination: WAN address |
Port: * | Gateway: * (Pass LAN2 to wan)
PASS | Proto: * | Source: 192.168.12.99 | Port: * | Destination: * |
Port: * | Gateway: * (Pass Powerbook to LAN)
PASS | Proto: * | Source: LAN2 net | Port: * | Destination: ! LAN net
| Port: * | Gateway: * (Block LAN2 from LAN)

It seems to work...

Have I introduced any sort of horrible security issue by doing this?

Thanks for the help.


>
>
> On Feb 26, 2007, at 1:13 AM, Holger Bauer wrote:
>
>> First create a DHCP-server fort he LAN2 segment at services|
>> dhcpserver|lan2-tab and add a static mapping for the mac of your
>> notebook.
>>
>> Then go to firewall|rules|lan2tab
>> Add a rule: pass, protocol any, source (IP of notebook),
>> destination any, gateway default
>>
>> Below this add a rule: pass protocol any, source lan2 net,
>> destination NOT LAN, gateway default
>>
>> That's all that is needed.
>>
>> Holger
>>
>> -----Ursprüngliche Nachricht-----
>> Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> Gesendet: Montag, 26. Februar 2007 10:39
>> An: [email protected]
>> Betreff: [pfSense Support] new user... need help with Rules
>>
>> I have pFsense 1.0.1, with a WAN, LAN and LAN2. The WAN gets an
>> address
>> via DHCP from local cable provider. LAN (192.168.12.1) is my (soon
>> to be)
>> private network, and LAN2 (192.168.12.1) has a couple of wireless
>> bridges|APs at 192.168.12.253 & 254. What I need to do is create a
>> rule
>> that blocks traffic between LAN2 and LAN, yet still allows my laptop 
>> (192.168.12.99, assigned via MAC|static) to access LAN while
>> wirelessly
>> connected to LAN2. Any help or guidance on this is much appreciated. 
>>
>> Mahalo,
>> Jeremy
>>
>>
>> --------------------------------------------------------------------- 
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>> --------------------------------------------------------------------- 
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>
>
> --------------------------------------------------------------------- 
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to