The rules are the easy part. I had to do a similar thing for a pfSense box
that had 4 interfaces.
I'm just going to share my advice now, but you'll need to get the subnetting
figured out before you can add these rules.

On the LAN2 interface, create a block rule that goes at the very top of the
rules list that prevents any connection originating in LAN2 from connecting
to LAN1. Then after that you can have the standard "LAN2 -> any" rule and
everything should work as expected.

On the LAN1 interface, you shouldn't have to add any rules except the
default "LAN -> any" rule.

I understand I may have misunderstood your needs, but as I understand them,
that is the rule set-up you will want. It should still allow LAN1 to print
to a printer on LAN2, but not allow LAN2 to access LAN1.



----- Original Message ----- 
From: "Tortise" <[email protected]>
To: <[email protected]>
Sent: Saturday, February 28, 2009 12:53 AM
Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)


> Hi Adrian
>
> Thank you so much for your response.
>
> I think those numbers do have something to do with it, as when I enable
> OPT1 I lose the webserver's access and have to reset to a default and
> start over....  (I hate that!)
>
> I have since tried configuring as:
> LAN1: 10.aaa.bbb.ccc/8
> LAN2: 10.(aaa+1).bbb.ccc/9
>
> I presume I have still got it wrong.
>
> I want to keep LAN1's IP numbers as they are, as there are a number of
> Static DHCP assignments all set. For LAN2 I don't really care what this
> is, and I can't imagine needing more than 20 addresses on LAN2, which may
> be relevant.  Can you suggest further?  (Of course they can be changed if
> necessary....)
>
> Also I assume I will need to do some LAN2 rules to 1) give access to the
> Internet and LAN1 rules to gain access to LAN2 however the devil may be
> lying in the detail to do that...
>
> Still as you say we need to get LAN2 working for a start.
>
> Kind regards
> David
>
>
> ----- Original Message ----- 
> From: "Adrian Wenzel" <[email protected]>
> To: <[email protected]>
> Sent: Saturday, February 28, 2009 7:05 PM
> Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
>
>
>
> Hello,
>
>    So, it seems you are configuring as such:
>
> LAN1: 10.aaa.bbb.ccc/8
>
> LAN2: 10.xxx.yyy.zzz/8
>
> This is not right, since /8 means a netmask of 255.0.0.0, making the
> network portion of each subnet only the first octet... thus the same
> subnet.  Two devices configured with the same subnet, and on two different
> physical networks, will not work.
>
> You should try a netmask of 255.128.0.0, or /9 (assuming you really need
> all those IPs on each network).  That will correctly differentiate the
> subnets and allow routing to occur ;)
>
> We can get into separating your LANs to disallow your desired access after
> this is working.
>
> Thanks,
> Adrian
>
>
> ----- Original Message -----
> From: "Tortise" <[email protected]>
> To: [email protected]
> Sent: Saturday, February 28, 2009 12:05:17 AM GMT -05:00 US/Canada Eastern
> Subject: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
>
> Hi
>
> I have been trying to set up a WAN and two LANs.  (3 NICs)
>
> I want LAN1 to be able to access LAN2 but not the other way around.  The
> idea is that LAN1 is less public than LAN2.
>
> i.e. visitors can connect to the "Public" LAN2 and browse the Internet etc
> while not having any access to LAN1
>
> LAN 2 will have a LAN printer on it, as an example, which can receive
> print jobs from both LAN1 and LAN2.
>
> WAN is a static IP to Cable.
>
> LAN1 is using 10.xxx.yyy.zzz 8 and OPT was intended to use 10.aaa.bbb.ccc
> 8 however enabling this seems to make it all fall over, ie I lose Internet
> connection from LAN things become unresponsive.
>
> As an aside I tried editing /conf/config.xml however it would not save
> from the terminal window, does one have rights to edit the config there?
> I was using the ee editor.
>
> Has anyone done this sort of thing and what am I missing to get it
> working?
>
> In anticipation many thanks indeed.
>
> Kind regards
> David
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
> Commercial support available - https://portal.pfsense.org
>
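
Added example (not part of the original thread, and not pfSense code): a small Python model of the two points discussed above, checking whether two interface subnets overlap and evaluating the per-interface rule lists top-down with the first match winning. All addresses are constructed, since the thread elides the real octets; the rule tuples and function names are hypothetical.

```python
import ipaddress

def subnets_overlap(if1: str, if2: str) -> bool:
    """True if two interface addresses (address/prefix) sit in overlapping networks."""
    n1 = ipaddress.ip_interface(if1).network
    n2 = ipaddress.ip_interface(if2).network
    return n1.overlaps(n2)

def first_match(rules, src: str, dst: str) -> str:
    """Walk one interface's rule list top-down; the first matching rule decides.
    A new connection that matches nothing is blocked (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "block"

# Constructed sample addressing: two /9 networks that do not overlap.
LAN1, LAN2, ANY = "10.0.0.0/9", "10.128.0.0/9", "0.0.0.0/0"

# Rules apply to new connections on the interface where they enter the
# firewall. Replies ride on the state of an allowed connection, so a LAN1
# client printing to LAN2 needs no rule on the LAN2 interface.
LAN2_RULES = [("block", LAN2, LAN1),   # must sit above the pass rule
              ("pass",  LAN2, ANY)]
LAN1_RULES = [("pass",  LAN1, ANY)]
# Same LAN2 rules in the wrong order: "pass any" matches before the block.
LAN2_RULES_WRONG_ORDER = list(reversed(LAN2_RULES))

if __name__ == "__main__":
    guest, desktop, printer = "10.128.0.99", "10.10.0.50", "10.128.0.20"
    print("both /8 overlap:       ", subnets_overlap("10.10.0.1/8", "10.20.0.1/8"))
    print("/8 and /9 overlap:     ", subnets_overlap("10.10.0.1/8", "10.11.0.1/9"))
    print("split /9s overlap:     ", subnets_overlap("10.10.0.1/9", "10.200.0.1/9"))
    print("guest -> LAN1:         ", first_match(LAN2_RULES, guest, desktop))
    print("guest -> Internet:     ", first_match(LAN2_RULES, guest, "198.51.100.7"))
    print("LAN1 -> LAN2 printer:  ", first_match(LAN1_RULES, desktop, printer))
    print("guest -> LAN1 (wrong): ", first_match(LAN2_RULES_WRONG_ORDER, guest, desktop))
```
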

