Blocking default LAN from accessing VLAN

I’m very new to pfSense. I’ve searched here but didn’t find an answer to my question.

I just set up a Netgate 2100 per the documentation including a VLAN tagged 4084 for a guest Wi-Fi on Port 4 of the internal switch. Created the rules per the documentation and everything works great.

I then created another VLAN tagged 4083, same set of rules as the first and put it on Port 3. This is patched to a switch that has a NAS and a PC. They connect to each other and the internet.

What I don’t understand is how to block devices on the default LAN from accessing my VLAN 4083 devices, the NAS and PC.

I’ve read the rules documentation repeatedly but I don’t get it, yet.

Any assistance would be appreciated.

Get rid of your last rule, set the second to last rule to allow and set a reverse on the RFC1918 so it looks like !RFC1918.

Then your rule is saying allow everything that is NOT RFC1918.

EDIT:

Looking at the rest of your rules, they don’t look right. You don’t block or allow “This firewall”; you do this by the interface address or by the interface net. Look at this example.

  1. Blocks all DNS traffic that is NOT my GUEST address (interface)
  2. Allows GUEST subnet to GUEST address for DNS
  3. Allow Guest net to everything that is NOT RFC1918
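The three-rule pattern above, modelled as an added example that is not part of the thread: a small first-match evaluator (pfSense rules on an interface tab are evaluated top to bottom on traffic entering that interface, the first match wins, and anything unmatched is dropped by the default deny) run over constructed flows. The addressing (GUEST at 192.168.83.1/24, LAN at 192.168.1.1/24) and the sample flows are assumptions for the example only. It also shows the same pattern on the LAN tab, which is what keeps LAN hosts out of the VLAN without a separate block rule, and why a rule for “This Firewall” is redundant once everything inside RFC1918 is already excluded.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumed for this example, not taken from the thread).
ALIASES = {
    "GUEST net": [ipaddress.ip_network("192.168.83.0/24")],
    "GUEST address": [ipaddress.ip_network("192.168.83.1/32")],
    "LAN net": [ipaddress.ip_network("192.168.1.0/24")],
    "LAN address": [ipaddress.ip_network("192.168.1.1/32")],
    # The RFC1918 alias the replies refer to: every IPv4 private range.
    "RFC1918": [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}


@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    description: str
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # alias name; None matches any source
    dst: Optional[str] = None    # alias name; None matches any destination
    dst_invert: bool = False     # the GUI's "Invert match" on destination, i.e. "!alias"
    dport: Optional[int] = None  # None matches any destination port


def in_alias(ip: str, alias: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALIASES[alias])


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.src is not None and not in_alias(flow.src, rule.src):
        return False
    # With invert set, the rule matches only destinations OUTSIDE the alias.
    if rule.dst is not None and in_alias(flow.dst, rule.dst) == rule.dst_invert:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(rules: list, flow: Flow) -> tuple:
    """First matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.description
    return "block", "default deny (no rule matched)"


# The three rules from the reply, as they would sit on the GUEST interface tab.
GUEST_RULES = [
    Rule("block", "1. block DNS to anything that is not GUEST address",
         dst="GUEST address", dst_invert=True, dport=53),
    Rule("pass", "2. allow GUEST net to GUEST address for DNS",
         src="GUEST net", dst="GUEST address", dport=53),
    Rule("pass", "3. allow GUEST net to !RFC1918",
         src="GUEST net", dst="RFC1918", dst_invert=True),
]

# The same pattern on the LAN tab: LAN hosts reach the internet and the
# firewall's resolver, but no private subnet, including the VLAN.
LAN_RULES = [
    Rule("pass", "allow LAN net to LAN address for DNS",
         src="LAN net", dst="LAN address", dport=53),
    Rule("pass", "allow LAN net to !RFC1918",
         src="LAN net", dst="RFC1918", dst_invert=True),
]


def demo() -> dict:
    """Constructed flows (203.0.113.10 is a documentation address standing in for the internet)."""
    cases = {
        "guest dns to external resolver": (GUEST_RULES, Flow("udp", "192.168.83.50", "8.8.8.8", 53)),
        "guest dns to firewall":          (GUEST_RULES, Flow("udp", "192.168.83.50", "192.168.83.1", 53)),
        "guest https to internet":        (GUEST_RULES, Flow("tcp", "192.168.83.50", "203.0.113.10", 443)),
        "guest smb to lan nas":           (GUEST_RULES, Flow("tcp", "192.168.83.50", "192.168.1.20", 445)),
        "guest https to firewall gui":    (GUEST_RULES, Flow("tcp", "192.168.83.50", "192.168.83.1", 443)),
        "lan smb to vlan nas":            (LAN_RULES, Flow("tcp", "192.168.1.50", "192.168.83.20", 445)),
        "lan https to internet":          (LAN_RULES, Flow("tcp", "192.168.1.50", "203.0.113.10", 443)),
    }
    return {name: evaluate(rules, flow) for name, (rules, flow) in cases.items()}


if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{action:5}  {name:32}  {why}")
```

Note that the firewall GUI flow is dropped by the default deny without any rule naming the firewall itself: the interface address is inside 192.168.0.0/16, so the inverted RFC1918 destination simply never matches it.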

Thanks for the reply.

Your suggestions contradict the pfSense documentation I followed step by step here.

I didn’t necessarily contradict the documentation. I accomplished the same result with fewer rules. “This Firewall” is an alias for all the interface IPs (i.e. WAN, LAN, OPT and so on). So I literally block that already in the RFC1918 alias with my last rule.

OK. I see what you’re saying. I’m stuck in a meeting right now but will try this on the second port of the 2100 which is still open.

Thanks!