Guest LAN access like Tom's Video

So I followed Tom’s intro video on pfSense carefully and I’m stuck trying to get a 2nd wifi router as a second guest LAN.

These are the steps I took:

  1. Enable 2nd interface, all traffic (not just TCP)
  2. Enable Firewall Rules to Allow all
  3. DHCP Server under my guest LAN gets its own IP range

What am I missing?
Does my OpenVPN need to be enabled for the guest interface somehow?

Plug something into that interface and see if it gets access; that way you know if the issue is the router or the pfSense settings.

I plugged the same PC that was working on the LAN port, into the guest one…

I can connect to the pfSense browser GUI, but not the outside internet. Maybe it’s the OpenVPN? Those rules are on the WAN though. And the LAN and Guest rules are just allow all, IPv4 and 6

Not sure what OpenVPN has to do with any of this. I assume you want to provide internet access to visitors via the second Wi-Fi router?

If so I would do the following:

  1. Enable second interface with the following settings:
    • Description: Guest
    • IPv4 Configuration Type: Static IPv4
    • IPv4 Address:
  2. Go to Services → DHCP Server → GUEST
    • Check Enable DHCP server on GUEST interface
    • Range: From To
  3. Put your Wi-Fi router into AP mode if possible and assign a fixed IP address to it, e.g. either via static DHCP on your pfSense or you could set a static IP directly in the router interface.

  4. Set a firewall rule on your LAN network to allow access to the management interface of the router / AP. (not needed if the default LAN to any rule is active)

  5. Set a firewall rule on the GUEST network to allow internet access.

Yeah so I’m stuck at step 5, allowing internet access via firewall. Can you describe how to do this please.

I can access the pfSense via Guest LAN, just not outside internet

Personally I do it like this:

  1. Create an alias for the RFC1918 address space (Private IPv4 addresses)

  2. Create a Firewall rule on the “GUEST” interface that allows any traffic to anywhere but the RFC1918 address space. This can either be done with a single “Invert match” rule like in my screenshot below. Or with two separate rules from which the first one denies traffic from “GUEST net” to the “RFC1918” alias and the second one allows traffic from “GUEST net” to “Any”.

Note: Contrary to my screenshot, you probably don’t want to enable logging for this rule :wink:

It doesn’t work =(
I copied the IP addresses for the Alias like your text instructions, and ignored the IPs in the image. or should I have done those random IPs?

Then you basically created a “GUEST net” to “Any” rule, because if you are using my example rule, but only added to the alias, it won’t block anything. Internet should work but you also would be able to access all the other local networks.

These are not random IPs. These are the IP ranges that are reserved for private networks or Local Area Networks. Private network - Wikipedia

Basically my rule is saying. Allow traffic from “GUEST net” to all IPs except the private IP ranges which are defined in the RFC1918 alias. That way every device that is connected to the GUEST network can access any IP address in the internet but none in your local network, except for the ones that are in the GUEST subnet.

Of course, you could also add the actual subnets / IP ranges, which you are using on the other interfaces to the alias. Or you could create dedicated deny rules for each of them. But then you would have to adjust the alias or add another rule, every time you are going to add a new interface / subnet in the future.

@TokyoTemple pfSense takes a while to get used to. @bb77's steps ought to work, however, you may well have a config error somewhere else.

What I have/would do in your position, is start from a clean install, from there your LAN has internet access, then set up the 2nd interface for guest using the same settings as LAN but changing it for the Guest subnet.

Once both networks can reach the internet, play around with your rules, such that your LAN can see the Guest, the Guest cannot see the LAN, the Guest cannot see the pfSense GUI.

Additionally, I’d say it’s better to start off with a managed switch and plug everything into that. VLANs are the way to go, you could just start off with the LAN on pfSense, ISP VLAN and Guest VLAN.

It will take trial and error until it clicks, but the pfSense backup feature is pretty handy :wink:

Ah I see. I appreciate your explanation. Can you explain the “invert match” part in the rules? It’s confusing

oh man. reinstall?! I want to cry

I got VPN on LAN working fine, just want the same thing in the next port. doesn’t have to be “guest”

By checking the “Invert match” box you invert the match. This means the rule applies to any addresses except the ones listed.

In my screenshot I “Pass” or allow all traffic from “TEST net” (Source: “TEST net”, “invert match” is unchecked) to any IP address, except the ones listed in the “RFC1918” alias. (Destination: “RFC1918”, “invert match” is checked)

Or in other words: With the “Invert match” box checked, traffic can go anywhere except to the addresses in the RFC1918 alias. And because the RFC1918 alias has all local IP ranges listed, traffic can only go to public IP addresses, which happens to be the internet.

This is confusing. This is a firewall LAN rule, so when you say traffic, what traffic?

The traffic from the Guest Wifi port? Why would it need to be blocked from itself?

Well you posted screenshots of the setup you described earlier.

Traffic from devices that are connected to the WiFiRouter2 interface / subnet

It’s not blocked by itself, because the rule only affects traffic that is routed to other networks / subnets. Within the same subnet the rule has no effect.
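The "Invert match" rule discussed in this thread, modelled as a small Python check. This is an added example, not code from any poster or from pfSense; the guest subnet, firewall address and host addresses are constructed for illustration. It also covers the incomplete-alias case and the same-subnet case mentioned above.

```python
import ipaddress

# RFC 1918 private IPv4 ranges: the contents of the "RFC1918" alias.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed addressing (assumption, not taken from the thread).
GUEST_NET = ipaddress.ip_network("192.168.20.0/24")
GUEST_FW = ipaddress.ip_address("192.168.20.1")  # pfSense's own GUEST address


def in_alias(ip, alias):
    """True if ip falls inside any network listed in the alias."""
    return any(ip in ipaddress.ip_network(net) for net in alias)


def guest_rule_verdict(src, dst, alias=RFC1918):
    """Verdict for traffic from a guest device when the GUEST interface has
    one rule: Pass, Source "GUEST net", Destination alias + "Invert match"."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in GUEST_NET:
        return "block"  # source does not match "GUEST net"
    if dst_ip in GUEST_NET and dst_ip != GUEST_FW:
        return "local"  # same subnet: never routed through the firewall
    if not in_alias(dst_ip, alias):
        return "pass"   # inverted match: destination is NOT in the alias
    return "block"      # no rule matched, the default deny applies


def demo():
    guest = "192.168.20.50"
    return {
        "public host": guest_rule_verdict(guest, "203.0.113.10"),
        "LAN host": guest_rule_verdict(guest, "192.168.1.10"),
        "other guest": guest_rule_verdict(guest, "192.168.20.60"),
        # The firewall's GUEST address is private too, so services on it
        # (GUI, DNS if guests use pfSense as resolver) need their own rule.
        "firewall itself": guest_rule_verdict(guest, "192.168.20.1"),
        # Alias missing 192.168.0.0/16: the LAN is no longer excluded.
        "LAN host, incomplete alias":
            guest_rule_verdict(guest, "192.168.1.10", alias=["10.0.0.0/8"]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28} -> {verdict}")
```
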