I just watched @LTS_Tom video on firewall rules at home.
I had many more rules than shown in the video, so I disabled a few of them, and if I don’t have a specific rule to allow DNS, my devices just lose access to the internet. In the video, Tom does not have any such rule, so it must be “implicitly allowed” elsewhere…
This is one of my few annoyances with pfSense. You do need a rule to allow anything you want to allow, except DHCP. The firewall drops by default, but DHCP puts in a rule that you can’t see in Firewall > Rules when you enable it on an interface. This is confusing. Why can I view things like the anti-lockout rule but not the DHCP rule? I believe Tom has an “allow all” rule on his LAN; don’t recall the other VLANs. If you open status.php and look under the firewall-generated ruleset, you can see everything it’s really doing.
Can you reference a specific time in the video? I see at about min 47 that he has a rule to block TCP port 10443 on the firewall so the admin interface cannot be accessed on the network ANOTHERLANFORGUEST. Then there is an inverse rule that references an alias. That rule says all traffic not going to the alias, which I believe just has the LAN subnet in it, is allowed. The LAN has an allow all rule. To think about this another way, the ANOTHERLANFORGUEST network can get to anywhere but the LAN and the admin TCP port. Port 53 on the ANOTHERLANFORGUEST is included in that list of places allowed. Make sense? Inverse rules are nice for blocking a bunch of access at once.
Your picture shows all TCP/UDP with a source address on the IOT net is allowed to access the IOT interface port 53. I like to use the actual IP address of the interface, but that should work fine. Your picture also has an allow all rule at the end that is mislabeled “allow internet access” when in fact it allows all access to whatever makes it that far down. It looks to me like on your interface you can get to DNS, a couple of IPs and the internet.
The rule to allow the “source = IOT net” is not active in the picture, and this is why I can’t access the internet: no device has DNS resolution. If I activate this rule, it works.
I found a workaround: Tom creates an alias for his private networks.
In this segment, he specifically lists the existing networks. What I did was to create an alias that encompasses all RFC1918 addresses, and that seems to block access to the router DNS service.
But Tom does include “192.168.55.0/24” in the “My_Private_IPs” alias, under which is his pfSense at 192.168.55.1.
If I disable the “Block RFC1918” rule, then DNS is resolved.
You can see at minute 41 that this is his LAN address. So ANOTHERLANFORGUEST (192.168.200.1) can access everything EXCEPT the LAN (192.168.55.0/24) via the fancy “invert match” rule with the alias, and the admin interface. Anyway, glad you figured it out.
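An added illustration of the ordering point discussed above (it is not code from the thread, the video, or pfSense itself): a small first-match rule evaluator that models pfSense’s per-interface evaluation, including “invert match” on a destination alias. It runs the original poster’s “Block RFC1918 then allow all” ruleset, the same ruleset with a DNS-to-interface rule placed in front of the block, and Tom’s “block admin port, then allow everything not in My_Private_IPs” approach. The LAN 192.168.55.0/24 and the guest gateway 192.168.200.1 come from the thread; the guest subnet 192.168.200.0/24, the client 192.168.55.10 and the public resolver 1.1.1.1 are constructed values, and the admin block is approximated as a rule to the interface’s own address rather than pfSense’s “This firewall” target.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
# From the thread: LAN 192.168.55.0/24 (pfSense at 192.168.55.1), guest/IoT gateway 192.168.200.1.
# Constructed for this example: the guest/IoT subnet 192.168.200.0/24 and the public resolver 1.1.1.1.
LAN_NET = ipaddress.ip_network("192.168.55.0/24")
IOT_GW = ipaddress.ip_address("192.168.200.1")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MY_PRIVATE_IPS = [LAN_NET]  # Tom-style alias: only the networks that actually exist


@dataclass
class Rule:
    name: str
    action: str                    # "pass" or "block"
    dst_nets: list                 # contents of the destination alias
    invert_dst: bool = False       # pfSense "invert match" on the destination
    proto: str = "any"             # "tcp", "udp", "tcp/udp" or "any"
    dst_port: Optional[int] = None

    def matches(self, dst, proto, port) -> bool:
        in_alias = any(dst in net for net in self.dst_nets)
        if in_alias == self.invert_dst:   # invert flips the alias membership test
            return False
        if self.proto != "any" and proto not in self.proto.split("/"):
            return False
        return self.dst_port is None or self.dst_port == port


def evaluate(rules, dst, proto="udp", port=53):
    """First matching rule wins, as on a pfSense interface tab; no match is the default deny."""
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(dst, proto, port):
            return rule.action, rule.name
    return "block", "default deny"


# Original poster's ruleset: block every RFC1918 destination, then allow everything else.
BROKEN = [
    Rule("Block RFC1918", "block", RFC1918),
    Rule("Allow internet access", "pass", [ANY]),
]
# Same ruleset with a DNS rule to the interface address placed in front of the block.
FIXED = [
    Rule("Allow DNS to IOT interface", "pass", [ipaddress.ip_network(f"{IOT_GW}/32")],
         proto="tcp/udp", dst_port=53),
    Rule("Block RFC1918", "block", RFC1918),
    Rule("Allow internet access", "pass", [ANY]),
]
# Tom's approach: block the admin port, then pass everything NOT in My_Private_IPs.
# The interface address stands in for pfSense's "This firewall" destination (an approximation).
TOM = [
    Rule("Block admin port", "block", [ipaddress.ip_network(f"{IOT_GW}/32")],
         proto="tcp", dst_port=10443),
    Rule("Allow all except My_Private_IPs", "pass", MY_PRIVATE_IPS, invert_dst=True),
]


def check(rules):
    """Outcome of the four flows the thread cares about for a guest/IoT client."""
    return {
        "dns_to_gateway": evaluate(rules, IOT_GW, "udp", 53)[0],       # resolver on pfSense
        "lan_web": evaluate(rules, "192.168.55.10", "tcp", 443)[0],    # constructed LAN host
        "internet_dns": evaluate(rules, "1.1.1.1", "udp", 53)[0],      # public resolver
        "admin_port": evaluate(rules, IOT_GW, "tcp", 10443)[0],        # pfSense web UI
    }


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED), ("tom", TOM)):
        print(label, check(rules))
```

Running it shows the failure mode from the thread: with the blanket RFC1918 block first, a DNS query to 192.168.200.1 hits the block rule before the allow, so nothing resolves, even though internet traffic itself is allowed. Putting a narrow DNS allow ahead of the block, or listing only the real private networks in the inverted alias as Tom does, lets DNS through while the LAN and the admin port stay blocked.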
I usually start my guest and IoT networks with a ruleset about like this where the main difference is that the guest network has layer 2 isolation turned on in Unifi.