pfSense firewall rules for Synology with two LAN ports

Finally got pfSense up and running on a 4-port Protectli box after a few glitches. After watching the video on home network setup, I was curious about the rules that were set up in the Synology to limit access. I see that your NAS has four ports while I only have two, so that limits some flexibility. I now have lan1 on the NAS on the subnet of the pfSense LAN; lan2 on the NAS is on the pfSense OPT1 subnet, which is more locked down, with a limited number of workstations. I’d like to allow LAN to access the NAS for file shares but be unable to log into the management interface. On OPT1, I want to have full access to lan2 on the NAS with management access. I’m wondering if I could create a VLAN on the NAS to access OPT2 on the firewall as a private network?


Do you need to have the NAS connected directly to pfSense? If you have a switch, it is probably better for you to connect your NAS to a switch rather than connecting it to pfSense directly.

Also, you don’t need to connect both interfaces. On Synology, each application uses its own ports, so if you only need specific applications (for example, the admin web interface or Synology Photo) to be accessible, you can create a firewall rule to allow only those applications and block the rest.

I’d say you need to create your VLANs on your switch and pfSense, then set up your interfaces on your NAS accordingly. Your rules on pfSense will determine what can be seen, and your user access rules on the NAS will determine what they can do.

Thanks for the replies. I was a little unclear in my post. Both LAN ports on the Synology are connected to different switches. One switch is LAN only, the other switch is OPT1 only. So the respective LANs on the Synology are connected to the two switches. I was trying to achieve what Tom did on his Synology by having an isolated subnet for his cameras, etc., even though I only have two LAN ports. I’ll just have to be careful with my firewall rules on the NAS and pfSense.
Thanks again.
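
An added example, not part of the thread: because lan1 sits on the same subnet as the LAN clients, that traffic is switched and never crosses pfSense, so the file-share versus management split has to be enforced by per-interface rules on the NAS itself. The Python sketch below models such a first-match rule set and checks it; the subnets and host addresses are constructed, and the ports are the DSM defaults (445 for SMB, 5000/5001 for the management UI), which are assumptions the thread does not state.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing and DSM default ports (assumptions, not from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # pfSense LAN, NAS port lan1
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")   # pfSense OPT1, NAS port lan2
SMB, DSM_HTTP, DSM_HTTPS = 445, 5000, 5001

@dataclass(frozen=True)
class Rule:
    iface: str                   # NAS port the packet arrives on
    src: ipaddress.IPv4Network   # permitted or refused source range
    ports: frozenset             # empty set means any TCP port
    action: str                  # "allow" or "deny"

# Evaluated top-down, first match wins; anything unmatched is denied.
RULES = [
    # Explicit deny first, so a later broad allow on lan1 cannot open management.
    Rule("lan1", LAN_NET, frozenset({DSM_HTTP, DSM_HTTPS}), "deny"),
    Rule("lan1", LAN_NET, frozenset({SMB}), "allow"),
    # Source is pinned to OPT1: a LAN host routed through pfSense to lan2 is refused.
    Rule("lan2", OPT1_NET, frozenset(), "allow"),
]

def decide(iface, src_ip, dst_port, rules=RULES):
    """Return 'allow' or 'deny' for a TCP connection arriving on a NAS port."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.iface == iface and src in r.src and (not r.ports or dst_port in r.ports):
            return r.action
    return "deny"

def audit(rules=RULES):
    """List the (iface, source, port) probes that can reach DSM management."""
    probes = [("lan1", "192.168.1.50"), ("lan2", "192.168.2.50"),
              ("lan2", "192.168.1.50")]  # last: LAN host arriving on lan2 via pfSense
    return [(i, s, p) for i, s in probes for p in (DSM_HTTP, DSM_HTTPS)
            if decide(i, s, p, rules) == "allow"]

if __name__ == "__main__":
    for probe in [("lan1", "192.168.1.50", SMB), ("lan1", "192.168.1.50", DSM_HTTPS),
                  ("lan2", "192.168.2.50", DSM_HTTPS), ("lan2", "192.168.1.50", DSM_HTTPS)]:
        print(probe, "->", decide(*probe))
    print("management reachable from:", audit())
```

Running `audit()` against a candidate rule set before applying it shows whether any path other than OPT1 to lan2 reaches the management ports.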