Security Gateway Manual Netgate-2100
12.6.2 Isolated
In an isolated local network, hosts on the network cannot contact hosts on other networks unless explicitly allowed
by the rules. Hosts can still contact the Internet as needed in this example, but that can also be restricted with more
complicated rules.
This scenario is common for locked-down networks such as those for IoT devices, a DMZ with public services, untrusted
Guest/BYOD networks, and other similar cases.
Warning: Do not rely on tricks such as using policy routing to isolate clients. A full set of reject rules as described
in this example is the best practice.
Create an RFC1918 alias, or an alias containing at least the local/private networks on this firewall, such as VPNs. Using all
of the RFC1918 networks is the safer practice.
Navigate to Firewall > Aliases
Click Add
Configure it as follows:
Name: PrivateNets
Description: Private Networks
Type: Network(s)
Add entries for:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
Click Save
Navigate to Firewall > Rules, on the OPTx tab (or the custom name)
Add a rule to pass DNS to the firewall (or to other DNS servers)
Click to add a new rule at the bottom of the list.
Configure the rule as follows:
Action: Pass
Interface: OPTx (or the custom name)
Protocol: TCP/UDP
Source: OPTx Net (or the custom name)
Destination: This Firewall (self)
If clients are to use DNS servers other than the firewall, use those as the destination instead.
Destination Port Range: DNS, or choose Other and enter 53
To allow DNS over TLS as well, add another rule for DNS over TLS (port 853).
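The ruleset this section builds (the DNS exception to the firewall, followed by the reject rule against PrivateNets and a pass for Internet traffic) can be checked offline with the following first-match evaluator. It is an added example, not part of the Netgate manual; the OPTx addressing (172.16.50.0/24 with the firewall at 172.16.50.1), the client addresses and the reject/Internet rules are assumptions used for illustration.

```python
"""Added example (not from the Netgate manual): first-match evaluation of the
isolated-network ruleset, using the PrivateNets alias from the page.
OPTx addressing, client addresses and the reject/Internet rules are assumed."""
import ipaddress
from dataclasses import dataclass

# The alias from the page: all RFC1918 space.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# Assumed addressing: OPTx is 172.16.50.0/24, the firewall itself is 172.16.50.1.
OPTX_NET = ipaddress.ip_network("172.16.50.0/24")
THIS_FIREWALL = {ipaddress.ip_address("172.16.50.1")}  # "This Firewall (self)"
ANY = [ipaddress.ip_network("0.0.0.0/0")]

@dataclass
class Rule:
    action: str       # "pass" or "reject"
    protocols: set    # e.g. {"tcp", "udp"}
    src: object       # source network
    dst: object       # list of networks (alias) or set of host addresses (self)
    dports: object    # set of destination ports, or None for any port

def _dst_matches(rule, dst_ip):
    if isinstance(rule.dst, set):          # "This Firewall (self)"
        return dst_ip in rule.dst
    return any(dst_ip in net for net in rule.dst)

def evaluate(rules, proto, src_ip, dst_ip, dport):
    """Interface rules are first-match: the first rule whose criteria all match
    decides the packet. Returns its action, or 'drop' for the implicit default
    deny when nothing matches."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (proto in r.protocols and src_ip in r.src and _dst_matches(r, dst_ip)
                and (r.dports is None or dport in r.dports)):
            return r.action
    return "drop"

ISOLATED_RULESET = [
    # 1. DNS and DNS over TLS to the firewall. This must precede the reject rule:
    #    the firewall's OPTx address lies inside PrivateNets and would be rejected.
    Rule("pass", {"tcp", "udp"}, OPTX_NET, THIS_FIREWALL, {53, 853}),
    # 2. The isolation rule (assumed): reject everything else to private networks.
    Rule("reject", {"tcp", "udp", "icmp"}, OPTX_NET, PRIVATE_NETS, None),
    # 3. Remaining traffic (the Internet) is allowed, as the text describes.
    Rule("pass", {"tcp", "udp", "icmp"}, OPTX_NET, ANY, None),
]
```

Swapping rules 1 and 2 silently breaks DNS for the isolated hosts, which is the ordering mistake this evaluator makes visible.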
© Copyright 2023 Rubicon Communications LLC 64