Configuring an OPT interface as an additional LAN¶
Note
By default the Netgate 2100 is not configured with OPT interfaces. To reconfigure one or more of the LAN switch ports as an OPT interface, see Switch Overview.
This guide configures an OPT port as an additional LAN type interface. These local interfaces can perform a variety of tasks, such as being a guest network, DMZ, IOT isolation, wireless segment, lab network, and more.
Configuring an additional LAN
Requirements¶
This guide assumes the underlying interface is already present (e.g. physical port, VLAN, etc).
Choose a new local subnet to use for the additional LAN type interface. This example uses 192.168.2.0/24.
Assign the Interface¶
The first step is to assign an OPT interface.
Navigate to Interfaces > Assignments
Look at the list of current assignments. If the interface in question is already assigned, there is nothing to do here. Skip ahead to the interface configuration.
Pick an available interface in Available network ports
If there are no available interfaces, one may need to be set up in some other way (e.g. VLANs).
Click Add
The firewall will assign the next available OPT interface number corresponding to the internal interface designation. For example, if there are no current OPT interfaces, the new interface will be OPT1. The next will be OPT2, and so on.
Note
As this guide does not know what that number will be on a given configuration, it will refer to the interface generically as OPTx.
The newly assigned interface will have its own entry under the Interfaces menu and elsewhere in the GUI.
Interface Configuration¶
The new interface must be enabled and configured.
Navigate to Interfaces > OPTx
Check Enable interface
Set a custom name in the Description, e.g. GUESTS, DMZ, etc.
Set the IP address and CIDR mask for the new LAN. For this example, 192.168.2.1/24.
Do not add or choose a gateway
Uncheck Block private networks
This interface uses a private subnet, so leaving this option checked would block its traffic and prevent it from functioning.
Uncheck Block bogon networks
The rules on this interface should only allow traffic from the subnet on the interface, making this option unnecessary.
Click Save
Click Apply Changes
The lack of a selected gateway in the interface configuration causes the firewall to treat the interface as a LAN type interface.
The firewall uses LAN type interfaces as sources of outbound NAT traffic but does not apply outbound NAT to traffic exiting a LAN type interface. It does not add extra properties such as reply-to to firewall rules on LAN type interfaces to influence traffic behavior, as it does for rules on WAN type interfaces. The DNS Resolver will accept queries from clients on LAN type interfaces.
DHCP Server¶
Next, configure DHCP service for this local interface. This is a convenient and easy way to assign addresses to clients on the interface, but it is optional if clients will be statically addressed instead.
Navigate to Services > DHCP Server, OPTx tab (Or the custom name)
Check Enable
Configure the Range, e.g. from 192.168.2.100 to 192.168.2.199
This sets the lower (From) and upper (To) bound of automatic addresses assigned to clients.
The rest can be left at defaults
Click Save
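The subnet chosen in the Requirements section and the DHCP range configured here are easy to get subtly wrong (a range that spills outside the subnet, one that hands out the firewall's own address, or a subnet that overlaps a LAN or VPN already on the firewall). The following added example, which is not pfSense code or part of the Netgate documentation, checks a planned interface address and DHCP range against a constructed list of subnets already in use before anything is typed into the GUI. EXISTING_SUBNETS and the values in the usage call are assumptions; substitute the real ones.

```python
"""Pre-flight checks for an additional LAN plan.

Added example, not part of the pfSense or Netgate documentation or code.
It checks the new subnet and the DHCP range against the subnets already in
use on the firewall. EXISTING_SUBNETS is constructed sample data.
"""
import ipaddress

# Constructed sample: subnets already routed on this firewall (LAN, a VPN, ...).
EXISTING_SUBNETS = ["192.168.1.0/24", "10.8.0.0/24"]


def check_lan_plan(interface_cidr, dhcp_from, dhcp_to, existing=EXISTING_SUBNETS):
    """Return a list of problems with the plan; an empty list means it is sound.

    interface_cidr: address and mask to set on OPTx, e.g. "192.168.2.1/24"
    dhcp_from, dhcp_to: the From/To bounds of the DHCP range
    existing: CIDRs of subnets already in use on the firewall
    """
    problems = []
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network

    if net.num_addresses < 4:
        problems.append(f"{net} leaves no room for clients")
    # The interface address must be a host address, not the network/broadcast.
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    # An overlap with a subnet the firewall already routes makes routing
    # ambiguous and would also collide in the outbound NAT and alias entries.
    for cidr in existing:
        other = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(other):
            problems.append(f"{net} overlaps existing subnet {other}")

    lo = ipaddress.ip_address(dhcp_from)
    hi = ipaddress.ip_address(dhcp_to)
    if lo > hi:
        problems.append(f"DHCP range is inverted: {lo} > {hi}")
    for bound in (lo, hi):
        if bound not in net:
            problems.append(f"DHCP bound {bound} is outside {net}")
    if lo == net.network_address or hi == net.broadcast_address:
        problems.append("DHCP range includes the network or broadcast address")
    # Handing out the firewall's own address would break the gateway for a client.
    if lo <= iface.ip <= hi:
        problems.append(f"DHCP range {lo}-{hi} contains the interface address {iface.ip}")
    return problems


if __name__ == "__main__":
    # The values from this guide; prints "OK" when nothing is wrong.
    for msg in check_lan_plan("192.168.2.1/24", "192.168.2.100", "192.168.2.199") or ["OK"]:
        print(msg)
```

Run it with the real existing subnets (every LAN, OPT and VPN tunnel network on the firewall) before assigning the interface; an overlap found here is far cheaper to fix than one found after clients are already on the segment.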
Outbound NAT¶
For clients on this interface to get to the Internet from private addresses, the firewall must apply Outbound NAT for the new subnet.
Navigate to Firewall > NAT, Outbound tab
Check the current outbound NAT mode
If the mode is set to Automatic or Hybrid, then this may not need further configuration. Ensure the new LAN subnet is listed as a Source in the Automatic Rules at the bottom of the page. If so, skip ahead to the next section to configure Firewall Rules.
If the mode is set to Manual, create a new rule or set of rules to cover the new subnet.
Click Add to add a new rule at the top of the list
Configure the rule as follows:
- Interface: Choose the WAN interface. If there is more than one WAN interface, add separate rules for each WAN interface.
- Address Family: IPv4
- Protocol: Any
- Source: Network, and fill in the new LAN subnet, e.g. 192.168.2.0/24.
- Destination: Any
- Translation Address: Interface Address
- Description: Text describing the rule, e.g. Guest LAN outbound on WAN
Click Save
Click Apply Changes
Alternately, clone existing NAT rules and adjust as needed to match the new LAN.
Firewall Rules¶
By default there are no rules on the new interface, so the firewall will block all traffic from it. This is not ideal for a LAN since, generally speaking, the LAN clients will need to reach hosts through the firewall.
Rules for this interface can be found under Firewall > Rules, on the OPTx tab (or the custom name, e.g. GUESTS).
There are two common scenarios administrators typically choose for local interfaces: Open and Isolated
Open¶
On an open LAN, hosts in that LAN are free to contact any other host through the firewall. This might be a host on the Internet, across a VPN, or on another local LAN.
In this case a simple “allow all” style rule for the interface will suffice. Keep in mind that such a rule also permits access to every other local network and to services on the firewall itself, so it is only appropriate for trusted segments.
Navigate to Firewall > Rules, on the OPTx tab (or the custom name)
Click Add to add a new rule at the top of the list
Configure the rule as follows:
- Action: Pass
- Interface: OPTx (or the custom name) should already be set by default
- Protocol: Any
- Source: OPTx Net (or the custom name)
- Destination: Any
- Description: Text describing the rule, e.g. Default allow all from OPTx
Click Save
Click Apply Changes
Add rule to pass any protocol from interface net to any destination
Isolated¶
In an isolated local network, hosts on the network cannot contact hosts on other networks unless explicitly allowed in the rules. Hosts can still contact the Internet as needed in this example, but that can also be restricted by more complicated rules.
This scenario is common for locked down networks such as for IOT devices, a DMZ with public services, untrusted Guest/BYOD networks, and other similar scenarios.
Rule order matters here: the firewall evaluates the rules on an interface from top to bottom and the first matching rule wins, so the pass rules for DNS and ICMP below must sit above the reject rules, and the final “allow all” rule must be last.
Warning
Do not rely on tricks such as using policy routing to isolate clients. A full set of reject rules as described in this example is the best practice.
Create an RFC 1918 alias, or at minimum an alias containing the local/private networks on this firewall, including VPN subnets. Using all of the RFC 1918 networks is the safer practice, since it also covers local subnets added later. If any local network or VPN tunnel uses addresses outside RFC 1918, add those to the alias as well, otherwise the reject rule below will not cover them.
Navigate to Firewall > Aliases
Click Add
Configure it as follows:
- Name: PrivateNets
- Description: Private Networks
- Type: Network(s)
- Add entries for: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
Click Save
Navigate to Firewall > Rules, on the OPTx tab (or the custom name)
Add rule to pass DNS to firewall (or other DNS servers)
Click Add to add a new rule at the bottom of the list.
Configure the rule as follows:
- Action: Pass
- Interface: OPTx (or the custom name)
- Protocol: TCP/UDP
- Source: OPTx Net (or the custom name)
- Destination: This Firewall (self). If clients are to use DNS servers other than the firewall, use those as the destination instead.
- Destination Port Range: DNS, or choose Other and enter 53. To allow DNS over TLS as well, add another rule for DNS over TLS or port 853.
- Description: Text describing the rule, e.g. Allow clients to resolve DNS through the firewall
Click Save
Add rule to pass ICMP to firewall
Click Add to add a new rule at the bottom of the list.
Configure the rule as follows:
- Action: Pass
- Interface: OPTx (or the custom name)
- Protocol: ICMP
- ICMP Subtype: Any is OK in this case. ICMP is useful, but some people prefer to limit this to Echo Request only, to allow ping and nothing else.
- Source: OPTx Net (or the custom name)
- Destination: This Firewall (self)
- Description: Allow client ICMP to the firewall
Click Save
Add rule to reject any other traffic to firewall. Because the firewall uses the first matching rule, this rule must be placed below the DNS and ICMP pass rules above. It does not interfere with DHCP: when the DHCP server is enabled on an interface, the firewall adds hidden automatic rules that allow DHCP traffic on that interface.
Click Add to add a new rule at the bottom of the list.
Configure the rule as follows:
- Action: Reject
- Interface: OPTx (or the custom name)
- Protocol: Any
- Source: Any
- Destination: This Firewall (self)
- Description: Reject all other traffic to the firewall
Click Save
Add rule to reject traffic from this network to private networks
Click Add to add a new rule at the bottom of the list.
Configure the rule as follows:
- Action: Reject
- Interface: OPTx (or the custom name)
- Protocol: Any
- Source: Any
- Destination: Single Host or Alias, PrivateNets (the alias created earlier)
- Description: Reject all other traffic to private networks
Click Save
Add rule to pass from this interface network to any destination:
Click Add to add a new rule at the bottom of the list.
Configure the rule as follows:
- Action: Pass
- Interface: OPTx (or the custom name)
- Protocol: Any
- Source: OPTx Net (or the custom name)
- Destination: Any
- Description: Default allow all from OPTx
Click Save
With the rules all in place, now click Apply Changes to finish and activate the new rules.
After the configuration, the rules should look like the following figure:

Example firewall rules for isolated LAN type segment¶
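Because the isolated ruleset only works when its rules are in the right order, it helps to trace a few flows through it by hand before trusting it with real clients. The following added example (not pfSense code and not part of the Netgate documentation) encodes the five rules from this section and evaluates constructed flows against them with first-match semantics, the way interface rules are evaluated on the firewall. It also evaluates a deliberately misordered copy of the ruleset to show what goes wrong when the reject-to-firewall rule lands above the DNS pass rule. The firewall addresses, the OPTx subnet and the sample flows are assumptions, and the model ignores state tracking, floating rules and the hidden automatic rules.

```python
"""First-match simulation of the isolated LAN ruleset above.

Added example, not pfSense code or part of the Netgate documentation. It
models only what the rules in this section express (action, protocol,
source, destination and destination port) and ignores state tracking,
floating rules and the hidden automatic rules. The firewall addresses,
the OPTx subnet and the sample flows are constructed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the real interface configuration.
OPTX_NET = ipaddress.ip_network("192.168.2.0/24")
# "This Firewall (self)" matches every address owned by the firewall.
FIREWALL_SELF = {ipaddress.ip_address("192.168.2.1"),
                 ipaddress.ip_address("192.168.1.1"),
                 ipaddress.ip_address("203.0.113.10")}
# The PrivateNets alias from this section.
PRIVATE_NETS = [ipaddress.ip_network(c)
                for c in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


@dataclass
class Rule:
    action: str                  # "pass" or "reject"
    proto: str                   # "any", "tcp/udp" or "icmp"
    src: object                  # "any" or an ip_network (OPTx Net)
    dst: object                  # "any", "self" or a list of ip_networks (alias)
    dport: Optional[int] = None  # None means any destination port
    description: str = ""


def _src_matches(rule, src_ip):
    return rule.src == "any" or src_ip in rule.src


def _dst_matches(rule, dst_ip):
    if rule.dst == "any":
        return True
    if rule.dst == "self":
        return dst_ip in FIREWALL_SELF
    return any(dst_ip in net for net in rule.dst)


def _proto_matches(rule, proto):
    if rule.proto == "tcp/udp":
        return proto in ("tcp", "udp")
    return rule.proto in ("any", proto)


def evaluate(rules, src, dst, proto, dport=None):
    """Return (action, description) of the first rule matching the flow.

    Interface rules in pfSense are first-match: the first rule that matches
    decides, and a flow that matches nothing hits the implicit default deny.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (_proto_matches(rule, proto) and _src_matches(rule, src_ip)
                and _dst_matches(rule, dst_ip)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action, rule.description
    return "block", "default deny (no rule matched)"


# The isolated ruleset from this section, top to bottom.
ISOLATED_RULES = [
    Rule("pass", "tcp/udp", OPTX_NET, "self", 53, "Allow clients to resolve DNS through the firewall"),
    Rule("pass", "icmp", OPTX_NET, "self", None, "Allow client ICMP to the firewall"),
    Rule("reject", "any", "any", "self", None, "Reject all other traffic to the firewall"),
    Rule("reject", "any", "any", PRIVATE_NETS, None, "Reject all other traffic to private networks"),
    Rule("pass", "any", OPTX_NET, "any", None, "Default allow all from OPTx"),
]

# The same rules with the reject-to-firewall rule mistakenly moved to the top.
MISORDERED_RULES = [ISOLATED_RULES[2]] + ISOLATED_RULES[:2] + ISOLATED_RULES[3:]

if __name__ == "__main__":
    flows = [("192.168.2.50", "192.168.2.1", "udp", 53),    # DNS to the firewall
             ("192.168.2.50", "192.168.2.1", "tcp", 443),   # web GUI on the firewall
             ("192.168.2.50", "10.1.1.5", "tcp", 445),      # SMB to another local net
             ("192.168.2.50", "8.8.8.8", "tcp", 443)]       # the Internet
    for flow in flows:
        print(flow, "->", evaluate(ISOLATED_RULES, *flow))
        print(flow, "-> (misordered)", evaluate(MISORDERED_RULES, *flow))
```

With the rules in the documented order, DNS and ICMP to the firewall pass, everything else aimed at the firewall or at a PrivateNets address is rejected, and Internet-bound traffic passes. With the reject-to-firewall rule moved above the DNS rule, the same DNS flow is rejected, which is exactly the failure a client would report as "no Internet" even though the default allow rule is still present. Note that the simulation also passes a client query to an external resolver such as 1.1.1.1:53, matching the text above: nothing in this ruleset forces clients to use the firewall for DNS unless further rules are added.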
Tip
Rule separators are useful for documenting a ruleset in place.
Similar to the isolated network, it’s also possible to be much more strict with rules to only allow specific outbound ports. When creating this type of configuration,
Other Services¶
In most cases the above configuration is sufficient and clients on the new LAN can now obtain an address and get out to the Internet. However, there may be other custom settings which need to be accounted for when adding a new local interface:
If the DNS resolver has specific interface bindings, add the new interface to the list.
If using ALTQ traffic shaping, re-run the shaper wizard to include this new LAN type interface.
Consider using captive portal to control access to the interface