Netgate Discussion Forum
    Stupid question on firewall rule

    Category: Firewalling
    9 Posts 3 Posters 654 Views

    planetinse

      When in Source I select, e.g., "LAN net":

      Is that the physical network on that port (interface) and all traffic there, or is it the configured IP stack for that configured port?

      Is there any difference between selecting "LAN net" (which is assigned 192.168.0.1/24) and selecting "Network" and typing 192.168.0.1/24?

      keyser Rebel Alliance @planetinse

        @planetinse said in Stupid question on firewall rule:

        When in Source I select, e.g., "LAN net":

        Is that the physical network on that port (interface) and all traffic there, or is it the configured IP stack for that configured port?

        Is there any difference between selecting "LAN net" (which is assigned 192.168.0.1/24) and selecting "Network" and typing 192.168.0.1/24?

        LAN net is the subnet configured on the LAN interface. In your example those settings would result in the exact same rule.
        The advantage of using LAN net is that if you change your network, you do not need to change your rules.
        Important: LAN net does not include other subnets that might be reachable via a gateway on LAN and that you have created routes for.

        Love the no fuss of using the official appliances :-)

        johnpoz LAYER 8 Global Moderator @planetinse

          @planetinse said in Stupid question on firewall rule:

          192.168.0.1/24

          Just so you know, this is not a correct representation of a network. 192.168.0.1/24 would actually be a host address. 192.168.0.0/24 would be the proper way to show the 192.168.0 network.

          When stating a network you call out the network or wire address, which on any /24 network means the last octet is 0.

          Let's say you had a /25; where does it split? The 2 network or wire addresses would be either 192.168.0.0/25 or 192.168.0.128/24; a host would be 192.168.0.129/25 in the 2nd subnet.

          If you are using rules that call out a specific address like your 192.168.0.1/24, while it should work, it can be confusing to look at, since .1 is not actually the network address of a /24.

          Looking at that, it could be interpreted as the host address 192.168.0.1 with a 255.255.255.0 mask, and not an actual network address.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          planetinse @johnpoz
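The host-address vs. network-address distinction in the post above, as an added example (standard-library Python, not code from the pfSense project or from anyone in the thread). It derives the wire address the way a "LAN net" style macro would, checks whether a CIDR string actually names a network, and walks through the /25 split; all addresses are the constructed samples from the discussion.

```python
import ipaddress
from typing import List, Optional

# Added example, not pfSense code. Every address below is a constructed sample.


def network_of(interface_cidr: str) -> str:
    """Return the network ('wire') address for an interface address such as
    192.168.0.1/24: same prefix length, host bits zeroed. This is the value a
    macro like "LAN net" resolves to."""
    return str(ipaddress.ip_interface(interface_cidr).network)


def is_network_address(cidr: str) -> bool:
    """True when the host bits are all zero, i.e. the string names a network
    and not a host inside it. 192.168.0.0/24 -> True, 192.168.0.1/24 -> False."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def split(cidr: str, new_prefix: int) -> List[str]:
    """Enumerate the subnets obtained by lengthening the prefix, e.g. the two
    halves of a /24 when it is split into /25s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def subnet_of(host: str, subnets: List[str]) -> Optional[str]:
    """Return the subnet from `subnets` that contains `host`, or None."""
    addr = ipaddress.ip_address(host)
    for s in subnets:
        if addr in ipaddress.ip_network(s):
            return s
    return None


if __name__ == "__main__":
    print(network_of("192.168.0.1/24"))           # 192.168.0.0/24
    print(is_network_address("192.168.0.1/24"))   # False: .1 is a host in the /24
    halves = split("192.168.0.0/24", 25)
    print(halves)                                 # ['192.168.0.0/25', '192.168.0.128/25']
    print(subnet_of("192.168.0.129", halves))     # 192.168.0.128/25
    print(network_of("192.168.0.129/25"))         # 192.168.0.128/25
```

The `strict=True` parse is the check to run on a pasted value before putting it in a rule: if it raises, the string is a host address with a mask, not a network.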

            @johnpoz

            I know, but if you copy-paste from the interface section that is what you get.

            But let's say I rephrase the question to 192.168.0.0/24 vs. "LAN net" (which is indeed a 192.168.0.0/24 network).

            Do you have any ideas on the actual question?

            planetinse @keyser

              @keyser
              Technically there could be devices connected to the same physical network with other static IPs; I wonder if there is a difference in how they would be handled.

              johnpoz LAYER 8 Global Moderator @planetinse

                @planetinse your question was already answered by @keyser: if your LAN is 192.168.x.0/24 there really is no difference between using "LAN net" in your rules and using 192.168.x.0/24.

                The difference is, if you at some point change your LAN net to be, say, 192.168.y.0/24 or 10.x.y.0/24 or 192.168.z.0/28 or whatever, you don't have to worry about changing your firewall rule; the LAN net variable will automatically be updated to be whatever the network on the LAN is.

                johnpoz LAYER 8 Global Moderator @planetinse

                  @planetinse said in Stupid question on firewall rule:

                  connected to the same physical network with (other static IP's),

                  What does it matter if they are static or DHCP? They should still be in the network that is on the LAN. If you're running a different layer 3 network on the same physical interface then you have other issues. But in that case, if an IP falls outside what the actual LAN net is, then yeah, you would need another rule to allow for that.

                  "LAN net" is whatever the actual network is on the LAN interface.

                  It is not good practice to run more than 1 layer 3 network on the same layer 2. If you want to run multiple networks over the same physical interface you should be using VLANs. This isolates the networks at layer 2.

                    planetinse @johnpoz

                    @johnpoz
                    Thanks. I just want to be sure no strangers can sneak through the rules, and I tried to understand if "net" was a "wider thing" than just the assigned network, as if it was related to the physical assignment. It's clear now it's not; I can see it as a predefined alias, basically. Thank you for clarifying. //Rickard

                      johnpoz LAYER 8 Global Moderator @planetinse

                      @planetinse as to the sneak-through comment: let's say you created a rule with, say, 192.168.0.0/16; any 192.168.x.x IP would be allowed. While that might allow access to your other local networks routed through pfSense, it wouldn't allow access to the internet because of NAT; pfSense would only be NATing the network actually assigned to the LAN interface. Also, return traffic wouldn't actually work anyway, because if, say, someone used 192.168.y.100 while your LAN interface was 192.168.x/24, while the client might be able to talk to the pfSense IP because of its mask setting, pfSense wouldn't know how to talk back because the IP is outside the scope of the interface on its LAN.

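The three points made across the thread (keyser's "LAN net is the subnet configured on the interface, and routed subnets behind a LAN gateway are not part of it", johnpoz's "the macro follows a renumbered LAN while a literal network does not", and the closing note on a lazy 192.168.0.0/16 admitting addresses that are not on the LAN at all), as one added example. This is a toy model written for this page in standard-library Python, not pfSense code: the interface table, the `resolve_source`/`source_matches`/`differences` helpers and every sample address are constructed for the example. The one assumption carried over from the thread is that a literal such as 192.168.0.1/24 is treated as the whole /24, which is how pf reads address/prefix in a rule.

```python
import ipaddress
from typing import Dict, List

# Added example, not pfSense code. Interface table and samples are constructed.
INTERFACES: Dict[str, str] = {
    "LAN": "192.168.0.1/24",     # the box's own LAN address, as in the thread
    "OPT1": "192.168.20.1/24",   # a second local network on its own interface
}

# Constructed sample source addresses seen arriving on the LAN wire.
SAMPLES: List[str] = [
    "192.168.0.55",     # ordinary LAN host
    "192.168.0.1",      # the firewall's own LAN address
    "10.9.0.5",         # subnet behind a gateway on LAN, reachable via a static route
    "192.168.20.7",     # OPT1 host
    "192.168.77.100",   # host that picked a random 192.168.x address on the LAN wire
]


def resolve_source(spec: str, interfaces: Dict[str, str] = INTERFACES) -> ipaddress.IPv4Network:
    """Expand a rule's source field to a network. '<IF> net' is derived from the
    interface's current address (prefix kept, host bits zeroed), so it tracks
    renumbering. Anything else is taken literally as CIDR; strict=False mirrors
    pf treating 192.168.0.1/24 as the whole /24 (the copy-paste case)."""
    if spec.endswith(" net"):
        return ipaddress.ip_interface(interfaces[spec[:-4]]).network
    return ipaddress.ip_network(spec, strict=False)


def source_matches(spec: str, src_ip: str, interfaces: Dict[str, str] = INTERFACES) -> bool:
    """Would a packet from src_ip match a rule whose source is `spec`?"""
    return ipaddress.ip_address(src_ip) in resolve_source(spec, interfaces)


def differences(spec_a: str, spec_b: str, samples: List[str] = SAMPLES,
                interfaces: Dict[str, str] = INTERFACES) -> List[str]:
    """Sample IPs on which two source specs disagree, sorted. Empty list means
    the two specs produce the same rule for these samples."""
    return sorted(
        ip for ip in samples
        if source_matches(spec_a, ip, interfaces) != source_matches(spec_b, ip, interfaces)
    )


if __name__ == "__main__":
    # 1. "LAN net" and the explicit network are the same rule today.
    print(differences("LAN net", "192.168.0.0/24"))                       # []
    # 2. Renumber LAN: the macro follows, the literal rule is now stale.
    renumbered = dict(INTERFACES, LAN="192.168.50.1/24")
    print(source_matches("LAN net", "192.168.50.9", renumbered))          # True
    print(source_matches("192.168.0.0/24", "192.168.50.9", renumbered))   # False
    # 3. A routed subnet behind a LAN gateway is not part of "LAN net".
    print(source_matches("LAN net", "10.9.0.5"))                          # False
    # 4. A lazy /16 admits sources that are not on the LAN at all.
    print(differences("192.168.0.0/16", "LAN net"))   # ['192.168.20.7', '192.168.77.100']
```

Case 4 is the check worth keeping around: run `differences` between the source you are about to type and "<IF> net" for that interface, and anything it lists is an address the wider rule would admit that the interface's own subnet would not.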
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.