Netgate Discussion Forum
    Interface Groups and dns redirect

    • CatSpecial202

      Hello, I wanted to set up a redirect for all my VLANs, so I followed the guide linked below. However, I created an interface group with all the VLANs and implemented the guide on that interface group. I understand that rules are processed in the following order: floating -> interface groups -> interfaces.

      Does this mean that interface groups are processed before the WAN interface? Will I encounter any issues with this guide if I use an interface group for these rules?

      Could interface groups potentially lock me out of the firewall?

      https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

      • johnpoz LAYER 8 Global Moderator @CatSpecial202

        @CatSpecial202 Why create a group? Just put the rule in floating with the interfaces/VLANs you want to apply, set it to quick and on the inbound direction.

        Personally I would just create the rules on each interface - makes it easier to troubleshoot if you know where the rule is that is doing something. How many interfaces do you have? It's simple enough to just copy the rule from one interface to another, etc. So unless you have like 100 interfaces or something?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • CatSpecial202 @johnpoz

          @johnpoz I was looking at floating rules but all the options were intimidating. What makes individual rules per interface easier to troubleshoot? You can flip logging on easily per rule on each interface?

          I originally did copy each set of rules to each interface with the conversion tool, but the rules just started looking crowded.

          I'm really just trying to learn so wanted to try something different.

          But are group interfaces processed before WAN? I'm pretty sure I locked myself out of the GUI because of a block RFC1918 in the group interface. I had been working on setting up the network behind another firewall so was accessing it from the WAN subnet that was behind the other firewall.

          • johnpoz LAYER 8 Global Moderator @CatSpecial202

            @CatSpecial202 said in Interface Groups and dns redirect:

            What makes individual rules per interface easier to troubleshoot?

            Because you're looking in 1 place for all the rules that could affect traffic coming into this interface, vs looking at groups, is this interface in that group? Is the group rule correct for the source IP into specific interface? etc.

            But hey you do you.. Doing this since there were firewalls, before actually - when they were just packet filters.. And seeing all the rules in one place in the specific order they are applied is easier ;)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11
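
An added example, not written by either poster and not pfSense's own code: a simplified Python model of the evaluation order discussed in this thread (floating, then interface group, then interface rules, with last match winning unless a quick rule matches). Interface names, addresses, rules and both group memberships are constructed assumptions, and only inbound source address and destination port are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TIER_ORDER = {"floating": 0, "group": 1, "interface": 2}  # order discussed in the thread

@dataclass
class Rule:
    tier: str                 # "floating", "group" or "interface"
    ifaces: frozenset         # interfaces covered (the members, for a group rule)
    action: str               # "pass" or "block"
    src: tuple = ()           # source networks as strings; empty = any
    dport: Optional[int] = None
    quick: bool = True        # group and interface-tab rules always behave as quick
    label: str = ""

def evaluate(rules, iface, src_ip, dport):
    """Return (action, label) for an inbound packet: last match wins unless a quick rule matches."""
    src = ipaddress.ip_address(src_ip)
    verdict = ("block", "default deny")
    for r in sorted(rules, key=lambda r: TIER_ORDER[r.tier]):  # stable: keeps order inside a tier
        if iface not in r.ifaces:
            continue
        if r.src and not any(src in ipaddress.ip_network(n) for n in r.src):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        verdict = (r.action, r.label)
        if r.quick:
            break
    return verdict

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def build_rules(group_members):
    """Constructed ruleset: a GUI pass rule on WAN plus a 'block RFC1918' rule on the group."""
    return [
        Rule("interface", frozenset({"WAN"}), "pass", ("192.168.1.0/24",), 443, label="WAN: allow GUI"),
        Rule("interface", frozenset({"VLAN10"}), "pass", label="VLAN10: allow any"),
        Rule("group", frozenset(group_members), "block", RFC1918, label="group: block RFC1918"),
    ]

if __name__ == "__main__":
    for members in ({"VLAN10", "VLAN20"}, {"VLAN10", "VLAN20", "WAN"}):
        print(sorted(members), evaluate(build_rules(members), "WAN", "192.168.1.50", 443))
```

In this model a group rule only affects traffic arriving on the group's member interfaces, so the WAN pass rule is reached when WAN is outside the group and is never reached when WAN is a member.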

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.