Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Firewall Rules and the Gateway

    Firewalling
    2
    2
    45
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      katakuri
      last edited by

      My port2lan subnet is 172.16.26.0/24. I have a router plugged into it that needs internet access for internal stuff. pfsense also has a few other VLANs - all within RFC1918. I created a rule in port2lan that would give the router full access to all BUT RFC1918 - thinking I was specifically allowing it access to the internet. It didn't - not fully. Turns out the DNS server for the port2lan subnet was 172.16.26.1 - an address within RFC1918. I had to add a rule to allow the DNS query. I saw the deny in the system log as default deny rule.

      My question is how do I handle the gateway for my lans as destinations in firewall rules? Clearly traffic sent to the gateway directly such as DNS needs a rule allowing the subnet to access the dns server on the gateway (or something else like a management interface). But when traffic has to go through the gateway, such as traffic going to the internet, the destination for the traffic will be the actual target, not the gateway itself, right? Traffic destined for outside the subnet is sent to the gateway but for the firewall the actual target is the remote address?

      E.G.
      172.16.26.5 sends UDP 53 to 172.16.26.1
      This requires a rule specifically allowing the subnet to query the gateway as DNS.

      172.16.26.5 sends TCP request to apple.com:80 through 172.16.26.1
      This rule will match 172.16.26.5 as the source and apple.com as the destination?

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @katakuri
        last edited by

        @katakuri said in Firewall Rules and the Gateway:

        But when traffic has to go through the gateway, such as traffic going to the internet, the destination for the traffic will be the actual target, not the gateway itself, right? Traffic destined for outside the subnet is sent to the gateway but for the firewall the actual target is the remote address?

        Yes.

        Firewall rules in pfSense work at layer 3. Each IP packet includes the source and the destination address in its header. These are evaluated by pfSense for filtering the traffic.

        The gateway, however, is a case of layer 2. A packet can be sent to the gateway (per hardware address) even the destination address is something different.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.