Netgate Discussion Forum

    Interface and Rules

    General pfSense Questions
      viragomann (replying to @greatbush):

      @greatbush said in Interface and Rules:

      My question is what happens if I change the interface from server to storage.

      Most probably nothing.
      The rule might not match any traffic on the storage interface, since it only filters for sources = SERVERS net.

        greatbush (replying to @viragomann):

        @viragomann So if the rule matched traffic on the storage interface, will it let the traffic through?

          The Party of Hell No (replying to @greatbush):

          @greatbush Yes, exactly.

            tinfoilmatt (replying to @greatbush):

            @greatbush said in Interface and Rules:

            So if the rule matched traffic on the storage interface, will it let the traffic through?

            Your screenshot shows a rule defined on the interface "SERVERS". Traffic on the "STORAGE" interface will never match any rules defined on the "SERVERS" interface.

              stephenw10 (Netgate Administrator):

              If you edit the rule and change the interface, that moves the rule to the new interface.

              Thus the rule will no longer be present on SERVERS, so traffic from there to CLIENTS will no longer be passed.

              As mentioned that rule on STORAGE will not pass anything because traffic can never be from SERVERS net there.

                greatbush (replying to @stephenw10):

                @stephenw10 Thank you.
                I am still trying to wrap my head around something. Same three networks (storage, client, server).

                I want devices on the storage network to reach and get responses from devices on the server network. Do I create 2 rules or 1?

                storage interface rule: source = [single host or alias of devices on the storage network]
                destination = server network

                server interface rule: source = [single host or alias of devices on storage network]
                destination = [server network, devices on server]

                I feel like I am overthinking this problem.

                  The Party of Hell No (replying to @greatbush):

                  @greatbush I believe you take your rule above and duplicate it on each of the interfaces to direct it to the other (2) interfaces.

                  You would have to create two rules on each interface if you want that interface to talk to the other two interfaces.

                    greatbush (replying to @The Party of Hell No):

                    @The-Party-of-Hell-No Sorry for being obtuse, but is this what you mean:
                    (screenshot attached)

                      SteveITS (Rebel Alliance, replying to @greatbush):

                      @greatbush said in Interface and Rules:

                      I want devices on the storage network to reach and get responses from devices on the server network. Do I create 2 rules or 1?

                      Rules apply as packets enter the firewall. Responses are always allowed. So, one rule for one direction.

                      https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering

                      Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.

                        greatbush (replying to @SteveITS):

                        @SteveITS said in Interface and Rules:

                        https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering

                        "Using this mechanism, traffic need only be permitted on the interface where it enters the firewall. When a connection matches a pass rule the firewall creates an entry in the state table. Reply traffic to connections is automatically allowed back through the firewall by matching it against the state table rather than having to check it against rules in both directions. This includes any related traffic using a different protocol, such as ICMP control messages that may be provided in response to a TCP, UDP, or other connection."

                        You are right. Thanks a lot!

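To make the two points in this thread concrete (a rule is bound to the interface a packet enters on, and replies are passed by the state table rather than by a second rule), here is a small Python model of the evaluation. It is an added illustration, not pfSense or pf code; the 10.0.x.0/24 addressing for the three networks is an assumption, and the state table is simplified to a (source, destination) pair instead of pf's full 5-tuple with protocol and ports.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed sample addressing for the three networks in the thread (assumption).
NETS = {"SERVERS": ip_network("10.0.1.0/24"),
        "CLIENTS": ip_network("10.0.2.0/24"),
        "STORAGE": ip_network("10.0.3.0/24")}

@dataclass
class Rule:
    interface: str   # interface the rule is defined on; only packets entering here see it
    src_net: str     # source network name, e.g. "SERVERS" for "SERVERS net"
    dst_net: str     # destination network name, or "any"

@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)   # simplified state table: (src, dst)

    def ingress_iface(self, src):
        # A packet enters on the interface whose network contains its source.
        for name, net in NETS.items():
            if ip_address(src) in net:
                return name
        raise ValueError("unknown source %s" % src)

    def check(self, src, dst):
        # 1. State table first: a reply to an established flow passes with no rule.
        if (dst, src) in self.states:
            return "pass (state)"
        # 2. Otherwise consult only the rules bound to the ingress interface.
        iface = self.ingress_iface(src)
        for r in self.rules:
            if r.interface != iface or ip_address(src) not in NETS[r.src_net]:
                continue
            if r.dst_net != "any" and ip_address(dst) not in NETS[r.dst_net]:
                continue
            self.states.add((src, dst))   # pass rule matched: create state
            return "pass (rule on %s)" % iface
        return "block (default deny)"

if __name__ == "__main__":
    # The thread's rule: on SERVERS, source SERVERS net, destination CLIENTS.
    fw = Firewall([Rule("SERVERS", "SERVERS", "CLIENTS")])
    print(fw.check("10.0.1.10", "10.0.2.20"))   # pass (rule on SERVERS)
    print(fw.check("10.0.2.20", "10.0.1.10"))   # pass (state): reply, no CLIENTS rule needed
    moved = Firewall([Rule("STORAGE", "SERVERS", "CLIENTS")])   # same rule moved to STORAGE
    print(moved.check("10.0.1.10", "10.0.2.20"))  # block (default deny): rule left SERVERS
    print(moved.check("10.0.3.5", "10.0.1.10"))   # block (default deny): source is not SERVERS net
    fixed = Firewall([Rule("STORAGE", "STORAGE", "SERVERS")])   # one rule on STORAGE suffices
    print(fixed.check("10.0.3.5", "10.0.1.10"))   # pass (rule on STORAGE)
    print(fixed.check("10.0.1.10", "10.0.3.5"))   # pass (state)
```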
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.