Meaning of "Default" Gateway
-
Hello pfSense Forum,
I've never posted anything, anywhere, in my entire life. I've spent countless hours reading hundreds of posts on this forum and I've managed to set up an, I believe, elaborate network using pfSense, with the knowledge I was able to glean from many websites, but largely this one - so thanks.
I just have one question which search engines & forums don't seem to have the answer to. This is probably due to the fact that the answer is obvious to anyone who knows what they're talking about… And while I understand many things about networking, I'm just a motivated and intelligent (I think) layman who tries to figure things out by reading and trying (and failing) and trying again... So far, so good.
Now the question I have is this: In the firewall rules, how should one interpret the default setting for the gateway? Does the little star mean "any" gateway or does it explicitly mean whichever gateway is currently selected as the default (in the event of multiple gateways)?
So if someone has 2 gateways, say WAN and OpenVPN for example, and he wanted to block all traffic on an interface, let's say the LAN, after having selectively allowed some traffic; is a Block All rule on the LAN required for the "default" gateway (little star), then another for WAN and another for OpenVPN? Or does 1 Block all rule with "default" set as the gateway account for "any" gateway on the firewall, for the given interface (LAN, in this case)?
Not sure I'm being clear... Essentially, in the attached image, I'm assuming the four bottom rules are redundant and the topmost rule covers the scenarios of all the rules below. Am I correct?
Thanks to anyone who takes the time to provide an answer.
Cheers
-
Does the little star mean "any" gateway or does it explicitly mean whichever gateway is currently selected as the default (in the event of multiple gateways)?
It means any, no matter whether the traffic has to pass a gateway or not.
(Consider at this point that traffic to another subnet assigned to the firewall, or to the firewall itself, does not pass any gateway.)
So if someone has 2 gateways, say WAN and OpenVPN for example, and he wanted to block all traffic on an interface, let's say the LAN, after having selectively allowed some traffic; is a Block All rule on the LAN required for the "default" gateway (little star), then another for WAN and another for OpenVPN? Or does 1 Block all rule with "default" set as the gateway account for "any" gateway on the firewall, for the given interface (LAN, in this case)?
If the pass rule which is situated above this block rule matches, the block rule will be ignored; if it doesn't match, the traffic will be blocked by the default block rule (the invisible block rule at the bottom of each interface's rule set, which blocks any traffic), unless other allow rules which may match follow it.
Not sure I'm being clear… Essentially, in the attached image, I'm assuming the four bottom rules are redundant and the topmost rule covers the scenarios of all the rules below. Am I correct?
However, yes, the first rule will match any IPv4 traffic and block it, and the others will be ignored, so they are needless here.
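To make the evaluation order concrete, here is an added, simplified model of pfSense rule processing (example code written for this thread, not from pfSense itself). It assumes the things the answer relies on: rules are tried top to bottom and the first match wins, the gateway field is not a match criterion (on a pass rule it only selects where matched traffic is policy-routed, "*" meaning the routing table decides, and on a block rule it does nothing), and an invisible block-all sits below every interface's rules. The rule set, interface names and addresses are constructed to mirror the question.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str           # "pass" or "block"
    iface: str            # interface the rule is attached to, e.g. "LAN"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    gateway: str = "*"    # "*" = routing table decides; a name = policy-route


def _in(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net)


def _covers(outer, inner):
    """True if every address 'inner' can match is also matched by 'outer'."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def evaluate(rules, iface, src, dst):
    """First match wins. Returns (action, rule index, gateway used)."""
    for i, r in enumerate(rules):
        if r.iface == iface and _in(r.src, src) and _in(r.dst, dst):
            gw = r.gateway if r.action == "pass" else None  # gateway ignored on block
            return r.action, i, gw
    return "block", None, None  # implicit default-deny at the bottom of the interface


def shadowed(rules):
    """Indices of rules that an earlier rule on the same interface fully covers."""
    out = []
    for i, r in enumerate(rules):
        if any(e.iface == r.iface and _covers(e.src, r.src) and _covers(e.dst, r.dst)
               for e in rules[:i]):
            out.append(i)
    return out


# Constructed LAN rule set (hypothetical names): one selective pass rule, a
# block-all with the default "*" gateway, then the per-gateway block-alls.
LAN_RULES = [
    Rule("pass", "LAN", "192.168.1.0/24", "10.0.0.0/8", gateway="OPENVPN"),
    Rule("block", "LAN", "any", "any"),                  # the topmost block in the question
    Rule("block", "LAN", "any", "any", gateway="WAN"),   # never reached
    Rule("block", "LAN", "any", "any", gateway="OPENVPN"),  # never reached
]
```

Running `shadowed(LAN_RULES)` reports the per-gateway block rules as unreachable, and `evaluate` shows every LAN packet ends at either the pass rule or the first block-all, which is exactly the "needless here" conclusion above.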
-
Thank you very much for a very clear answer.
Cheers