Netgate Discussion Forum
    Destination/source firewall rules for LAN interfaces

    Firewalling
    spaceman77:

      I have set up a new router (appliance) with pfSense 1.23.

      I have broadband cable (coaxial) coming from the ISP to a cable modem.

      I receive an IP address from the ISP dynamically

      interface 0 WAN          DHCP to/from ISP

      interface 1 LAN          192.168.1.1

      interface 2 LANdownstairs 192.168.2.1

      interface 3 LANtomato    192.168.3.1 (wireless)

      I have enabled DHCP server on all 3 interfaces.

      I have enabled the default firewall configuration for the 3 LAN interfaces AND then configured the protocol to "ANY". The source/destination boxes are not checked and say "ANY".

      Everything works perfectly (so far) but something is bugging me.

      Do I need to configure the interface firewall rules to ensure that traffic from the outside world (WAN) goes to each specific interface? I don't think so, but I seem to remember that you need to apply some destination or source rule to the LAN interfaces when you have more than one.

      Or maybe not, maybe things are fine.

      My skill level at this sort of thing is medium.

    danswartz:

        Not sure what you are asking. If you mean unsolicited inbound traffic, that will never occur unless you have port forwards or some such. If you mean return traffic for outbound connections you make, that happens automatically. When you (say) connect to a website from, say, LAN #2, a state table entry will be set up showing the internal IP/port, so pfSense will know where to route the return traffic automatically.

    spaceman77:

          Thanks for the reply.

          I had a hard time defining my question but you answered it.

          I came up with the question because I had read somewhere that when you add one extra LAN (OPT1) you need to check destination "not LAN subnet" for incoming traffic. The person who wrote that article may have been mistaken. I think they were under the impression that packets might accidentally flow into the other subnets.

          I suspected that pfSense routed traffic appropriately to the right internal IP/port but wanted to be prepared for a routing problem in case the network went down.

          Now I can sleep properly. :P

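As an added illustration (not code from the thread, and not pfSense's own implementation) of danswartz's point that return traffic is passed by the state table while unsolicited WAN traffic matches no rule, and of the "not LAN subnet" destination the follow-up post mentions, here is a toy per-interface stateful filter in Python. It omits NAT, and the rule format, the isolating rule on LANtomato and all hosts/ports are constructed; what it models is that rules are evaluated on the interface where traffic enters, after a state lookup, and that any/any rules on every LAN also let the LANs reach each other unless a rule says otherwise.

```python
import ipaddress

# Constructed rule table (not pfSense's real format): interface -> list of
# (action, src_match, dst_match); a match is "any", a CIDR, or "!CIDR" (the
# GUI's "not" checkbox). WAN has no pass rules: unsolicited inbound never matches.
RULES = {
    "WAN": [],
    "LAN": [("pass", "any", "any")],
    "LANdownstairs": [("pass", "any", "any")],
    # The "not LAN subnet" destination from the follow-up post: wireless
    # clients may reach anything except the wired 192.168.1.0/24 LAN.
    "LANtomato": [("pass", "any", "!192.168.1.0/24")],
}

def _matches(spec, addr):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    return (ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"))) != negate

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # (src, sport, dst, dport) of flows passed by a rule

    def handle(self, iface, src, sport, dst, dport):
        # A reply to an established flow is allowed by state, before any rule runs.
        if (dst, dport, src, sport) in self.states:
            return "pass"
        for action, s, d in self.rules.get(iface, []):
            if _matches(s, src) and _matches(d, dst):
                if action == "pass":
                    self.states.add((src, sport, dst, dport))
                return action
        return "block"   # nothing matched: implicit default deny

def demo():
    fw = StatefulFirewall(RULES)   # addresses below are constructed examples
    out = {}
    # LANdownstairs host opens HTTPS outbound; the reply arrives on WAN.
    out["lan2_out"] = fw.handle("LANdownstairs", "192.168.2.10", 40000, "203.0.113.5", 443)
    out["lan2_reply"] = fw.handle("WAN", "203.0.113.5", 443, "192.168.2.10", 40000)
    # Unsolicited inbound on WAN: no state and no WAN pass rule.
    out["wan_unsolicited"] = fw.handle("WAN", "198.51.100.7", 5555, "192.168.1.1", 22)
    # With any/any rules the wired LANs can reach each other ...
    out["lan_to_lan2"] = fw.handle("LAN", "192.168.1.20", 50000, "192.168.2.10", 445)
    # ... while the negated destination keeps wireless off the LAN subnet.
    out["wifi_to_lan"] = fw.handle("LANtomato", "192.168.3.30", 50001, "192.168.1.20", 445)
    out["wifi_to_inet"] = fw.handle("LANtomato", "192.168.3.30", 50002, "203.0.113.5", 443)
    return out
```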
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.