Netgate Discussion Forum

    Multiple LAN Firewalling

    Firewalling
    16 Posts 4 Posters 2.9k Views
    • geudrik

      @ptt:

      By default LAN allows that, with the (default) "Allow LAN to ANY " Rule… IN "OPT" Type interfaces you must create that rule, since all outbound traffic is Blocked by default.

      Yea, that's making sense now. Overthinking fail. Now I'm puzzled as to why this rule is not working… From a box on my LAN, I can successfully ping a host on my SIP network, which from the screenshot, I believe I should not be able to do. What am I missing here...

      ![Screenshot from 2014-07-06 11:38:31.png](/public/imported_attachments/1/Screenshot from 2014-07-06 11:38:31.png)

      • ptt (Rebel Alliance)

        If you want to Block traffic from the "LAN Net" to the "SIP Net"  you must create the "Block Rule" in the LAN interface Tab ;)

        The "Block all from LAN" Rule is useless in "SIP"; it Must be in "LAN".

        "Normal" (not Floating) FW Rules are applied "on ingress" and are "evaluated/processed" from Top to Bottom, and "First Match wins"

        • geudrik

          @ptt:

          If you want to Block traffic from the "LAN Net" to the "SIP Net"  you must create the "Block Rule" in the LAN interface Tab ;)

          The "Block all from LAN" Rule is useless in "SIP" it Must be in "LAN"

          FW Rules are applied "on ingress"

          Wat. I understand the first part, but wouldn't that be egress? If I have to block LAN->SIP traffic on my LAN interface, that's traffic that's leaving the LAN interface. Which seems very, very backwards.

          Just to clarify, this means that I cannot block on incoming traffic, only outgoing, correct?

          • ptt (Rebel Alliance)

            You "Block or Pass" traffic that "ingress" to the interface with a "certain" destination

            • geudrik

              @ptt:

              You "Block or Pass" traffic that "ingress" to the interface with a "certain" destination

              Yes, I understand that. What I'm asking though is that if I want to drop traffic coming from my LAN network and going into my SIP network, why then am I blocking that traffic on my LAN interface? That would be egress filtering, not ingress. Ingress filtering would be applied by the SIP network/interface (in this example).  :o

              I don't mean to come across as argumentative, but this is not making any sense to me whatsoever (I'm a Linux guy, not BSD, for what it's worth) :S  When I spin up firewall rules, they're blocked on the incoming interface, not outgoing.

              • ptt (Rebel Alliance)

                To block traffic from a LAN host to a SIP host, you create the Rule on LAN, and that rule "Blocks" traffic that "ingresses" from the LAN host to the LAN interface and has the SIP host/network as destination.

                • openletter

                  If I have to block LAN->SIP traffic on my LAN interface, that's traffic that's leaving the LAN interface

                  Actually, that's traffic entering the LAN interface. ;)

                  pfSense 2.4.3-RELEASE (amd64) installed to PC on Samsung 860 EVO mSATA 256 GB SSD with Supermicro X11SBA-LN4F, Intel Pentium N3700, 4 GB RAM, 4 mobo 10/100/1000, 1 PCIe 10/100/1000 x4 NIC (HP NC364T), and APC Smart-UPS SMT1500.

                  • ptt (Rebel Alliance)

                    Some "Reading" about FW rules ;)

                    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

                    https://doc.pfsense.org/index.php/What_are_Floating_Rules

                    • johnpoz (LAYER 8 Global Moderator)

                      Why does this concept confuse so many users??  Place yourself in the firewall..  Look at your interfaces connected to you – if someone on lan wants to go to sip, what is the first interface they hit?  Where do you want to stop the traffic?  That is the interface where you place the rule.

                      Before you process the packet and then say oh wait that shouldn't go out the sip interface..  Or before it enters the firewall?

                      Think of it this way - the interface connected to the source of the traffic is where you place the rule.  If you don't want lan going somewhere you put it on the lan interface, if you don't want boxes on the sip going somewhere then you place the rules on the sip interface.  If you want or don't want stuff from the internet to talk to your pfsense wan or stuff behind pfsense where would you put the rule?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • geudrik

                        Yea, it makes sense now, though it's somewhat of a pain IMO. I wound up having a chat with some friends earlier about this .. not sure why this was such a hassle for me to make sense of initially.

                        It would be nice to see a way to add rules across multiple interfaces. The perk to doing it the other way is minimizing the rules you have to write. For example, if you've got five or six vlans that all need to be segregated, it's a hassle to have to (for each one), firewall off the others.

                        • johnpoz (LAYER 8 Global Moderator)

                          "It would be nice to see a way to add rules across multiple interfaces."

                          It's called the Floating tab.


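The two points the thread keeps circling (rules are evaluated on the interface a packet enters, top to bottom, first match wins, with an implicit block when nothing matches, and the Floating tab being the place for a rule that spans several interfaces) are easiest to see in a small simulator. The following is an added illustration written for this thread, not code from pfSense or from anyone in the discussion. The addressing (LAN 192.168.1.0/24, SIP 192.168.2.0/24, a third VLAN) and the hosts are constructed; the interface a packet "hits first" is derived from which subnet its source address lives in, the stock "Default allow LAN to any" rule is modelled as an ordinary first rule on the LAN tab, and floating rules are simplified to the quick variety (evaluated before interface rules, first match ends evaluation). Only the first packet of a connection is evaluated, as with a stateful firewall where replies are matched to state.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed lab addressing (an assumption for this example, not from the thread).
INTERFACES = {
    "lan": ip_network("192.168.1.0/24"),
    "sip": ip_network("192.168.2.0/24"),
    "vlan10": ip_network("192.168.10.0/24"),
}


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # "any", "<iface> net", or a CIDR string
    dst: str
    proto: str = "any"          # "any", "icmp", "tcp", "udp"
    interfaces: tuple = ()      # floating rules only: interfaces the rule is bound to
    quick: bool = True          # floating rules only: first match ends evaluation


@dataclass
class Packet:
    src: str
    dst: str
    proto: str


def ingress_interface(pkt):
    """The interface a packet enters is the one facing its source network."""
    for name, net in INTERFACES.items():
        if ip_address(pkt.src) in net:
            return name
    raise ValueError(f"no interface for source {pkt.src}")


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec.endswith(" net"):               # "lan net" -> that interface's subnet
        return ip_address(addr) in INTERFACES[spec.split()[0]]
    return ip_address(addr) in ip_network(spec)


def rule_matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst))


@dataclass
class Firewall:
    floating: list = field(default_factory=list)   # Floating tab, in order
    tabs: dict = field(default_factory=dict)       # interface name -> its rules, in order

    def decide(self, pkt):
        """Return (action, where_decided) for the first packet of a new connection."""
        iface = ingress_interface(pkt)
        # 1. Floating rules first, on every interface they are bound to (quick only here).
        for r in self.floating:
            if r.quick and iface in r.interfaces and rule_matches(r, pkt):
                return r.action, "floating"
        # 2. Then the tab of the interface the packet ENTERS, top to bottom, first match wins.
        for r in self.tabs.get(iface, []):
            if rule_matches(r, pkt):
                return r.action, iface
        # 3. Nothing matched: the implicit default on every interface is block.
        return "block", "default"


DEFAULT_ALLOW_LAN = Rule("pass", "lan net", "any")      # stock LAN rule, modelled as a plain rule
BLOCK_LAN_TO_SIP = Rule("block", "lan net", "sip net")
PING_LAN_TO_SIP = Packet("192.168.1.10", "192.168.2.20", "icmp")
PING_SIP_TO_LAN = Packet("192.168.2.20", "192.168.1.10", "icmp")
LAN_TO_INTERNET = Packet("192.168.1.10", "203.0.113.5", "tcp")


def block_rule_on_sip_tab():
    """The thread's starting point: the block rule sits on the SIP tab."""
    fw = Firewall(tabs={"lan": [DEFAULT_ALLOW_LAN], "sip": [BLOCK_LAN_TO_SIP]})
    return fw.decide(PING_LAN_TO_SIP), fw.decide(PING_SIP_TO_LAN)


def block_rule_on_lan_tab(above_default_allow):
    """The fix: the block rule goes on the LAN tab, and its position decides whether it works."""
    rules = ([BLOCK_LAN_TO_SIP, DEFAULT_ALLOW_LAN] if above_default_allow
             else [DEFAULT_ALLOW_LAN, BLOCK_LAN_TO_SIP])
    fw = Firewall(tabs={"lan": rules, "sip": []})
    return fw.decide(PING_LAN_TO_SIP)


def floating_segregation():
    """One quick floating rule bound to several interfaces keeps the local nets apart."""
    keep_local_nets_apart = Rule("block", "any", "192.168.0.0/16",
                                 interfaces=("lan", "sip", "vlan10"), quick=True)
    fw = Firewall(floating=[keep_local_nets_apart], tabs={"lan": [DEFAULT_ALLOW_LAN]})
    return fw.decide(PING_LAN_TO_SIP), fw.decide(LAN_TO_INTERNET)


if __name__ == "__main__":
    print("block on SIP tab, LAN->SIP / SIP->LAN:", block_rule_on_sip_tab())
    print("block on LAN tab above allow:", block_rule_on_lan_tab(True))
    print("block on LAN tab below allow:", block_rule_on_lan_tab(False))
    print("floating block, LAN->SIP / LAN->Internet:", floating_segregation())
```

Running it reproduces the thread: with the block rule on the SIP tab the LAN ping is passed by the LAN tab's allow rule and never reaches the SIP tab at all, while the reverse ping from SIP is dropped by the implicit default because the OPT-type interface has no pass rule. Moving the block to the LAN tab works only if it sits above the default allow, since the first match wins. The floating rule blocks LAN to SIP on every bound interface while leaving LAN to Internet to the LAN tab; in a real deployment a pass rule for traffic to the firewall's own interface addresses (DNS, gateway) would need to sit above such a blanket block.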
                          • geudrik

                            So, for what it's worth, the issue that I wound up having was entirely mental. Firewalling isn't an inherently difficult concept, but the way that pfSense presents it is what threw me for a loop.

                            Firewall Rules (not WAN or Floating)
                            If you're a Linux person like me, you're likely used to iptables.

                            Generally, you use the input chain for rudimentary firewalling because your boxes reside near an edge or are directly connected (at least, that's my use case). That being the case, it only makes sense to use input more heavily than output. So from that perspective, trying to firewall in pfsense makes next to zero sense/is confusing (I'm not talking about the floating tab or NAT rules).

                            Given that the majority of my firewalling has been via iptables, the better way for me to think about firewalling on pfSense is to think about it like I'm using the output chain. Your source will likely always be an address on that network, with the destination being whatever.

                            NAT Rules
                            They work the same way as your input chain does

                            Floating Rules
                            Haven't had enough time to really play with them yet

                            Hopefully this offers some clarity to someone.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.