Firewall destination issues
-
Hi,
Just finalising a setup of a pfSense box to migrate to it from an existing firewall setup and I'm having an issue with firewall rules.
I have a few NICs in the box for multiple internal network 'zones' and of course one for the WAN. I want to specify a destination so for example users in the guest zone can access HTTP, HTTPS, DNS, etc. to the WAN interface, but not to the LAN interface. So far the only way I've been able to get it to work is by not specifying a destination.
In the attachment you'll see a basic setup (I will be putting in a lot more rules but I need to get it working first) of my LAN interface, which from my understanding of pfSense coming from my existing firewall should allow ALL traffic from LAN > DMZ and DNS, HTTP(S) out via the WAN interface for the LAN interface. The problem is all traffic is being blocked unless I change destination from "WAN Net" to * (On this subject also, what is the difference between XXX net and XXX address?) which I don't want as my understanding is it would then allow DNS & HTTP(S) to ALL my zones I have set up?
-
Hi justin.j,
Have a look at this thread here: https://forum.pfsense.org/index.php?topic=80027.0
and see if that answers your questions :)

Regarding "LAN address" vs "LAN Net", the first represents the IP address that pfSense has in that subnet. The last is the entire subnet (all clients on the subnet of the interface, including pfSense itself). For instance, if the LAN interface has an IP address of 192.168.1.1/24, then 192.168.1.1 is the "LAN address". The "LAN Net" is then 192.168.1.0/24, which covers from 192.168.1.1 to 192.168.1.255.
Edit: added some more information.
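To make the macro semantics concrete, here is an added Python model (not pfSense code and not from the linked thread) of how first-match rule evaluation treats "WAN net", "LAN address" and "*". The interface addresses are constructed examples, and the fixed rule set (block the internal zones first, then pass to anywhere) is the common pfSense pattern for a guest zone, shown here as an assumption rather than as the linked thread's content.

```python
import ipaddress

# Constructed interface addresses for the model (hypothetical, not from the thread).
INTERFACES = {
    "LAN": ipaddress.ip_interface("192.168.1.1/24"),
    "DMZ": ipaddress.ip_interface("192.168.2.1/24"),
    "GUEST": ipaddress.ip_interface("192.168.3.1/24"),
    "WAN": ipaddress.ip_interface("203.0.113.5/24"),  # documentation range
}


def macro(name):
    """Resolve a pfSense-style destination macro to a network.

    "X net"     -> the whole subnet attached to interface X
    "X address" -> only the firewall's own IP on interface X
    "*"         -> any address
    """
    if name == "*":
        return ipaddress.ip_network("0.0.0.0/0")
    iface, kind = name.split()
    addr = INTERFACES[iface]
    if kind == "net":
        return addr.network
    if kind == "address":
        return ipaddress.ip_network(str(addr.ip))
    raise ValueError(f"unknown macro: {name}")


def evaluate(rules, dst):
    """First matching rule wins; no match hits the implicit default deny."""
    ip = ipaddress.ip_address(dst)
    for action, dest in rules:
        if ip in macro(dest):
            return action
    return "block"


# Rule set as posted: pass only to "WAN net", i.e. the WAN *subnet*, not the Internet.
AS_POSTED = [("pass", "WAN net")]

# Fixed guest rule set: deny the internal zones explicitly, then pass to anywhere else.
GUEST_FIXED = [("block", "LAN net"), ("block", "DMZ net"), ("pass", "*")]


def main():
    for dst in ("8.8.8.8", "203.0.113.1", "192.168.1.50"):
        print(dst, "posted:", evaluate(AS_POSTED, dst), "fixed:", evaluate(GUEST_FIXED, dst))


if __name__ == "__main__":
    main()
```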
-
Thanks for the reply. That does answer my question and thanks for clarifying the difference between the address and net.
It's a shame to have to specify it that way, it does seem to make things a little more complicated than previous firewalls I've used. Nevertheless, pfSense does bring a lot of features that the previous haven't so it's a small price to pay. It would be nice to have a destination interface option for destination, so that you could pick IF:WAN and have the rule match for any network attached to that particular interface.