Having trouble with LAN block/reject rules - End game is to be able to block internet traffic for these devices by toggling on rule.

ptt

Check/Read:

https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html

https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-processing-order.html

https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-troubleshooting.html

TupleButter

@ptt
Thanks after reading through these again setting these rules as floating rules has appeared to resolve the issue for me.

johnpoz

@TupleButter said in Having trouble with LAN block/reject rules - End game is to be able to block internet traffic for these devices by toggling on rule.:

When I toggle/enable one of these rules internet traffic continues for the device even after I reset the states table as well.

And where did you put them - rules are evaluated top down.. first rule to trigger wins.. If you put them below the default any any they would never trigger.

If you want help with rules - Post a picture..

TupleButter

@johnpoz
Sorry Johnpoz I pulled the screenshots after reading back through the provided links as previously suggested.... And you are correct they were below the default LAN any any... recreating them as floating is working.

johnpoz

While placing rules on floating is a method of getting them to be evaluated before the rules on an interface.. Its almost always better to put them actually on the interface so its easier to see exactly what is going on. While looking that the interface..

Other wise you might be like - why is this not working, when you have a rule on floating blocking it or allowing it, etc.

TupleButter

@johnpoz
Thanks I appreciate the heads up as I create more rules in the future I will keep this in mind. For now I will use the separators to organize.

johnpoz

Not sure what that has to do when rules are not on the interface you would be looking at ;)

It is very simple to put rules in order - there is really no reason to put them on floating.. But whatever works for you - but if you ever come asking for help and someone ask you to post your rules to help you... You need to be CLEAR that you also have floating rules and post those..

Derelict

cat /tmp/rules.debug

johnpoz

Yeah that is easy to look at ;)

TupleButter

@johnpoz I know you are extremely knowledgeable about these devices and very active/helpful on this forum so I wanted to stress that I did not mean for my response to come across rude. I read through the Netgate kb's @ptt provided for me above and determine my mistake. I then deleted the screenshots I had included earlier after I determined the issue. In the future as I have an issue I will be sure to continue to include my screenshots of the issue. Thanks again for your diligence on this !
You are also correct in the fact that I will not keep these as "floating" rules rather on the appropriate interfaces. I have never gone hands on with pfsense prior to ordering these devices but eventually with more reading/doing I will better know my way around the appliance. Thanks again for your patience with me on this !

johnpoz

Don't be worried about being "rude" -- not to me at least... You can call me an idiot if you want, etc. Unlike many people on the internet who identify as 13 year old girls on their first period ;) My skin is a bit thicker than that..

I would be more than happy to exchange F bombs if you so wished, etc.. I spent 16 years in the Navy (6 active, 10 reserve)... I don't think it would be possible for me to take something as "rude" now you might piss me off... But take offense - prob not, think your a "____" sure ok... But still be happy to help you understand/fix a technical issue..

So please also understand if I might sound blunt, or even rude - I am not meaning to be.. I am blunt/direct sort, I don't really like to play nicey nicey worried about if calling you an idiot will hurt your feelings ;) What I am trying to get you to do is understand what your doing is not correct - if you know what I mean.

Now I do try and play nice, mostly because of the whole mod thing - might not look right going around calling users dip shits, etc. But if I did - it wouldn't be personal, the world is full of dip shits ;)

But thanks - and rest assured I was in no way offended or think what you stated was rude.. Play around with doing rules.. And you find unless you have a really good reason, its just simpler to keep them on the interface where they are being applied so you can see them when your creating other new rules for that interface, etc.