The 1.000.000 issue for firewall rule from LAN to WAN
-
Hello,
Freshly migrated from IPFire to pfSense, but I still have an issue:
Simple use case:
I want to block traffic from LAN to WAN for an IP (192.168.2.21) to a google.fr IP (172.217.23.163),
for all protocols (in this case I use ICMP (ping) for testing rules).
First try (with WAN net as target, supposed to be the WAN network):
Fails (nothing in the fw logs).
Second try (with WAN address as target, supposed to be the WAN address group):
Fails (nothing in the fw logs).
Third try (with this firewall):
Fails (nothing in the fw logs).
Fourth try (with the IP of google 172.217.23.163):
Great, works, we're approaching!
Fifth try (with negation of 192.168.2.0, after my own exorcism):
Great, works too.
Sixth and last (with all):
Great, works too.
So my question is, why are cases 1 and 2 not working?
There's probably a good reason, but I want to know why (I have working solutions, but for me cases 1 and 2 are more natural; this is what I implemented in my old IPFire). Thank you!
Fred
-
Hello!
https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html
"WAN net - Please note this is not the internet, this is just the network WAN is connected to, just like the LAN or OPT net aliases above. If your ISP puts you on a x.x.x/21 network, or a /29 or a /24, that is the network this refers to. Not the whole internet."
https://forum.netgate.com/topic/153856/internet-alias
John
-
Thank you John for your response.
WAN is just the WAN interface part (I understand). What are the best practices for my use case?
-
Use 'any' as a destination.
This won't stop 192.168.2.21 from pinging all devices on its own LAN - something you can never stop, not with pfSense or anything else higher up.
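To make the difference between the destination choices concrete, here is an added example (not from the thread or from pfSense itself) that expands each pfSense destination macro into the address ranges it actually covers and checks which ones would match a packet to 172.217.23.163. The WAN /29 and the interface addresses are constructed values standing in for whatever the ISP assigned.

```python
import ipaddress

# Constructed example values (not from the thread): a WAN interface on an ISP
# /29, the LAN from the post, and the google.fr address the poster wanted to block.
INTERFACES = {
    "WAN": {"address": "203.0.113.10", "network": "203.0.113.8/29"},
    "LAN": {"address": "192.168.2.1", "network": "192.168.2.0/24"},
}


def resolve_destination(macro: str) -> list[ipaddress.IPv4Network]:
    """Expand a pfSense destination choice into the networks it really covers.

    'WAN net' is only the subnet attached to the WAN interface (the ISP /29
    here, not the Internet), 'WAN address' is that interface's own IP,
    'This Firewall' is every address the firewall holds, and 'any' is 0.0.0.0/0.
    """
    if macro == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if macro == "This Firewall":
        return [ipaddress.ip_network(i["address"]) for i in INTERFACES.values()]
    name, _, kind = macro.partition(" ")
    if name in INTERFACES and kind in ("net", "address"):
        key = "network" if kind == "net" else "address"
        return [ipaddress.ip_network(INTERFACES[name][key])]
    # Anything else is a literal host or CIDR typed into the rule, e.g. 172.217.23.163
    return [ipaddress.ip_network(macro, strict=False)]


def rule_matches(destination: str, dst_ip: str) -> bool:
    """True if a LAN rule with this destination would catch a packet to dst_ip.

    A leading '!' is the rule's 'invert match' box (the poster's fifth try).
    """
    negate = destination.startswith("!")
    macro = destination.lstrip("! ")
    ip = ipaddress.ip_address(dst_ip)
    hit = any(ip in net for net in resolve_destination(macro))
    return hit != negate


if __name__ == "__main__":
    # Tries 1-3 never match google.fr, so nothing ever shows up in the firewall log.
    # Note that 'any' also covers 192.168.2.x, but LAN-to-LAN traffic between hosts on
    # the same switch never reaches pfSense, so the rule cannot block it either way.
    for dest in ["WAN net", "WAN address", "This Firewall",
                 "172.217.23.163", "! 192.168.2.0/24", "any"]:
        verdict = "blocks" if rule_matches(dest, "172.217.23.163") else "does not match"
        print(f"{dest:18} -> {verdict}")
```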