Interface 1 allow any/any rule allowing traffic to Int2 deny any/any.

  • Ver 2.3.1-p5

    Network 1 (Internet) has a rule allowing any/any.
    Network 2 (Admin) has a rule denying any/any only allowing local admin traffic.

    Network 1 PC is able to access a network 2 server with the network 1 allow rule.  Logging shows that the network 1 rule allow any/any is permitting traffic to network 2 overriding the deny any/any rule on network 2.

    Is this a bug or do I need to set up a deny rule on every interface blocking access to network 2?


  • For testing:

    Network 1:

    • Block any/to network 2
    • allow any/any

    This configuration prevented access.

    Further testing:
    Network 1:

    • Block any/to network 2
    • Block Network 2/any

    Network 2:

    • Allow Network 2/ to Network 1.

    It looks like the local rules on the source network are overriding the rules on the second network.  This looks like it could get complicated for larger networks (which I am setting up, converting from Ci$co routers).

  • Interface rules are only processed on the ingress interface. Just like a Cisco ASA.

  • I understand that it is applied to inbound traffic of the Interface with Cisco, although each interface in a Cisco router is treated separately.

    I might be missing something, but what is the best way to configure multiple client networks with unrestricted access to the Internet while restricting access to each other?

  • LAYER 8 Global Moderator

    huh?  What do you mean complicated.  Rules are evaluated on the interface the traffic enters on, top down; first rule wins, no other rules are evaluated after a rule triggers.

    So not sure what you think overrode anything.

    If you don't want traffic from interface 1, or network 1 to go to network 2, then put in a block.  If you don't want network 2 to create traffic to network 1 then you would put a rule on network 2 interface stating that.

    If you want to get fancy/complicated then you could use the floating rules, which are evaluated first, can be in or out, and can be set for multiple interfaces at the same time.

    All the interfaces are treated separately in pfsense as well.  You need to put your rules on the interface the traffic will enter pfsense on.

  • LAYER 8 Netgate

  • Thanks for the assistance.  I'll have to see how I broke it earlier to understand how later, but it's working now with the following.

    Network 1 (Internet)
    Permit Any/Any

    Network 2 (Admin/secured)
    Permit Admin/Admin

    Floating Rule
    Block - Interface Network 2 - Direction Out - Proto Any - Source Any - Dest Network 2
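The evaluation order the thread settles on (floating rules first, then only the ingress interface's rules, top down, first match wins, default deny), as an added example that is not pfSense code and not from any post: a simplified, stateless Python model in which the interface names, the two subnets and the host addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed sample addressing for the thread's two networks (not from the post).
NET1 = ip_network("192.0.2.0/24")      # "Network 1": clients that may reach the Internet
NET2 = ip_network("198.51.100.0/24")   # "Network 2": Admin/secured
ANY = ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str            # "pass" or "block"
    iface: str             # interface the rule is bound to
    src: IPv4Network
    dst: IPv4Network
    direction: str = "in"  # interface rules are always "in"; a floating rule may be "out"

def _match(r, iface, direction, src, dst):
    return r.iface == iface and r.direction == direction and src in r.src and dst in r.dst

def evaluate(floating, iface_rules, ingress, egress, src, dst):
    """Order as the moderator describes it: floating rules first, then only the rules of
    the interface the packet ENTERS on, top down, first match wins; no match = default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for r in floating:  # "in" is checked against the ingress, "out" against the egress interface
        if _match(r, ingress, "in", src, dst) or _match(r, egress, "out", src, dst):
            return r.action
    for r in iface_rules.get(ingress, []):  # Network 2's own rules are never consulted here
        if _match(r, ingress, "in", src, dst):
            return r.action
    return "block"

# Original post: allow any/any on Network 1, admin-to-admin only on Network 2.
ORIGINAL = {"net1": [Rule("pass", "net1", ANY, ANY)],
            "net2": [Rule("pass", "net2", NET2, NET2)]}
# Fix from the last post: floating block, interface Network 2, direction out, dest Network 2.
FLOATING_FIX = [Rule("block", "net2", ANY, NET2, direction="out")]
# Alternative from the second post: block on the ingress interface, ABOVE the allow.
INGRESS_FIX = {"net1": [Rule("block", "net1", ANY, NET2), Rule("pass", "net1", ANY, ANY)],
               "net2": ORIGINAL["net2"]}

if __name__ == "__main__":
    client, server, internet = "192.0.2.10", "198.51.100.5", "203.0.113.1"
    print(evaluate([], ORIGINAL, "net1", "net2", client, server))            # pass (what the OP saw)
    print(evaluate(FLOATING_FIX, ORIGINAL, "net1", "net2", client, server))  # block
    print(evaluate([], INGRESS_FIX, "net1", "net2", client, server))         # block
    print(evaluate(FLOATING_FIX, ORIGINAL, "net1", "wan", client, internet)) # pass
```

The first call shows why the deny on Network 2 never fired: a packet entering on Network 1 is only checked against Network 1's rules, so the block has to live on the ingress interface or in a floating rule.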