No destination interface in firewall rules


  • Hi,

    There doesn't seem to be the ability to specify a destination interface in firewall rules? - why is this?

    I have a number of VLANs and other than in specific cases, I don't want them to be able to route to each other - generally just to the internet.

    So for this, I have to have an alias containing a list of local network ranges, and then have a firewall rule like:

    interface: LAN
    src: LAN NET
    dest: ! local_networks

    instead of:

    interface: LAN
    src: LAN NET
    dest interface: WAN

    Is that the only/best way to do it, or am I missing something?

    Thanks,

    Ian

  • Banned

    Huh?!

    :o ::)


  • That's destination address, not interface.

    In the case of my question, the destination address is everything, except a few subnets.

    The simplest way of doing that was to list those subnets in an alias.

    But destination interface (WAN) would be simpler.

    Thanks,

    Ian

  • Banned

    @ichilton:

    That's destination address, not interface.

    Ugh, maybe look at the dropdown as well?  What'd you figure the LAN net etc. is for there?


  • LAN net is the subnet on the LAN interface - not the interface itself.

    If I set the destination to WAN NET, then I'd only be able to access my own allocated subnet, not the rest of the internet.


  • For clarification, my question was whether there was a better way to do this rule, without having ! local_networks.

    local_networks is an alias containing 10.0.0.0/8, my allocated v4 subnet and my allocated v6 subnet.

    ![Screen Shot 2017-01-26 at 11.11.22.png](/public/imported_attachments/1/Screen Shot 2017-01-26 at 11.11.22.png)

  • Banned

    Yes, WAN net is not internet and layer 2 is not layer 3. The request here makes no sense. (And what you are asking has been discussed about 5496 times before.) Have a nice day.


  • so you would do it like I already have?

    In iptables, I would do it like this:

    iptables -A FORWARD -i eth0.4 -o pppoe0 -s 10.4.0.0/24 -j ACCEPT

  • LAYER 8 Global Moderator

    If you're wanting your clients to go to the internet from the lan network, then you could use dest any?

    Or sure you could use ! (not) to say as long as you're not going here, it's ok.. Or you could use dest any, and above that put in block rules to your other vlans.

    "I don't want them to be able to route to each other - generally just to the internet."

    How I accomplish this is with a simple alias that I put in the rfc1918 space..  I know for sure that all my vlans will be in this space ;)  So I use a ! rule to say not rfc1918 space, have at it, allowed.  So this lets them go to the internet, but not my other networks.  See example attached, I let that network ping pfsense, let it use it for dns.  I have a rule that allows access to my ntp servers on a different vlan.  But then I block all other access to pfsense on any other IP, lan or wan, etc.

    Dest interface sure doesn't tell me that is how you get to the internet.. This rule is clear and easy to understand.. As long as you're not going to an rfc1918 address it's allowed, ie internet..

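As an added illustration of the "dest: ! alias" pattern the two posts above settle on (this is example code written for this page, not pfSense code and not code from either poster), the following Python models a first-match ruleset and runs a handful of constructed packets through three variants: the `! local_networks` rule with the firewall's own addresses blocked above it, the "dest interface: WAN" intuition written as `dest: WAN net`, and an alias that lists only RFC1918 space. Every prefix, alias name and `this_firewall` entry is an assumption; documentation address ranges stand in for "my allocated v4 subnet" and "my allocated v6 subnet".

```python
"""Toy first-match evaluator for the "dest: ! local_networks" pattern.

Added example; not pfSense code and not from the thread. All prefixes are
constructed: documentation ranges stand in for the ISP-allocated subnets.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Aliases ("objects"): name -> list of networks or hosts. Assumed values.
ALIASES = {
    "rfc1918": RFC1918,
    # RFC1918 plus the allocated v4 and v6 prefixes, as in the original post
    "local_networks": RFC1918 + ["203.0.113.0/24", "2001:db8:1::/48"],
    "VLAN4 net": ["10.4.0.0/24", "2001:db8:1:4::/64"],
    "WAN net": ["203.0.113.0/24"],          # the firewall's WAN subnet only
    "this_firewall": ["10.4.0.1", "203.0.113.2", "2001:db8:1:4::1"],
}


def in_alias(addr: str, alias: str) -> bool:
    """True if addr falls inside any entry of the alias.

    ipaddress membership is False across families, so a v4-only alias never
    matches a v6 destination; that is why the v6 prefix has to be listed too.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in ALIASES[alias])


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source alias
    dst: str                     # destination alias
    dst_negate: bool = False     # the "!" (invert match) on the destination
    dport: Optional[int] = None  # None matches any destination port


def matches(rule: Rule, src: str, dst: str, dport: Optional[int]) -> bool:
    if not in_alias(src, rule.src):
        return False
    # with dst_negate the rule matches exactly when dst is NOT in the alias
    if in_alias(dst, rule.dst) == rule.dst_negate:
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(rules: List[Rule], src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching rule wins (interface rules are evaluated as 'quick');
    traffic that matches no rule hits the implicit default deny."""
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule.action
    return "block"


# Ruleset in the spirit of the thread: allow DNS to the firewall, block every
# other destination on the firewall itself, then pass anything not local.
VLAN4_RULES = [
    Rule("pass", "VLAN4 net", "this_firewall", dport=53),
    Rule("block", "VLAN4 net", "this_firewall"),
    Rule("pass", "VLAN4 net", "local_networks", dst_negate=True),
]

# The "dest interface: WAN" intuition written as "dest: WAN net" instead.
WAN_NET_RULES = [Rule("pass", "VLAN4 net", "WAN net")]

# Alias that lists only RFC1918 space and forgets the routed public allocation.
RFC1918_ONLY_RULES = [Rule("pass", "VLAN4 net", "rfc1918", dst_negate=True)]

# Constructed test packets: (src, dst, dport, what the VLAN policy intends).
PACKETS = [
    ("10.4.0.5", "8.8.8.8", 443, "pass"),                      # internet
    ("10.4.0.5", "10.5.0.10", 22, "block"),                    # another VLAN
    ("10.4.0.5", "10.4.0.1", 53, "pass"),                      # DNS on the firewall
    ("10.4.0.5", "10.4.0.1", 443, "block"),                    # firewall GUI
    ("10.4.0.5", "203.0.113.50", 443, "block"),                # host on the allocated v4 block
    ("2001:db8:1:4::5", "2001:db8:1:5::1", 443, "block"),      # v6 neighbour VLAN
    ("2001:db8:1:4::5", "2606:4700:4700::1111", 443, "pass"),  # v6 internet
]


def check(rules: List[Rule]) -> List[str]:
    """Return the packets for which the ruleset deviates from the intended policy."""
    return [f"{s} -> {d}:{p} got {evaluate(rules, s, d, p)}, wanted {want}"
            for s, d, p, want in PACKETS if evaluate(rules, s, d, p) != want]


if __name__ == "__main__":
    for name, rules in [("! local_networks", VLAN4_RULES),
                        ("dest WAN net", WAN_NET_RULES),
                        ("! rfc1918 only", RFC1918_ONLY_RULES)]:
        bad = check(rules)
        print(f"{name}: {'ok' if not bad else str(len(bad)) + ' deviations'}")
        for line in bad:
            print("   ", line)
```

Running it shows the `! local_networks` ruleset matching the intended policy on every packet, the `dest: WAN net` variant blocking the internet entirely (it only ever reaches the firewall's own WAN subnet), and the RFC1918-only alias letting the VLAN reach hosts on the routed public v4 block and every v6 destination, which is exactly why the original post's alias carries the allocated v4 and v6 prefixes as well.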

  • Banned

    @ichilton:

    In iptables, I would do it like this:
    iptables -A FORWARD -i eth0.4 -o pppoe0 -s 10.4.0.0/24 -j ACCEPT

    See above. And what you do in iptables is essentially broken, because you are hardcoding the interface name. Not usable. When you re-assign the interface, you get completely BS rules.


  • @johnpoz:

    How I accomplish this is with a simple alias that I put in the rfc1918 space..

    Right!! - so you are doing exactly the same thing as me! - except rather than mine just being RFC1918, it includes my ISP allocated subnets too - for both ipv4 and ipv6.

    The alternative would be block rules on each VLAN, to drop/block packets bound for other vlans, but while using an alias felt a little hacky, it was at least a single rule.

    Thanks!

    Ian

  • LAYER 8 Global Moderator

    How is using an alias "hacky"??  Every firewall I have ever used allows the use of "objects" if you will. Juniper, Checkpoint, Fortigate, Cisco ASA, etc.. etc.. etc.. Even iptables can use ipsets to store the same thing.. groups of ips, networks, ports so how is it "hacky" ???

    Would it feel less hacky if pfsense called them "objects" ;) and you could put networks in there, or ports?  Or IPs ;)

    I have another alias I use for my ipv6 stuff, but I currently am not allowing ipv6 on my dmz segment, so it is pretty useless putting in rules for it ;)  That segment can not go anywhere via ipv6..


  • Maybe hacky was too strong a word!

    I guess the developer in me was thinking that an alias felt inefficient - a lookup and then multiple instances to parse - so being new to pfsense, I wanted to check I was doing it the best way. Pleased that, looking at your screenshot, I'd come up with almost identical rules to you :)

    Thanks!

    Ian