Question about Diagnostics/Ping and Firewall Rules
I have different networks that are all isolated with firewall rules. If put a PC on any of these networks I am unable to reach any clients on the other networks which is desired.
However, if i go to Diagnostics/Ping and put the hostname of a computer on one network (192.168.50.5 example) and the source address as a different network interface (OPT2_192.168.7.0/24 example), the ping reports 0 packets lost. I'm confused because i don't understand why my rules appear to be working when tested from computers on a network, and the rules don't appear to be working when I test connectivity from Diagnostics/Ping.
Can anyone explain what I'm missing here?
Any connection initiated from the firewall host is going to matched only against the outgoing filter rules, not incoming rules. By default pfSense allows all outgoing traffic on each of the interfaces but if you want to control the outgoing traffic you can use the floating rules which have an option to match outgoing traffic instead of just incoming.
To make sure I understand, in the firewall rules for the interface OPT2, I have the following rule:
Source OPT2 net
Destination LAN net (192.168.50.0/24)
Is that basically an incoming rule even though its a rule blocking outgoing traffic from OPT2 net?
When I say "incoming" I mean traffic entering an interface (any interface) from the connected network and with "outgoing" I mean traffic leaving via an interface to the connected network. PfSense terminology is like this and it confuses people because they think from the point of view of a client system only. Instead you should look from the point of view of the pfSense system and see how each connection either enters or leaves the system trough the network interfaces.
All standard rules in pfSense are incoming rules, they will never match outgoing traffic. As I already said to filter outgoing traffic you will need floating rules.
^ well put.. Think of your interfaces as doors entering your pfsense house. With your rules as door man standing in front of the door. He checks his list (rules) he scans down the list top down, first rule to match wins and he doesn't look at any more rules on his list. If the packet matches and allows he allows you into the pfsense house. If you hit a block rule your not let in. Doesn't matter what a rule says below the one that matches the traffic as it enters pfsense.
You can do outgoing rules from pfsense.. But those would be done in the floating tab.. And in honesty you almost would never need such rule.. Its always better to evaluate the traffic before it enters pfsense vs doing the work of letting it in, just to block it when it tries to leave.
If you don't want devices on your lan network to talk to your opt network, then put the rules on your lan interface. If you don't want devices on your opt network talking to lan, put rules on your opt interface. Evaluate the traffic before it enters pfsense!
Thanks kpa and johnpoz! That makes it super clear and helpful while I'm building and testing rules. Thanks again for your help.