    Netgate Discussion Forum
    Simple Firewall rule confusion?

    Firewalling
    FroToast:

      Hi,

      So I'm new to PFSense and I'm wondering about the firewall rules. So I just have a few questions.

      In the Firewall rules tab: IE: Firewall>Rules>(name of Interface).
      You're allowed to create a Source for your rule. But since you're already on the tab that corresponds to the interface you're managing, what would you use the source for?

      For instance, if I put a * for source and WAN net for Destination to allow only internet access, it does not work. Why is that?

      Or inversely, if I put an (Interface name) for source and WAN net for the destination, it does not work either.

      (Refer to pictures attached below)

      FroToast:

        Also, if it helps, I'll give a little bit of context.

        I have a subnet set up for those renting the downstairs and sharing the same connection with us. I want to separate them from our local network. Therefore, I want to allow only their subnet to access the internet.

        ptt (Rebel Alliance):

          @FroToast:

          Hi,

          So I'm new to PFSense and I'm wondering about the firewall rules. So I just have a few questions.

          In the Firewall rules tab: IE: Firewall>Rules>(name of Interface).
          You're allowed to create a Source for your rule. But since you're already on the tab that corresponds to the interface you're managing, what would you use the source for?

          Because maybe you need/want to "Block/Pass" only one Host/IP (or alias) ;)

          @FroToast:

          For instance, if I put a * for source and WAN net for Destination to allow only internet access, it does not work. Why is that?

          Because "WAN Net" != "Internet"

          Please check the docs:

          https://doc.pfsense.org/index.php/Firewall_Rule_Basics

          https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

          https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

          Harvy66:

            WAN Net is the subnet for the WAN interface.

            FroToast:

              Hi,

              Sorry for the late reply, I was away from home for a while.

              Thanks for your response!

              So I just have a few questions.

              The source in a firewall rule would only apply to the interface it is created for, i.e. if I create a rule for the LAN1 tab, that would not affect LAN2. I ask because I notice there is an option to set the source to another subnet, even though you're creating a rule for one specified interface, which in turn only manages one subnet.

              Could you elaborate on what you mean by WAN Net != internet? Because I'm wondering if it is possible to just create a rule to allow a subnet only to the internet rather than blocking every other subnet.
              And from the picture I've attached, it doesn't look like it.

              This isn't a huge deal; nonetheless I feel like it makes sense to ask.

              Edit: Changed post to be easier to understand.

              johnpoz (LAYER 8 Global Moderator):

                "That's why I would like to ask you to elaborate on why Wan != Internet."

                So what does lan net = ??  192.168.1.0/24 or whatever you made your lan… What does OPT1 net = 172.16.0.0/23 ??

                So why would you think wan "net" would be anything other than the network on your wan interface..  Mine is 24.13.x.x/21 – so that is the network for wan net, not the internet..

                As to why you can pick the source, as gone over: maybe you want a rule for 192.168.1.14 as the source on that rule, or maybe you have downstream networks and this interface is just a transit network to some downstream router, or maybe it's your enterprise network that is everything under the sun for RFC1918 space?  So you could just put any; if it's a transit, the net is prob a /30 or maybe a /29, so that "net" is pretty small.

                FroToast:

                  Look, I didn't mean to sound presumptuous, I'm just wondering about the difference between WAN and Internet that he was referring to.

                  I am not following you right now. I sense a bit of urgency in your words. I would appreciate it if you would explain in full and clear sentences.

                  I do not know what you're referring to when you colloquially type out your post as such.

                  @johnpoz:

                  So what does lan net = ??  192.168.1.0/24 or whatever you made your lan… What does OPT1 net = 172.16.0.0/23 ??

                  @johnpoz:

                  As to why you can pick the source, as gone over: maybe you want a rule for 192.168.1.14 as the source on that rule, or maybe you have downstream networks and this interface is just a transit network to some downstream router, or maybe it's your enterprise network that is everything under the sun for RFC1918 space?  So you could just put any; if it's a transit, the net is prob a /30 or maybe a /29, so that "net" is pretty small.

                  I am not an advanced user, thus, I could not pick up on what you are saying.

                  @johnpoz:

                  "So why would you think wan "net" would be anything other than the network on your wan interface.."

                  The WAN interface is bridged through my modem to the "internet". Therefore, I assumed that if I create a firewall rule with this source (LAN Net) and this destination (WAN Net), my users on that subnet would be able to connect to the internet. Please refer to the picture in my opening post.

                  johnpoz (LAYER 8 Global Moderator):

                    "this destination (WAN Net)"

                    No, that dest is exactly that. Let's say yours is 1.2.3.0/24, which is your public IP.. Are they going there??  No, they are going to some other IP on the internet: 8.8.8.8, 4.4.4.4, etc.. 5.6.7.8

                    They are not dest to your WAN NET..

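To make the two points of this thread concrete (why "WAN net" as a destination never gives internet access, and what the Source field on an interface tab is for), here is a small Python model of pfSense's first-match, default-deny rule evaluation. This is an example added by the editor, not code posted by anyone in the thread and not pfSense's own implementation. The addresses are constructed for the demo: 1.2.3.0/24, 8.8.8.8, 192.168.1.14 and 172.16.0.0/23 come from the replies above, while using 172.16.0.0/23 as the tenants' OPT1 subnet, 192.168.1.0/24 as the owner's LAN, and the "block tenants from LAN, then pass any" ruleset as the fix are assumptions, not something quoted from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample addressing (assumption, not the poster's real config).
WAN_NET = ipaddress.ip_network("1.2.3.0/24")      # subnet on the WAN interface, NOT "the internet"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # owner's LAN (assumed)
OPT1_NET = ipaddress.ip_network("172.16.0.0/23")  # tenants' subnet (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")           # what "*" / "any" means in the rule editor


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "block"
    source: ipaddress.IPv4Network       # the Source field of the rule
    destination: ipaddress.IPv4Network  # the Destination field of the rule
    description: str


def first_match(rules: List[Rule], src: str, dst: str) -> str:
    """Evaluate the rules of one interface tab for a packet entering that
    interface: top to bottom, first match wins, and a packet that matches no
    rule hits pfSense's implicit default deny."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.source and d in rule.destination:
            return rule.action
    return "block"  # default deny for anything no rule matched


# The poster's attempt on the OPT1 tab: pass OPT1 net -> WAN net.
# "WAN net" only covers 1.2.3.0/24, so 8.8.8.8 falls through to the default deny.
OPT1_RULES_WAN_NET = [
    Rule("pass", OPT1_NET, WAN_NET, "tenants -> WAN net (reaches only 1.2.3.0/24)"),
]

# A common fix (assumed here, not quoted from the thread): keep the tenants off
# the owner's LAN first, then pass everything else. "Everything else" is what
# "the internet" means to the firewall: any destination not explicitly blocked.
OPT1_RULES_FIXED = [
    Rule("block", OPT1_NET, LAN_NET, "keep tenants off our LAN"),
    Rule("pass", OPT1_NET, ANY, "tenants -> anywhere else"),
]

# Why the Source field exists even though the tab already picks the interface:
# narrowing the rule to one host on the LAN tab lets only 192.168.1.14 out;
# every other LAN host is still caught by the default deny.
LAN_RULES_ONE_HOST = [
    Rule("pass", ipaddress.ip_network("192.168.1.14/32"), ANY, "only this host may leave"),
]


def demo() -> dict:
    """Return the verdicts for a few constructed packets under each ruleset."""
    return {
        "tenant->8.8.8.8 with dest WAN net": first_match(OPT1_RULES_WAN_NET, "172.16.0.10", "8.8.8.8"),
        "tenant->1.2.3.4 with dest WAN net": first_match(OPT1_RULES_WAN_NET, "172.16.0.10", "1.2.3.4"),
        "tenant->8.8.8.8 with fixed rules":  first_match(OPT1_RULES_FIXED, "172.16.0.10", "8.8.8.8"),
        "tenant->192.168.1.14 with fixed rules": first_match(OPT1_RULES_FIXED, "172.16.0.10", "192.168.1.14"),
        "192.168.1.14->8.8.8.8 on LAN tab": first_match(LAN_RULES_ONE_HOST, "192.168.1.14", "8.8.8.8"),
        "192.168.1.20->8.8.8.8 on LAN tab": first_match(LAN_RULES_ONE_HOST, "192.168.1.20", "8.8.8.8"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The model only covers the matching logic the thread is about; real pfSense rules are stateful, apply NAT on the way out, and, if the firewall itself is the tenants' DNS resolver, need a pass rule to the firewall's own OPT1 address placed above the block on the LAN subnet.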
                    © 2021 Rubicon Communications, LLC | Privacy Policy