Simple Firewall rule confusion?

FroToast

Hi,

So I'm new to PFSense and I'm wondering about the firewall rules. So I just have a few questions.

In the Firewall rules tab: IE: Firewall>Rules>(name of Interface).
You're allowed to create a Source for your rule. But since ur already on the tab that corresponds to the interface you're managing, why would you use the source for?

For instance, If I put a * for source and WAN net for Destination to allow only internet access, it does not work. Why is that?

Or inversely, If I put an (Interface name) for source and WAN net for the destination, it does not work either.

(Refer to pictures attached below)

FroToast

Also, if it helps, I'll give a little bit of context.

I have a subnet setup for those renting the downstairs and sharing the same connection with us. I want to separate them from our local network. Therefore, want to allow only their subnet to access the internet.

ptt

@FroToast:

Hi,

So I'm new to PFSense and I'm wondering about the firewall rules. So I just have a few questions.

In the Firewall rules tab: IE: Firewall>Rules>(name of Interface).
You're allowed to create a Source for your rule. But since ur already on the tab that corresponds to the interface you're managing, why would you use the source for?

Because you maybe  need/want to "Block/Pass" only one Host/IP (or alias)  ;)

@FroToast:

For instance, If I put a * for source and WAN net for Destination to allow only internet access, it does not work. Why is that?

Because "WAN Net" != "Internet"

Please Check the Docs

https://doc.pfsense.org/index.php/Firewall_Rule_Basics

https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

Harvy66

WAN Net is the subnet for the WAN interface

FroToast

Hi,

Sorry for the late reply, I was away from home for a while.

Thanks for your response!

So I just have a few questions,

The source in a firewall rule would only apply to that interface it is created for. IE: I create a Rule for the LAN1 tab, that would not affect LAN2.
Because, I notice there is an option to set the source to another subnet, even though you're creating a rule for one specified interface. Which in turn only manages one subnet.

Could you elaborate what you mean by WAN Net =! internet. Because I'm wondering if it is possible to just create a rule to allow a subnet only to the internet rather than blocking every other subnet?
And by that picture, I've attached, it doesn't look like it.

This isn't a huge deal, nontheless I feel like it makes sense to ask.

Edit: Change post to be easier to understand.

johnpoz

"That's why I would like to ask you to elaborate on why Wan != Internet."

So what does lan net = ??  192.168.1.0/24 or whatever you made your lan… What does does OPT1 net = 172.16.0.0/23 ??

So why would you think wan "net" would be anything other than the network on your wan interface..  Mine is 24.13.x.x/21 – so that is the network for wan net, not the itnernet..

As to why you can pick the source as gone over maybe you want a rule for 192.168.1.14 as the source on that rule, or maybe you have downstream networks and this interface is just a transit network to some downstream router, or maybe its your enterprise network that is everything under the sun for rfc1918 space?  So you could just put any, if its a transit the net prob a /30 or maybe a /29 so that "net" is pretty small.

FroToast

Look, I didn't mean to sound presumptuous, I'm just wondering the difference between WAN and Internet that he was referring to.

I am not following you right now. I sense a bit of urgency in your words. I would appreciate it if you would explain in full and clear sentences.

I do not know what you're referring to when you colloquially type out your post as such.

@johnpoz:

So what does lan net = ??  192.168.1.0/24 or whatever you made your lan… What does does OPT1 net = 172.16.0.0/23 ??

@johnpoz:

As to why you can pick the source as gone over maybe you want a rule for 192.168.1.14 as the source on that rule, or maybe you have downstream networks and this interface is just a transit network to some downstream router, or maybe

@johnpoz:

its your enterprise network that is everything under the sun for rfc1918 space?  So you could just put any, if its a transit the net prob a /30 or maybe a /29 so that "net" is pretty small.

I am not an advanced user, thus, I could not pick up on what you are saying.

@johnpoz:

"So why would you think wan "net" would be anything other than the network on your wan interface.."

The WAN interface is bridged through my modem to the "internet" Therefore, I assumed that if I create a firewall rule with this source(LAN Net) and this destination (WAN Net), My users on that subnet would be able to connect to the internet. Please refer to the picture in my opening post.

johnpoz

"this destination (WAN Net)"

No that dest is exactly that lets say yours is 1.2.3.0/24 is your public IP.. Are they going to there??  No they are going to some other IP on the internet 8.8.8.8, 4.4.4.4, etc.. 5.6.7.8

They are not dest to your WAN NET..