Firewall Rule Block Internet Access

  • I understand that rules are defined on the interfaces, so a rule affects a firewall interface.

    If i have 3 Interfaces:

    WAN (Internet router here)

    On Wifi I have 2 Clients: Phone, Laptop

    If I want to block Phone or Laptop from accessing the internet I now would have a rule on

    Wifi: Block IP Phone access any.

    This would block Phone from Accessing WAN and Wifi2.

    Or is it more logical to have the Rule on the Wan interface:

    Wan: Block IP Phone access any.

    This would block Phone only from accessing WAN.

    Or is it better to have the rule on Wifi:

    Block Phone access to WAN net? This does not seem to work here, I don't get what false thinking I have here.

    If on WAN I want to have: All traffic that comes from the Internet Router- do I say: Source Wan Net or Source Inet-Router IP or Source All?

    Is NAT considered to be part of the WAN net?


  • LAYER 8 Global Moderator

    Rules are evaluated as the traffic enters an interface towards pfsense.  Rules are evaluated top down, first rule to trigger wins - no other rules are evaluated.

    WAN net is not the internet, it's just WAN net, whatever that network is.

    If you don't want wifi net to access wifi2 net, then on wifi net as the first rule put source wifi net, dest wifi2 net, any any, block!  Put that as your first rule.
    2nd rule just use the default any any for source wifi net.

    This is the most basic you could do to accomplish what you asked.  You can get fancier and more restrictive with it if you desire.

    Repeat and reverse if you want the same thing for wifi2 not accessing wifi net, etc.  Do you want some example rules in picture format?

  • Hi,
    thanks, yes pictures would be fine, I am sure I would see some things I didn't think of yet.

    If the internet router is one IP on WAN net - how do I block access to the internet from i.e. wifi1 - do I forbid any traffic to WAN, any traffic to WAN net or any traffic to the IP of the inet router?

  • LAYER 8 Global Moderator

    Blocking traffic to the "internet" would be a block ANY.. Since the internet really could be any IP other than rfc1918 or bogon.. So to allow internet you need to allow dest IP any..  Or use a ! (not) something specific..

    Why would you want to block your phone and ipad from using the internet?  Seems to really limit their function ;)  But you want to allow them access to the other wifi network?  Do you want them to be able to access pfsense for some reason?

    What is it you want to allow and what is it you want to block, and I will post up a picture of the rules doing that.

  • I.e. an Amazon Dash button that should not reach out to the internet but for which the traffic should be monitorable on every subnet.
    Now I have Block all from Dash button on interface Wifi.
    Why would block all from Dash IP to everywhere on interface WAN work - traffic from Wifi would go over WAN for the internet?

  • LAYER 8 Global Moderator

    "I.e. amazon dash button that should not reach out to the internet"

    that makes it pretty useless ;)

    Again let's go over this 1 more time - WAN is not the internet.. WAN is just some network...  So mine is 24.13.x.x/21, that is my WAN network.. If I block access to the WAN network - why would that stop me from going to say google dns at

    You wouldn't block it on the wan interface because the traffic from the dash doesn't enter the wan interface from the wan towards pfsense.

    Firewall rules are evaluated top down, as the traffic enters pfsense - first rule to trigger wins, no other rules are evaluated.

    So again let's ask - do you want these Dash buttons that are on wifi to talk to stuff on wifi2?

  • Hi,
    yes, the buttons should talk to wifi2. And no :) they are useful:

    so - and I think that's what I missed - you HAVE to define a rule on the interface the traffic enters. You CAN'T define a rule on an interface for traffic that passes an interface? (why?)

    because in my imagination it seemed logical to have no rule on wifi1 and wifi2 and one on WAN, so traffic that goes from wifi1 to wifi2 and vice versa wouldn't be affected, and as on WAN I only have the internet router any Dash traffic would be blocked from going out.

  • LAYER 8 Global Moderator

    While you can do that sort of thing on the floating tab..

    This is not good to do for many reasons - one is why have your firewall/router process traffic that you are just going to stop on its way out.. Why even let it in!

    Think of pfsense as a house, with the different interfaces as doors into/out of the house..  Say your WAN is your front door and your LAN is your back door.  So you have say the kids playing in the back yard.  And you're standing between the back yard and the house (pfsense).

    Now your kid says I want to go over to Billy's house.  Do you let him into the house and have him walk through the house just to stop him from leaving by the front door?  Or do you tell him hey, you can not go to Billy's house, before he even enters the back door. ;)

    Why should pfsense do anything with the traffic when it is just going to drop it as it tries to leave?  Drop it before pfsense does anything with the packet.  Drop it before it ever enters pfsense.

    While you can do outbound rules on interfaces with the floating tab - it's better to stop the packets before they even enter pfsense!  This is why rules should be done on the interfaces that are inbound into pfsense from that network.

    Would you allow traffic from the internet into the WAN, just to stop it from entering the LAN as it tries to leave the LAN interface and enter the LAN?  Or would you just stop it as it hits your WAN?

    A simple rule you could put on both your LAN side interfaces is to create an alias that contains your networks or all the rfc1918 space.  Now on your wifi and wifi2 just create a rule that says allow any any with dest ! (not) your alias.  So now as long as your devices on either wifi or wifi2 are going to something local they would be allowed.  If trying to go anywhere else, like google dns, that rule would not trigger and they would hit the default deny that is on every interface and be dropped, and not be able to go anywhere other than your local networks.  While you could for sure do this on the floating tab, and pick both your wifi and wifi2 interfaces as inbound.

    It's cleaner and easier to read to put the rules on the interfaces directly - so when you get fancier and start wanting to limit say traffic between your interfaces it's easier to keep track of which rules apply where.

  • thanks a lot, this makes it very clear !

  • LAYER 8 Global Moderator

    No problem do you still want a picture?

    Here I fired up a test interface.

    So see my alias that contains all the rfc1918 space..  So this rule would allow anything on this network to go anywhere as long as it's rfc1918 space.. So all my other networks lan, wlan, dmz, wlan_roku, etc..  But would not trigger if destination is anything other than rfc1918 space..

    So if going to say - it would not trigger this allow rule, and would be denied by the default block rule that is not shown.. All interfaces have a default DENY rule: if traffic is not allowed it's blocked.  This is how pfsense works.

    So put this rule on your wifi and wifi2, just changing the source to the appropriate network, and then they can talk to each other but not the internet.  If you're just going to have an any any rule between wifi and wifi2 - why not just have 1 network?
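
    The evaluation model the moderator describes (rules live on the interface the traffic enters, evaluated top down, first match wins, implicit default deny) and the RFC1918-alias allow rule from the screenshot post, as an added Python simulation that is not part of this thread and not pfSense's own code. The WIFI/WIFI2 networks, the client address and the public address are constructed; the second rule set shows what the same rule does with "!" set on the alias.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed alias mirroring the "all rfc1918 space" alias from the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str                              # "pass" or "block"
    src: str                                 # source network in CIDR, or "any"
    dst: list = field(default_factory=list)  # destination alias (list of networks); empty = any
    dst_not: bool = False                    # the "! (not)" invert box on the destination

def matches(rule, src_ip, dst_ip):
    src_ok = rule.src == "any" or src_ip in ipaddress.ip_network(rule.src)
    dst_ok = not rule.dst or any(dst_ip in n for n in rule.dst)
    if rule.dst and rule.dst_not:
        dst_ok = not dst_ok
    return src_ok and dst_ok

def evaluate(rules, src, dst):
    """Evaluate one interface's rule list top down: the first match wins.
    No match falls through to the default deny that every interface has."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, rule in enumerate(rules):
        if matches(rule, src_ip, dst_ip):
            return rule.action, index
    return "block", None

# Assumed (constructed) addressing: WIFI = 192.168.10.0/24, WIFI2 = 192.168.20.0/24.
WIFI_NET, WIFI2_NET = "192.168.10.0/24", "192.168.20.0/24"

# Rules on the WIFI interface, i.e. where traffic from WIFI clients enters pfSense:
#   1. block WIFI -> WIFI2 (the optional first rule from the moderator's first reply)
#   2. pass  WIFI -> anything inside the RFC1918 alias (the rule in the screenshot)
# A public destination matches neither rule and hits the default deny.
WIFI_RULES = [
    Rule("block", WIFI_NET, [ipaddress.ip_network(WIFI2_NET)]),
    Rule("pass", WIFI_NET, RFC1918),
]

# The same allow rule with "!" on the alias: it passes only NON-local destinations,
# the opposite of what a device that must stay off the internet needs.
WIFI_RULES_INVERTED = [Rule("pass", WIFI_NET, RFC1918, dst_not=True)]

if __name__ == "__main__":
    # 203.0.113.10 is a constructed public address from the documentation range.
    for dst in ("192.168.20.7", "192.168.30.1", "203.0.113.10"):
        print(dst, evaluate(WIFI_RULES, "192.168.10.5", dst))
```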

  • Hey.. thx for the picture. Great hint with the defined alias for the rfc1918 area.

    Let me get a bit off topic:
    I have some virtual machines on my ESXi. One of them is for indexing my documents and to provide a search engine,
    I was finally able to get searchdaimon running. Searchdaimon is unfortunately quite outdated and it seems
    that the devs are not working on this project anymore. The forum has been taken by bots.
    I don't know any powerful open source/lightweight alternative for this purpose.
    Even though I updated CentOS to 6.9 in the VM and tried to get a clean system, it will be a good thing to block any traffic to the 'WAN' (any) in this described way..
