Invert match doesn't work



  • Hi there here the "Invert match." doesn't seem work. I have reject rules on all subnets, then as a last rule there is a pass rule on IPv4* from this interface and subnet  to !LAN, so AFAIK it should go everywhere, but the LAN as access to all subnets is already blocked only the Internet (WAN) should remain? But as I enable this rule I can access devices in the LAN, the moment I disable this rule access is blocked???

    Thanks for any help, cheers Qinn


  • LAYER 8 Global Moderator

    you really need to post a screen shot of your rules if you want people to chim in on why they may or may not do what you want.



  • @johnpoz offcourse….btw is it maybe the 1st rule (default rule) on the LAN for port 22/80/443 that is the "culprit"?




  • I don't see any inverted rules in your screenshot.



  • btw is it maybe the 1st rule (default rule) on the LAN for port 22/80/443 that is the "culprit"?

    That first rule, the Anti-Lockout Rule, is there to make sure you don't do something dumb and literally lock yourself out of the GUI or SSH.  That's all.


  • LAYER 8 Global Moderator

    Nope don't see any ! or inverted rules..



  • you are both right ofcourse, I only thought that if this default rule is there it will always allow access to the LAN, whatever rule you than create in any other subnet.

    So here is the rule set for the WLAN subnet



  • LAYER 8 Global Moderator

    so your wlan net would allow anything that is NOT lan net.

    I use the same sort rules and have no issues with them.. Derelict would suggest you just change that to a specific block/reject that you put above your allow any..  And this is cleaner way to look at rules.. But the ! lan net should work… I use them on all my vlans that I block access to any of my other vlans with a ! rfc1918 alias I created.. So this allows access to internet but blocks all access to any of my other vlans which are all in rfc1918 space.

    Keep in mind states could still be active that would allow traffic, and if your using vips there were some issues with ! rules I do believe..

    If your concerned with the ! rule, just put a block/reject rule above it that specifically blocks access to lan net.

    Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated as traffic enters an interface.

    Do you have anything in floating that might allow the traffic before the wlan rules are even evaluated?



  • Thanks for all your time, well this rule should block access to the LAN, Yet here, it doesn't. I have removed the inverted rule to the LAN and access to the LAN subnet was gone.  Then I added a block tot the LAN added 6 allow WLAN to anywhere for port 80-443-21-25-110-143
    I have no idea why this inverted rule doesn't do it's work any more. As I hate things I do not understand, can I check if the GUI makes the acquired chances to the pf firewall rules using the CLI?


  • LAYER 8 Global Moderator

    states might of been active when you put in a rule that blocks you have to kill any active states.



  • I understand that, but after I disabled the inverted rule, I could not access the webgui of a managed switch (as example) the moment I enabled it, I could  :o


  • LAYER 8 Global Moderator

    managed switch where?  That rules says you can go anywhere you want as long as not lan net which is what nat network?  you have a bunch of other networks there..

    So if say network of lan was 192.168.1.0/24 that rule says you can go anywhere you want as long as dest is not 192.168.1.0/24… It could be some downstream network that you get to via lan net even, etc.  Maybe you are running vip with different layer 3 on lan net... Have seen lots of people think its ok to run multiple layer 3 on the same layer 2..

    If you were running say 192.168.2/24 on your lan network that would of be allowed since lan net just expands to the network you have on your lan interface nothing more.



  • @johnpoz:

    rfc1918 alias I created.. So this allows access to internet but blocks all access to any of my other vlans which are all in rfc1918 space.

    Could you give an example of this? I have 7 VLAN's and it's a lot of work to block everyone manually?

    Cheers Qinn



  • Create an alias.
    Add the subnets
    192.168/16
    172.16/12
    10/8
    Call the alias RFC1918


  • LAYER 8 Global Moderator

    ^yup that is what I have exactly




  • Thanks to you both!!

    Could you show me an example how to in the rules?

    Cheers Qinn



  • @johnpoz:

    ^yup that is what I have exactly

    I now have this, I have only allowed port 53 on the gateway, this seems enough. Maybe a stupid question, but why don't it need an open port on dhcp, orto rephrase that why does it get an IP address?



  • LAYER 8 Global Moderator

    When you enable dhcp server, pfsense creates rules that are not shown in the gui.  There are a few rules like this.

    Here is the thing if they didn't auto create the dhcp rules - every other day there would be a question about dhcp not working.. Did you create the firewall rules, lets see them because 999.99999 out of 100 you did it wrong ;)

    If you are wanting to block guests to all things yours.  Is your wan public or rfc1918?  Since your guest could hit your gui via the wan IP coming from the "lan" side like they are..  This is the good use of "this firewall" built in alias.  This is any IP the firewall has.

    I personally would allow ping to the pfsense address, so you can validate your guest can talk to pfsense.. And you sure you want guest to only have tcp outbound?  So you don't want them to be able to ping anything out on the internet or use udp?



  • @johnpoz:

    When you enable dhcp server, pfsense creates rules that are not shown in the gui.  There are a few rules like this.

    Here is the thing if they didn't auto create the dhcp rules - every other day there would be a question about dhcp not working.. Did you create the firewall rules, lets see them because 999.99999 out of 100 you did it wrong ;)

    If you are wanting to block guests to all things yours.  Is your wan public or rfc1918?  Since your guest could hit your gui via the wan IP coming from the "lan" side like they are..  This is the good use of "this firewall" built in alias.  This is any IP the firewall has.

    I personally would allow ping to the pfsense address, so you can validate your guest can talk to pfsense.. And you sure you want guest to only have tcp outbound?  So you don't want them to be able to ping anything out on the internet or use udp?

    Aha, I did not know that about port 67 (DHCP), it seems logic.

    I don't understand what you mean here  "Is your wan public or rfc1918?" could you explain a bit more? Although, I don't understand it Yet, I think I have added that rule, I choose a reject or would you advise a block?



  • LAYER 8 Global Moderator

    "Is your wan public or rfc1918?" could you explain a bit more?"

    Huh?  How is it you just created a alias for rfc1918 space but you do not know what it is?

    If your wan starts with 10.x or 172.16-31.x or 192.168.x then its rfc1918 and your alias rule would block all access.  If it was public say 62.14.45.x then your rule would not block it and your allow on the bottom would users hit your wan IP, ie the gui or ssh etc. from this network.

    Rules are evaluated at they enter a interface, top down first rule to trigger wins, no other rules are evaluated.  So while default on wan is deny - that is when your coming from the WAN direction towards pfsense.  If your behind pfsense you can hit that IP all day long on any service listening on it.  This is where the "this firewall" rule alias comes in handy.  For example maybe you want opt1 net to go to your lan net to get to stuff.  But you don't want opt1 net to be able to get to the web gui on the lan IP..


  • LAYER 8 Netgate

    That rule will not block access to the internet even if the WAN is RFC1918-addressed. It would block access to the things on WAN net like the ISP gateway in that case.



  • @johnpoz:

    "Is your wan public or rfc1918?" could you explain a bit more?"

    Huh?  How is it you just created a alias for rfc1918 space but you do not know what it is?

    Well I know what RFC1918 means (private subnets), but I don't understand that a WAN could be part of that? To my best of my knowledge, WAN always means not private subnet. So I hope you can provide me with an practical example so I can understand it.

    I also still don't understand that my xDSL modem has a RFC1980 address and is accessible as it is on the WAN side, but it works.

    LAN–--------------WAN---------------xDSLModem (Draytek 130 in PPPoA to PPPoE bridge mode)
    192.168.1.x      83.161.x.x          192.168.100.1



  • @Derelict:

    That rule will not block access to the internet even if the WAN is RFC1918-addressed. It would block access to the things on WAN net like the ISP gateway in that case.

    Hmmm, trying to grasp that one…



  • That rule will only block packets that has a destination matching a RFC1918 address.
    The internet is "everything but RFC1918" , so no destination match.

    Rules matches an (end) destination.

    /Bingo


  • LAYER 8 Global Moderator

    "WAN always means not private subnet"

    Wan is just something that is not local to you - ie the internet is a wan, your wan side connection to the internet is just your transit network to networks other than your local networks.

    There are many reasons why your wan IP could be rfc1918.. your ISP is doing carrier grade nat.  Your behind your isp router that does not allow bridge mode and so your behind a double nat.  Pfsense is just a downstream router in a larger network, etc..

    My point was if you don't want users on that network to be able to get to web gui, you would need to block your wan IP if it was public - if your wan was rfc1918 then your rule would block that access as well.

    Seems users have a real problem with what a wan actually is - all your wan network is the transit network to networks that are not your..  Putting rules like blocking access or allowing access to wan net is just that that actual network be it some rfc1918 because your behind a nat router or carrier grade nat or be a public segment that can route on the network and is just some segment off the ISP network, etc.



  • @bingo600:

    That rule will only block packets that has a destination matching a RFC1918 address.
    The internet is "everything but RFC1918" , so no destination match.

    Rules matches an (end) destination.

    /Bingo

    Thanks!



  • @johnpoz:

    "WAN always means not private subnet"

    Wan is just something that is not local to you - ie the internet is a wan, your wan side connection to the internet is just your transit network to networks other than your local networks.

    There are many reasons why your wan IP could be rfc1918.. your ISP is doing carrier grade nat.  Your behind your isp router that does not allow bridge mode and so your behind a double nat.  Pfsense is just a downstream router in a larger network, etc..

    My point was if you don't want users on that network to be able to get to web gui, you would need to block your wan IP if it was public - if your wan was rfc1918 then your rule would block that access as well.

    Seems users have a real problem with what a wan actually is - all your wan network is the transit network to networks that are not your..  Putting rules like blocking access or allowing access to wan net is just that that actual network be it some rfc1918 because your behind a nat router or carrier grade nat or be a public segment that can route on the network and is just some segment off the ISP network, etc.

    Thanks, for explaining it!

    What I also would like to know is, why does anyone who only wants to, lets say guests, give access to the internet, do it like, block everything and as a last rule grant access to everywhere.

    Why not, as in pfSense by default everything is blocked (apart from port 67 DHCP), only grant access to the internet?


  • LAYER 8 Global Moderator

    Huh??  Any firewall out there the default is always deny.. Unless your talking some off the shelf router designed for users on 1 flat network and pretty much all it does is NAT.

    Out of the box this is how pfsense will act for the 1st network "lan" buy creating a any any rule.  But if you create new networks you would have to put in the rules you want.  But the internet is made up of lots of networks.. As stated pretty much any IP that does not fall to rfc1918 is internet.. Other than some other special networks and the few that have not been assigned, etc.  But in general if not rfc1918 space its the "internet"

    There are many protocols on the internet not just tcp, udp and icmp..  You never know what exactly a client behind pfsense will need to go and do.. So if you want to allow internet its general you create a any any rule.  You can always limit that how you see fit.

    How exactly would you create dest that was "internet"??  It really could be anything.



  • In the rules I have (see attachment), with the last rule, I grant the guests to access anything anywhere, so at that point, I throw out the default rule that everything is blocked. IMHO it would be better, when there is a default rule that block you to go anywhere, not to through this away at the last rule.

    @johnpoz:

    Huh??  Any firewall out there the default is always deny.. Unless your talking some off the shelf router designed for users on 1 flat network and pretty much all it does is NAT.

    Out of the box this is how pfsense will act for the 1st network "lan" buy creating a any any rule.  But if you create new networks you would have to put in the rules you want.  But the internet is made up of lots of networks..As stated pretty much any IP that does not fall to rfc1918 is internet.. Other than some other special networks and the few that have not been assigned, etc.  But in general if not rfc1918 space its the "internet"

    There are many protocols on the internet not just tcp, udp and icmp..  You never know what exactly a client behind pfsense will need to go and do.. So if you want to allow internet its general you create a any any rule.  You can always limit that how you see fit.

    How exactly would you create dest that was "internet"??  It really could be anything.

    Maybe it's stupid qeustion, but to me it would seem logical that if I would create a pass rule from Guest net to WAN net, it would give internet access to the guests. Than one rule would be enough, as everything else will be blocked by the default rule.




  • @Qinn:

    In the rules I have (see attachment), with the last rule, I grant the guests to access anything anywhere, so at that point, I throw out the default rule that everything is blocked. IMHO it would be better, when there is a default rule that block you to go anywhere, not to through this away at the last rule.

    @johnpoz:

    Huh??  Any firewall out there the default is always deny.. Unless your talking some off the shelf router designed for users on 1 flat network and pretty much all it does is NAT.

    Out of the box this is how pfsense will act for the 1st network "lan" buy creating a any any rule.  But if you create new networks you would have to put in the rules you want.  But the internet is made up of lots of networks..As stated pretty much any IP that does not fall to rfc1918 is internet.. Other than some other special networks and the few that have not been assigned, etc.  But in general if not rfc1918 space its the "internet"

    There are many protocols on the internet not just tcp, udp and icmp..  You never know what exactly a client behind pfsense will need to go and do.. So if you want to allow internet its general you create a any any rule.  You can always limit that how you see fit.

    How exactly would you create dest that was "internet"??  It really could be anything.

    Maybe it's stupid qeustion, but to me it would seem logical that if I would create a pass rule from Guest net to WAN net, it would give internet access to the guests. Than one rule would be enough, as everything else will be blocked by the default rule.

    The guest net is the network attached to the guest interface.
    The WAN net is the network attached to the WAN interface.
    –> Not the internet.



  • @GruensFroeschli:

    The guest net is the network attached to the guest interface.
    The WAN net is the network attached to the WAN interface.
    –> Not the internet.

    –-> Not the internet :o , do you mean the ISP and where is it (meaning the internet) then connected to?



  • The internet is mostly the inverse of RFC1918:
    All subnets which are not private.
    There are some other special cases like RFC3927 (169.254/16)
    Take a look at https://en.wikipedia.org/wiki/IPv4#Special-use_addresses.

    When you create a rule with as destination "WAN net" then it means exactly that:
    The network between you and your ISP.
    Generally not what you want.

    When you mean "the internet", you usually mean "any".



  • The WAN network is the directly connected network segment that is reachable from the WAN interface via ARP (hosts that are in the same broadcast domain talk to each other with the assistance of ARP), that's the simplest way to put it. In other words connections to that network segment from the WAN interface on pfSense can be done without the assistance of the gateway (the default gateway of pfSense) on the WAN network.

    You have to grasp what a connection means in internet terms. It's simply one or more IP packets sent from sending host to a destination address and the destination address in the IP packets (also source address if desired) is what pfSense uses for filtering. What is used as the transport (routers etc.) between the sending host and the destination address doesn't matter for the firewall rules, that information is not available for filtering on pfSense, all filtering is done based on the information available in the IP headers of the IP packets flowing trough the filtering engine.



  • Aha, thanks to you both for explaining that to me, the concept WAN not being Internet was never clear to me.



  • Back on topic, I still don't understand what is wrong (as I can't believe inverted rule are broken).
    I added my rule set on the WLAN interface and have logging enabled first with the inverted rule enabled and the log file that confirms a user passing from WLAN to LAN (192.168.5.46 to 192.168.1.1), which I do not understand and to the best of my knowledge should be possible with the inverted rule enabled.
    Then just as a check I disable the inverted rule and as you can see access to the LAN is blocked?

    Again thanks for any help advise on this,

    Cheers Qinn

    ![01-inverted rule enabled.png](/public/imported_attachments/1/01-inverted rule enabled.png)
    ![01-inverted rule enabled.png_thumb](/public/imported_attachments/1/01-inverted rule enabled.png_thumb)
    ![02-inverted rule detail.png](/public/imported_attachments/1/02-inverted rule detail.png)
    ![02-inverted rule detail.png_thumb](/public/imported_attachments/1/02-inverted rule detail.png_thumb)
    ![03 -inverted rule enabled log.png](/public/imported_attachments/1/03 -inverted rule enabled log.png)
    ![03 -inverted rule enabled log.png_thumb](/public/imported_attachments/1/03 -inverted rule enabled log.png_thumb)
    ![04 -inverted rule disabled .png](/public/imported_attachments/1/04 -inverted rule disabled .png)
    ![04 -inverted rule disabled .png_thumb](/public/imported_attachments/1/04 -inverted rule disabled .png_thumb)
    ![05 -inverted rule disabled log.png](/public/imported_attachments/1/05 -inverted rule disabled log.png)
    ![05 -inverted rule disabled log.png_thumb](/public/imported_attachments/1/05 -inverted rule disabled log.png_thumb)


  • LAYER 8 Netgate

    OK do this.

    Replace that ! rule on WLAN with two rules:

    One that blocks traffic from WLAN Net to LAN net

    Followed by:

    One that passes traffic from LAN WLAN net to any.

    Does it work now?



  • @Derelict:

    OK do this.

    Replace that ! rule on WLAN with two rules:

    One that blocks traffic from WLAN Net to LAN net

    Followed by:

    One that passes traffic from LAN net to any.

    Does it work now?

    I think that were you wrote the pass from LAN, you meant it WLAN instead…
    Well I did that any it works as it should, reading from the logs. To the best of my knowledge you replaced the inverted rule by 2 seperate rules and this works  :o

    ![06 WLAN rules.png](/public/imported_attachments/1/06 WLAN rules.png)
    ![06 WLAN rules.png_thumb](/public/imported_attachments/1/06 WLAN rules.png_thumb)
    ![07 WLAN log.png_thumb](/public/imported_attachments/1/07 WLAN log.png_thumb)
    ![07 WLAN log.png](/public/imported_attachments/1/07 WLAN log.png)


  • LAYER 8 Global Moderator

    What is the actual lan net?  Lets see how you have that setup.. And what is the actual address of lan?

    Please post all you rules with this command.

    https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

    So you have any vips setup?



  • Thanks johnpoz, I will report back asap (later this evening).


  • LAYER 8 Global Moderator

    Here.. My wlan is secured wifi network.  With a few wired hosts on it.. To get on the wireless you have to have a cert it uses eap-tls to auth.  Anyhow - so its a trusted network and I allow it do anything it wants so any any rule.

    So the wlan network is 192.168.2/24 with pfsense being 192.168.2.253
    Lan is 192.168.9/24 with pfsense having 192.168.9.253

    So on a client on the wlan network you can see 192.168.2.11, with first set of rules I can ping pfsense lan IP at 192.168.9.253

    I then change the any any rule to be ! lan net, as you can then see from 2nd ping that I can not get there with 11 lost packets when I try and ping.  So clearly you got something ODD going on there there.. A listing of your full rules when you have the ! lan net rule in play will help us track down what that oddness is.  Do you have any vips setup on wlan or lan?  Are you doing policy routing anywhere?  Do you have the disable neg rules set in advanced (firewall&nat)

    Disable Negate rules
    Disable Negate rule on policy routing rules With Multi-WAN it is generally desired to ensure traffic reaches directly connected networks and VPN networks when using policy routing. This can be disabled for special purposes but it requires manually creating rules for these networks.



Log in to reply