Floating Rules - Interface, Direction and Source/Destination



  • Question about a floating rule and Interface group.

    I have two OPT interfaces for corp WAN links, which I've added under an Interface Group called IG_CORP_WAN. There is no NAT here, it's just routed.

    For now, I want to:

    1. Allow the firewall from any of its interface IPs, to talk outbound over IG_CORP_WAN to hosts on the corp WAN subnets.
    2. Allow hosts on the corp WAN to talk inbound to the firewall and all its interface IPs, over IG_CORP_WAN.

    Can I do this with just one floating rule, or do I have to keep the two that I have specified at the moment?

    Rule 1:
    Dir: Out
    Int: IG_CORP_WAN
    Source: This Firewall.
    Destination: Any (no routes other than corp wan subnets pointed out this interface).

    Rule 2:
    Dir: In
    Int: IG_CORP_WAN
    Source: Alias (Corp WAN subnets)
    Destination: This Firewall.

    I was wondering if/how I could use a floating rule with a direction of 'any' to achieve the above in one rule?

    Cheers


  • Netgate

    No. Traffic is passed as it enters an interface.

    There is no reason to use floating rules here.

    Make an interface group for all of your internal interfaces too.

    Then on the interface group tabs for the WANs and LANs place a pass any any any rule.

    Or make a floating rule, select all interfaces, direction in, and pass any any any.

    It sounds like you have traffic passing into the firewall from LAN sources based on interface rules on those. If that is the case you only need the rules on the WAN to also pass traffic for connections flowing inbound from there.



  • Thanks Derelict. My tinkering led me to the same conclusion. The only other thing to watch here is the nature of the 'reply-to' (or more specifically the absence thereof) and how that can bite one in the ass.

    A further question you might be able to help with that is currently doing my head in:

    If you have multiple interfaces, split across two separate interface groups (IG_1, IG_2) and want to allow IPv6 multicast (site-local, organisation-local) in and out both IGs when the source is from either:

    1. An IPv6 unicast address that is within a subnet of an interface that is a member of either of the IGs, or,
    2. Any of the well known IPv6 addresses (fe80::/16 etc)

    How would you go about doing it?

    Specifically, I want to allow that traffic in and out the interface groups, but not allow it to leak out to other IGs or interfaces, and likewise, not allow multicast to leak in from other IGs or interfaces?

    This might be simple, but I've fried my brain trying to work out the clearest approach to solving it...

    Cheers