Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Floating Rules - Interface, Direction and Source/Destination

    Firewalling
    2
    3
    323
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      SimpleOne last edited by

      Question about a floating rule and Interface group.

      I have two OPT interfaces for corp WAN links, which I've added under an Interface Group called IG_CORP_WAN. There is no NAT here, it's just routed.

      For now, I want to:

      1. Allow the firewall from any of it's interface IP's, to talk outbound over IG_CORP_WAN to hosts on the corp WAN subnets.
      2. Allow hosts on the corp WAN to talk inbound to the firewall and all it's interface IP's, over IG_CORP_WAN.

      Can I do this with just one floating rule, or do I have to keep the two that I have specified at the moment?

      Rule 1:
      Dir: Out
      Int: IG_CORP_WAN
      Source: This Firewall.
      Destination: Any (no routes other than corp wan subnets pointed out this interface).

      Rule 2:
      Dir: In
      Int: IG_CORP_WAN
      Source: Alias (Corp WAN subnets)
      Destination: This Firewall.

      I was wondering if/how I could use a floating rule with a direction of 'any' to achieve the above in one rule?

      Cheers

      1 Reply Last reply Reply Quote 0
      • Derelict
        Derelict LAYER 8 Netgate last edited by

        No. Traffic is passed as it enters an interface.

        There is no reason to use floating rules here.

        Make an interface group for all of your internal interfaces too.

        Then on the interface group tabs for the WANs and LANs place a pass any any any rule.

        Or make a floating rule, select all interfaces, direction in, and pass any any any.

        It sounds like you have traffic passing into the firewall from LAN sources based on interface rules on those. If that is the case you only need the rules on the WAN to also pass traffic for connections flowing inbound from there.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • S
          SimpleOne last edited by

          Thanks Derelict. My tinkering led me to the same conclusion. The only other thing to watch here is the nature of the 'reply-to' (or more specifically the absence thereof) and how that can bite one in the ass.

          A further question you might be able to help with that is currently doing my head in:

          If you have multiple interfaces, split across two separate interface groups (IG_1, IG_2) and want to allow IPv6 multicast (site-local, organisation-local) in and out both IG's when the source is from either:

          1. An IPv6 unicast address that within a subnet of an interface that is a memeber of eithe of the IG's, or,
          2. Any of the well known IPv6 addresses (fe80::/16 etc)
            How would you go about doing it?

          Specifically, I want to allow that traffic in and out the interface groups, but not allow it to leak out to other IG's or interfaces, and likewise, not allow multicast to leak in from other IG's or interfaces?

          This might be simple, but I've fried my brain trying to work out the clearest approach to solving it...

          Cheers

          1 Reply Last reply Reply Quote 0
          • First post
            Last post

          Products

          • Platform Overview
          • TNSR
          • pfSense
          • Appliances

          Services

          • Training
          • Professional Services

          Support

          • Subscription Plans
          • Contact Support
          • Product Lifecycle
          • Documentation

          News

          • Media Coverage
          • Press
          • Events

          Resources

          • Blog
          • FAQ
          • Find a Partner
          • Resource Library
          • Security Information

          Company

          • About Us
          • Careers
          • Partners
          • Contact Us
          • Legal
          Our Mission

          We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

          Subscribe to our Newsletter

          Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

          © 2021 Rubicon Communications, LLC | Privacy Policy