Netgate Discussion Forum

    Floating Rules - Interface, Direction and Source/Destination

    Firewalling
    3 Posts 2 Posters 540 Views
    • SimpleOne

      Question about a floating rule and Interface group.

      I have two OPT interfaces for corp WAN links, which I've added under an Interface Group called IG_CORP_WAN. There is no NAT here, it's just routed.

      For now, I want to:

      1. Allow the firewall from any of its interface IPs, to talk outbound over IG_CORP_WAN to hosts on the corp WAN subnets.
      2. Allow hosts on the corp WAN to talk inbound to the firewall and all its interface IPs, over IG_CORP_WAN.

      Can I do this with just one floating rule, or do I have to keep the two that I have specified at the moment?

      Rule 1:
      Dir: Out
      Int: IG_CORP_WAN
      Source: This Firewall.
      Destination: Any (no routes other than corp wan subnets pointed out this interface).

      Rule 2:
      Dir: In
      Int: IG_CORP_WAN
      Source: Alias (Corp WAN subnets)
      Destination: This Firewall.

      I was wondering if/how I could use a floating rule with a direction of 'any' to achieve the above in one rule?

      Cheers

      • Derelict (LAYER 8, Netgate)

        No. Traffic is passed as it enters an interface.

        There is no reason to use floating rules here.

        Make an interface group for all of your internal interfaces too.

        Then on the interface group tabs for the WANs and LANs place a pass any any any rule.

        Or make a floating rule, select all interfaces, direction in, and pass any any any.

        It sounds like you have traffic passing into the firewall from LAN sources based on interface rules on those. If that is the case you only need the rules on the WAN to also pass traffic for connections flowing inbound from there.


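As an added illustration (not code from this thread and not pfSense's own code), a small Python model of first-match rule evaluation run over the two rules in the question, showing why a direction "any" rule keeping "This Firewall" on one side cannot cover both flows. Interface names, addresses and the alias contents are constructed; stateful reply handling is not modelled.

```python
import ipaddress

# Constructed lab layout: two OPT interfaces in the IG_CORP_WAN group,
# the firewall's own interface IPs, and an alias of the corp WAN subnets.
GROUPS = {"IG_CORP_WAN": {"opt1", "opt2"}}
FW_IPS = {ipaddress.ip_address("10.1.0.1"), ipaddress.ip_address("10.2.0.1"),
          ipaddress.ip_address("192.168.1.1")}
ALIASES = {"CORP_WAN_SUBNETS": [ipaddress.ip_network("10.1.0.0/24"),
                                ipaddress.ip_network("10.2.0.0/24")]}

def addr_matches(spec, ip):
    """spec is 'any', 'this_firewall' or the name of an alias."""
    if spec == "any":
        return True
    if spec == "this_firewall":
        return ip in FW_IPS
    return any(ip in net for net in ALIASES[spec])

def rule_matches(rule, pkt):
    """pkt records the interface the packet is seen on, its direction there, src and dst."""
    ifaces = GROUPS.get(rule["iface"], {rule["iface"]})   # group name or single interface
    if pkt["iface"] not in ifaces:
        return False
    if rule["dir"] not in ("any", pkt["dir"]):
        return False
    return addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])

def first_match(rules, pkt):
    """Floating 'quick' semantics: the first matching rule decides; None if nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["name"]
    return None

def mk(name, iface, direction, src, dst):
    return {"name": name, "iface": iface, "dir": direction, "src": src, "dst": dst}

def pkt(iface, direction, src, dst):
    return {"iface": iface, "dir": direction,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}

# The two rules from the question, and a candidate single direction-"any" rule.
OP_RULES = [mk("rule1_out", "IG_CORP_WAN", "out", "this_firewall", "any"),
            mk("rule2_in", "IG_CORP_WAN", "in", "CORP_WAN_SUBNETS", "this_firewall")]
MERGED = [mk("merged_any", "IG_CORP_WAN", "any", "this_firewall", "this_firewall")]

FW_TO_CORP = pkt("opt1", "out", "10.1.0.1", "10.1.0.50")      # firewall -> corp host, leaving opt1
CORP_TO_FW = pkt("opt1", "in", "10.1.0.50", "10.1.0.1")       # corp host -> firewall, entering opt1
LAN_TO_CORP = pkt("opt2", "out", "192.168.1.20", "10.2.0.50")  # routed LAN host, leaving opt2
```

The merged rule matches neither flow because each flow has a non-firewall address on one side; covering both in one rule means widening source and destination, which is what the "pass any any any" on the interface group tab does.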
        • SimpleOne

          Thanks Derelict. My tinkering led me to the same conclusion. The only other thing to watch here is the nature of the 'reply-to' (or more specifically the absence thereof) and how that can bite one in the ass.

          A further question you might be able to help with that is currently doing my head in:

          If you have multiple interfaces, split across two separate interface groups (IG_1, IG_2) and want to allow IPv6 multicast (site-local, organisation-local) in and out both IG's when the source is from either:

          1. An IPv6 unicast address that is within a subnet of an interface that is a member of either of the IG's, or,
          2. Any of the well known IPv6 addresses (fe80::/16 etc)

          How would you go about doing it?

          Specifically, I want to allow that traffic in and out the interface groups, but not allow it to leak out to other IG's or interfaces, and likewise, not allow multicast to leak in from other IG's or interfaces?

          This might be simple, but I've fried my brain trying to work out the clearest approach to solving it...

          Cheers

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.