Netgate Discussion Forum

    Difference between "ANY" & "Interface Net" as source

    Category: Firewalling
    4 Posts, 3 Posters, 819 Views
    imcdona (last edited by imcdona):

      What is the difference between choosing "ANY" vs "LAN net" as the source when configuring a firewall rule on the LAN interface?

      The manual states:

      any - 0.0.0.0 to 255.255.255.255, or all IPv6 addresses

      LAN net - The subnet configured on the LAN interface under Interfaces > LAN. On pfSense 2.2+, this also

      According to the above statements from the manual, choosing "ANY" vs "Interface Address" will get you the same result if your intent is to specify all hosts. When might one choose one over the other? Is there a best practice?

    Babiz, replying to @imcdona:

        @imcdona thank you for this question. 🦌
        Well, you can test it yourself and see whether anything interesting happens that is worth reporting!
        So, please first run a test session with the default pfSense configuration loaded, and at the end of the first round of tests, please go to:
        Firewall / NAT / Outbound and switch the outbound NAT mode from Auto to Manual Outbound NAT rule generation.
        (AON - Advanced Outbound NAT) Disable auto rule generation, save the new configuration and reboot to run a new test session with auto rule generation disabled.

        Thanks for your time 😎

    Derelict (LAYER 8, Netgate):

          Any is just that. Any address.

          It is generally best practice to only allow traffic into your firewall that should be allowed in.

          There is generally no reason to allow traffic into LAN that is not sourced from an address on LAN Network.

          When you get into allowing traffic in from downstream routers the traffic you need to pass into an interface can expand.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

    imcdona, replying to @Derelict:
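Derelict's point above, as an added example that is not from this thread or from pfSense's own code: a small Python model of how the source selector of an interface rule decides whether a packet is matched. The LAN subnet (192.168.1.0/24) and the downstream subnet behind a router on the LAN (10.10.0.0/24) are constructed values, and the rule sets are deliberately minimal; real pfSense rule sets also carry destination, protocol and port selectors, and "LAN net" is expanded from the interface's configured subnet when the rules are loaded.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the subnet configured under Interfaces > LAN, and a
# second network that sits behind a downstream router on the LAN.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DOWNSTREAM_NET = ipaddress.ip_network("10.10.0.0/24")


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    sources: tuple   # ip_network objects; an empty tuple models source "any"

    def matches(self, src: str) -> bool:
        """True if the packet's source address is covered by this rule's source selector."""
        addr = ipaddress.ip_address(src)
        if not self.sources:
            return True  # "any": 0.0.0.0-255.255.255.255 or all IPv6 addresses
        # ip_network containment is version-aware, so an IPv6 source never
        # matches an IPv4 "LAN net" entry.
        return any(addr in net for net in self.sources)


def first_match(rules, src: str) -> str:
    """Interface rules are evaluated top-down and the first match wins;
    a packet that matches nothing falls through to the default deny."""
    for rule in rules:
        if rule.matches(src):
            return rule.action
    return "block"


# Three ways of writing "pass in on LAN" for the same intent.
ANY_RULES = [Rule("pass", ())]                          # source: any
LAN_NET_RULES = [Rule("pass", (LAN_NET,))]              # source: LAN net
EXPANDED_RULES = [Rule("pass", (LAN_NET, DOWNSTREAM_NET))]  # LAN net + downstream alias


def evaluate(src: str) -> dict:
    """Return the verdict of each rule set for a packet arriving on LAN from `src`."""
    return {
        "any": first_match(ANY_RULES, src),
        "lan_net": first_match(LAN_NET_RULES, src),
        "lan_net_plus_downstream": first_match(EXPANDED_RULES, src),
    }


if __name__ == "__main__":
    for src in ("192.168.1.50", "10.10.0.7", "203.0.113.9"):
        print(src, evaluate(src))
```

A host directly on LAN passes under all three rule sets. A host behind the downstream router is passed by "any" but dropped by "LAN net", which is the case Derelict describes: once routed networks sit behind an interface, the source selector has to grow (here to an alias holding both subnets) rather than being relaxed to "any". A source that belongs on neither network, such as a spoofed or misconfigured address, is only stopped by the rule sets that name their sources.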

            @derelict said in Difference between "ANY" & "Interface Net" as source:

            When you get into allowing traffic in from downstream routers the traffic you need to pass into an interface can expand.

            Brain fart...Duh! 🤦 I suppose I got sidetracked when I interpreted "Lan net" to mean "anything behind the lan interface" as opposed to the networks directly attached to the LAN interface.

            Thanks for that clarification.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.