Netgate Discussion Forum
    LAN net (macro) as Source vs specifying any (*) as Source in a rule

    Category: Firewalling
    5 Posts, 4 Posters, 562 Views
    • moelassus

      Could someone help me understand the functional difference of creating a Firewall rule on an interface and setting the Source as "LAN net" vs just leaving the source field as Any (*)?

      Thanks!

        • stephenw10 (Netgate Administrator)

          It will only match traffic sourced from the LAN subnet.

          Usually that would be the only traffic you see if the rule is on the LAN interface, but if you have other subnets routed via a gateway on the LAN, traffic from them would not match.
          It's good practice to use firewall rules that are not unnecessarily open. So if you are passing traffic on the LAN, you probably want to use source LAN net to prevent unexpected/incorrect traffic from being passed.

          Steve

          • moelassus @stephenw10

            @stephenw10 Thanks that helps clear up that question.

            • jimp (Rebel Alliance Developer, Netgate)

              It is even more critical when you have rules with a gateway set. If you allow from a source of * and have a gateway set, it's possible to accidentally cause pf to forward broadcast traffic, which could cause a network traffic loop.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

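The two answers above (LAN net matching only the LAN subnet, and a source of * combined with a gateway catching traffic it should not) can be illustrated with a small first-match simulation of the Source field. This is an added example, not code from the thread or from pfSense; the LAN interface, the downstream router, the addresses and the packets are all constructed for the example, and the pf lines in the comments are just the shape these rules take, not pfSense's generated ruleset.

```python
"""Simulate how the Source field of a pfSense-style LAN rule decides which
packets match, and what a gateway on the rule does to the matched traffic.

Constructed assumptions: the LAN interface is 192.168.1.1/24, a router at
192.168.1.254 on the LAN fronts a downstream subnet 10.10.0.0/24, and the
WAN gateway is 203.0.113.1. Destinations use documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

LAN_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Rule:
    label: str
    # "any" corresponds to Source = * ; a network corresponds to Source = LAN net
    source: Union[str, ipaddress.IPv4Network]
    # Gateway set on the rule (policy routing); None means normal routing
    gateway: Optional[str] = None


@dataclass
class Packet:
    name: str
    src: str
    dst: str


def source_matches(rule: Rule, pkt: Packet) -> bool:
    """True if the rule's Source field covers the packet's source address."""
    if rule.source == "any":
        return True
    return ipaddress.ip_address(pkt.src) in rule.source


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[str], str]:
    """First matching rule wins (pfSense rules are 'quick' by default).
    Returns (label of the matching rule or None, where the packet goes)."""
    for rule in rules:
        if source_matches(rule, pkt):
            return rule.label, rule.gateway or "routing table"
    return None, "default deny"


# Three LAN rulesets, each a single pass rule on the LAN interface:
#   pass in quick on em1 from 192.168.1.0/24 to any                  (LAN net)
#   pass in quick on em1 from any to any                             (*)
#   pass in quick on em1 route-to (em0 203.0.113.1) from any to any  (* + gateway)
RULESETS: Dict[str, List[Rule]] = {
    "source LAN net": [Rule("pass from LAN net", LAN_NET)],
    "source *": [Rule("pass from *", "any")],
    "source * + gateway": [Rule("pass from * via gateway", "any", "203.0.113.1")],
}

# Constructed packets arriving on the LAN interface
SAMPLES: List[Packet] = [
    Packet("LAN host", "192.168.1.50", "198.51.100.10"),
    # Host on the downstream subnet, reaching the LAN via the router at .254
    Packet("downstream host", "10.10.0.25", "198.51.100.10"),
    # Unconfigured host broadcasting (source 0.0.0.0 is outside LAN net)
    Packet("unconfigured host", "0.0.0.0", "255.255.255.255"),
]


def summarize() -> Dict[str, Dict[str, Tuple[Optional[str], str]]]:
    """Evaluate every sample packet against every ruleset."""
    return {
        name: {pkt.name: evaluate(rules, pkt) for pkt in SAMPLES}
        for name, rules in RULESETS.items()
    }


if __name__ == "__main__":
    for name, results in summarize().items():
        print(f"== {name} ==")
        for pkt_name, (label, next_hop) in results.items():
            print(f"  {pkt_name:18} -> {label or 'no match':25} ({next_hop})")
```

Running it shows the point of both answers: with Source = LAN net only the 192.168.1.50 packet passes and the other two fall through to the default deny, whereas Source = * passes all three, and once a gateway is added the * rule also hands the 0.0.0.0-sourced broadcast to 203.0.113.1 instead of leaving it to normal routing.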
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.