GUI Diagnostics Ping not blocking



  • Hello, I created a firewall rule to block all traffic from LAN2 to LAN1. When I use computers on LAN2 they indeed get ping timeouts and cannot reach HTTP on LAN1, but when I use the Web GUI's Diagnostics -> Ping feature to ping a specific IP on LAN1 with the LAN2 interface as the source, the pings work and do not time out. Why is that?



  • The firewall rule is applied to incoming packets on the particular interface, but not to packets from pfSense itself.
    I.e., the ping option is not meant for testing rules.



  • The documentation for example says:

    Source Address: The IP address from which the ping will be sent. This is especially important when testing LAN-to-LAN VPN connectivity.

    Therefore I don't see how this is different from trying to test block rules?



  • https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html?highlight=firewall rule basics
    Check out the very first sentence.

    Pings from the pfSense itself do not enter an interface.

    The source address is part of every IP packet. The source address may be set to the LAN address or whatever, but the ping comes from pfSense itself and doesn't enter an interface.
    That function is meant for diagnosing network problems, not for testing firewall rules.
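
    The point made in the thread, shown as a pf ruleset fragment. This is an added illustration, not part of the original posts or of pfSense's own generated rules; the interface names and subnets are assumed placeholders.

```pf
# Added illustration (not from the thread or from pfSense's generated ruleset):
# how pf's rule direction decides which packets a "block" rule ever sees.
# Interface names and subnets below are assumed placeholders.
lan1_if  = "igb1"
lan2_if  = "igb2"
lan1_net = "192.168.1.0/24"
lan2_net = "192.168.2.0/24"

# The LAN2 -> LAN1 block rule from the first post, in pf terms. It is an "in"
# rule on LAN2: it is evaluated only for packets *entering* the firewall on
# that interface. A host on LAN2 pinging or browsing to LAN1 hits it and is
# dropped, which matches what the poster observed from LAN2 computers.
block in quick on $lan2_if inet from $lan2_net to $lan1_net

# A Diagnostics -> Ping run from the GUI is generated by pfSense itself. That
# packet never enters LAN2, so the rule above is never evaluated for it, even
# when the LAN2 address is chosen as the source. The only ruleset it passes is
# the "out" direction on the interface it leaves through (LAN1), where the
# default rules pfSense generates allow traffic originating from the firewall.
# This is why the GUI ping succeeds while LAN2 hosts time out.

# If traffic sourced by the firewall itself also has to be blocked, a rule in
# the "out" direction on the egress interface is what matches it (in the
# pfSense GUI this corresponds to a floating rule with Direction set to out):
block out quick on $lan1_if inet from $lan2_net to $lan1_net
```

    To actually exercise the interface block rule, run the ping from a host on LAN2 (or capture on LAN2 with Diagnostics -> Packet Capture while doing so) rather than from the firewall's own Diagnostics -> Ping page.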

