Netgate Discussion Forum
    Which incoming and outgoing addresses can occur on an pfSense-interface (gateway)?

    Firewalling
    5 Posts 3 Posters 391 Views

    • louis2

      Hello,

      I am not sure about the exact definitions and behavior of certain FW fields. However, exact knowledge is important to define the FW 😊
      Assume we have an interface “LAN-A”

      • that LAN-A is responsible for an IPv4 range, e.g. 192.168.1.0/24
      • and an IPv6 range 2001:4860:4860:1256:: with prefix length 64

      Incoming packets
      I assume that IP-packages related to those two ranges are forwarded from the pfSense kernel towards that interface, as long as they are not blocked by floating rules.

      So no other addresses are forwarded to that LAN. However, I think there are two exceptions:

      • multicast traffic passing from other LANs or eventually the internet, by means of site-local, organization-local or global routing, or by means of a daemon like IGMP-proxy or pimd
      • traffic forced to be handled by the (WAN) gateway by using the gateway field in the FW rule
        As far as I know there is no other traffic which can arrive on the LAN.

      Outgoing packets
      LAN outgoing packages can have four sources, I think 😊

      • the IPv4 and IPv6 addresses present on the LAN
        o those will normally be the ranges “LAN-A” is responsible for
      • other IP addresses present on the LAN, which could be:
        o a fixed IP address from another range
        o an automatically assigned address not matching the IPv4 range or IPv6 prefix. As an example, Windows systems without an IP address automatically assign themselves a 169.254.0.0/16 address
      • an address forwarded from another LAN/WAN by using the gateway field
      • virtual IP? (never looked at that)

      So these are the addresses which you should/could filter via the FW source field (I normally use "LAN net", assuming there should not be other addresses).

      FW-source-field
      Let's have a closer look at that FW source field.
      The default is “*”, which means “every address is accepted”; other options are:

      • a specific address
      • a specific address-range
      • a couple of addresses by means of an alias
      • “LAN net”, which IMHO equals the IPv4 network and IPv6 prefix as assigned to the LAN interface
      • “LAN address”, which IMHO equals the gateway address(es), IPv4 and IPv6, for this LAN

      Given that, …. I was quite surprised (!) to see a FW-log entry with a source address not in line with my expectation of “outgoing addresses” as explained above ☹

      This is what I saw in the FW logs, and it made me write this “blog”. It seems that I do not understand the behaviour well enough.

      I noticed lines with “Interface-A”, “Rule-B”, “source-address-C”, where that source address does not exist at all in the given (V)LAN/subnet.

      So I hope anyone can explain that? And/or can improve my descriptions above?

      Thanks,

      Louis

      • JKnott @louis2
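      To make the categories from the first post concrete, here is an added Python check (not code from this thread or from pfSense) that takes filter-log lines, classifies each source address against what “LAN net” and “LAN address” would match for that interface, and flags link-local, multicast, unspecified and foreign sources, which are exactly the cases that look "impossible" in the log. The interface name igb1.10, its configured prefixes (taken from the first post), its gateway addresses and the sample log lines are all constructed for the example; the only layout the parser assumes is the pfSense filterlog CSV prefix (rule-number, sub-rule, anchor, tracker, real-interface, reason, action, direction, ip-version), and it locates the addresses by parsing rather than by fixed column.

```python
"""Flag pfSense filter-log entries whose source address is outside what the
interface's 'LAN net' / 'LAN address' rule macros would describe."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed interface configuration (assumption: igb1.10 carries LAN-A from
# the thread; prefixes are the ones in the first post, gateways are made up).
INTERFACES = {
    "igb1.10": {
        "nets": [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("2001:4860:4860:1256::/64")],
        "addresses": [ipaddress.ip_address("192.168.1.1"),
                      ipaddress.ip_address("2001:4860:4860:1256::1")],
    },
}


def classify_source(iface: str, src: str) -> str:
    """Map a source address to the firewall's notion of where it belongs."""
    addr = ipaddress.ip_address(src)
    cfg = INTERFACES.get(iface)
    if cfg:
        if addr in cfg["addresses"]:      # what "LAN address" expands to
            return "LAN address"
        if any(addr in net for net in cfg["nets"]):  # what "LAN net" expands to
            return "LAN net"
    if addr.is_unspecified:               # 0.0.0.0 / :: (DHCP discover, DAD)
        return "unspecified"
    if addr.is_link_local:                # 169.254.0.0/16 (APIPA), fe80::/10
        return "link-local"
    if addr.is_multicast:                 # 224.0.0.0/4, ff00::/8
        return "multicast"
    return "foreign"                      # not a host this segment should own


_CSV_RE = re.compile(r"filterlog\[\d+\]:\s*(.*)$")


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """Extract interface, action, direction, source and destination.

    The CSV after 'filterlog[pid]:' begins with rule-number, sub-rule, anchor,
    tracker, real-interface, reason, action, direction, ip-version.  The v4 and
    v6 layouts put the addresses at different offsets, so the first two later
    tokens that parse as IP addresses are taken as source and destination.
    """
    m = _CSV_RE.search(line)
    if not m:
        return None
    fields = m.group(1).split(",")
    if len(fields) < 9:
        return None
    ips: List[str] = []
    for tok in fields[9:]:
        try:
            ipaddress.ip_address(tok)
        except ValueError:
            continue
        ips.append(tok)
        if len(ips) == 2:
            break
    if len(ips) < 2:
        return None
    return {"iface": fields[4], "action": fields[6], "direction": fields[7],
            "src": ips[0], "dst": ips[1]}


def audit(lines: List[str]) -> List[Dict[str, str]]:
    """Return inbound entries whose source is not covered by LAN net/address."""
    findings = []
    for line in lines:
        entry = parse_filterlog(line)
        if not entry or entry["direction"] != "in":
            continue
        entry["class"] = classify_source(entry["iface"], entry["src"])
        if entry["class"] not in ("LAN net", "LAN address"):
            findings.append(entry)
    return findings


# Constructed sample log lines (filterlog-style, values invented).
SAMPLE_LINES = [
    "Sep 10 10:00:01 fw filterlog[2077]: 5,,,1000000103,igb1.10,match,pass,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.1.50,93.184.216.34,51234,443,0,S",
    "Sep 10 10:00:02 fw filterlog[2077]: 9,,,1000000110,igb1.10,match,block,in,4,0x0,,128,2,0,none,17,udp,78,169.254.12.7,192.168.1.255,137,137,58",
    "Sep 10 10:00:03 fw filterlog[2077]: 5,,,1000000103,igb1.10,match,pass,in,6,0x00,,64,tcp,6,60,2001:4860:4860:1256:1a2b::10,2606:4700:4700::1111,51235,443,0,S",
    "Sep 10 10:00:04 fw filterlog[2077]: 9,,,1000000110,igb1.10,match,block,in,6,0x00,,255,ipv6-icmp,58,32,fe80::1c2d:3e4f:5a6b:7c8d,ff02::1,",
    "Sep 10 10:00:05 fw filterlog[2077]: 9,,,1000000110,igb1.10,match,block,in,4,0x0,,64,7,0,none,6,tcp,60,10.20.30.40,192.168.1.1,40000,22,0,S",
    "Sep 10 10:00:06 fw filterlog[2077]: 5,,,1000000103,igb1.10,match,pass,out,4,0x0,,63,8,0,DF,6,tcp,60,8.8.8.8,192.168.1.50,53,51236,0,SA",
]


def audit_sample() -> List[Dict[str, str]]:
    return audit(SAMPLE_LINES)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['iface']} {f['action']} src={f['src']} -> {f['dst']}  [{f['class']}]")
```

      Run against a real log the "link-local" hits are the Npcap/APIPA and fe80:: cases, "multicast" covers the IGMP/PIM traffic, and only "foreign" is worth a closer look; the point is that a block rule with source "LAN net" will log all of these, because the macro describes the configured prefixes, not everything a segment can carry.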

        @louis2 said in Which incoming and outgoing addresses can occur on an pfSense-interface (gateway)?:

        that LAN-A is responsible for a IPV6 range e.g. 192.168.1.0/24

        I trust that's a typo and you meant IPv4.

        As for your questions, consider IPv4 and IPv6 to be completely independent. One has nothing to do with the other. That reduces your source choices to LAN side and WAN side for either.

        Also, what do you mean by "packages"? Packets perhaps?

        If you have a DHCP server, you should never see an address in the 169.254.0.0 /16 range.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • louis2

          Hello,

          You are right of course in relation to the typos. I did correct them.
          In regard to "If you have a DHCP server, you should never see an address in the 169.254.0.0 /16 range":

          Yes, that should be the case ….., however:

          • IPv4: I am using Wireshark, and that uses an Npcap Loopback Adapter, and I guess that automatically gets an address in 169.254.0.0/16 (of course I do not allow that range to pass the LAN gateway)
          • IPv6: there is an interworking problem between pfSense unbound and Windows 10. For that reason Windows does not take the address of the DHCP/RA server (stateless DHCP), but generates its own address. Very annoying, even more so if you want to filter on a static mapping / predefined IP.

          Sincerely,

          Louis

          • Derelict LAYER 8 Netgate

            Any interface can receive packets with any source or destination IP addresses at any time. All it has to be is received with the interface MAC address as the destination in the layer 2 frame (or a broadcast, multicast, etc.).

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • louis2 @Derelict

              @Derelict

              Derelict, thanks for the reply.

              To begin with, I made a mistake. The address seen in the logs is a valid level-2 address. So normally I would not have started this topic.

              Nevertheless, since I was thinking about this subject, I was wondering if there could be any non-physical “ip-object” which could be added / occur on the interface, added by the pfSense router or firewall software or packages like avahi, igmp-proxy, pimd, etc. (I am desperately trying to get multicast working across VLANs; pimd helps perhaps, igmp-proxy not).

              That is in addition to the GW/interface as bound to a physical interface, or in my case a VLAN on a physical interface or lagg. Of course the gateway sees everything passing by on that interface as a stream towards the firewall, I understand.

              And next to that upstream there is the downstream, what is sent from the FW-router towards that particular GW and from there towards the “physical” interface.

              Louis
