Which incoming and outgoing addresses can occur on a pfSense interface (gateway)?
I am not sure about the exact definitions and behavior of certain FW fields. However, exact knowledge is important to define the FW.
Assume we have an interface “LAN-A”
- that LAN-A is responsible for an IPv4 range, e.g. 192.168.1.0/24
- and an IPv6 range 2001:4860:4860:1256:: prefix 64
I assume that IP-packages related to those two ranges are forwarded from the pfSense kernel towards that interface, as long as they are not blocked by floating rules.
So no other addresses are forwarded to that LAN. However, I think there are two exceptions:
- multicast traffic passing from other LANs or eventually the internet, by means of site-local, organization-local or global routing, or by means of a daemon like igmp-proxy or pimd
- traffic forced to be handled by the (WAN) gateway by using the gateway field in the FW rule
As far as I know there is no other traffic which can arrive on the LAN.
LAN outgoing packages can have four sources, I think:
- the IPV4 and IPV6 addresses present on the LAN
  - those will normally be the ranges "LAN-A" is responsible for
- other IP addresses present on the LAN, which could be:
  - for example a fixed IP address from other ranges
  - an automatically assigned address not matching the IPv4 range or IPv6 prefix. For example, Windows systems without an IP address automatically assign themselves a 169.254.0.0/16 address
- an address forwarded from another LAN/WAN by using the gateway field
- virtual IP? (never looked at that)
So these are the addresses which you should/could filter via the FW source field (I normally use "LAN net", assuming there should not be other addresses).
Let's have a closer look at that FW source field.
The default is "*", which means "every address is accepted". Other options are:
- a specific address
- a specific address-range
- a couple of addresses by means of an alias
- "LAN net", which IMHO equals the IPv4 network and IPv6 prefix as assigned to the LAN interface
- "LAN address", which IMHO equals the gateway address(es), IPv4 and IPv6, for this LAN
Given that, …. I was quite surprised (!) to see an FW log entry with a source address not in line with my expectation of "outgoing addresses" as explained above.
What I saw in the FW logs made me write this "blog". It seems that I do not understand the behaviour well enough.
I noticed lines with "Interface-A", "Rule-B", "source-address-C", where that source address does not exist at all in the given (V)LAN/subnet.
So I hope anyone can explain that? And/or can improve my descriptions above?
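An added check that is not part of this thread: it applies the expectations listed in the post above (source on the LAN side must be in "LAN net" or self-assigned link-local; traffic sent towards the LAN must be addressed to "LAN net" or to multicast) to log entries and reports anything else. The interface name, networks and the simplified `iface,direction,src,dst` line format are constructed for the example and are not the real pfSense filterlog format.

```python
import ipaddress

# Constructed "LAN net" for one interface: IPv4 range + IPv6 prefix
# (the hypothetical values from the post above).
LAN_NET = {"LAN-A": [ipaddress.ip_network("192.168.1.0/24"),
                     ipaddress.ip_network("2001:4860:4860:1256::/64")]}
# Self-assigned addresses that can appear as LAN sources without a lease.
LINK_LOCAL = [ipaddress.ip_network("169.254.0.0/16"), ipaddress.ip_network("fe80::/10")]
# Multicast: the post's exception for traffic delivered towards the LAN.
MULTICAST = [ipaddress.ip_network("224.0.0.0/4"), ipaddress.ip_network("ff00::/8")]

def in_any(addr, nets):
    # membership in a network of the other IP version is simply False
    return any(addr in n for n in nets)

def classify(iface, direction, src, dst):
    """'in'  = received on the interface from the LAN: judge the source.
       'out' = sent by the firewall towards the LAN: judge the destination."""
    nets = LAN_NET[iface]
    if direction == "in":
        s = ipaddress.ip_address(src)
        if in_any(s, nets):
            return "lan-net"
        if in_any(s, LINK_LOCAL):
            return "link-local"
        return "unexpected-source"
    d = ipaddress.ip_address(dst)
    if in_any(d, nets) or in_any(d, MULTICAST):
        return "expected"
    return "unexpected-destination"

def audit(lines):
    """Return (line, label) for every entry that is not plain LAN-net traffic."""
    findings = []
    for line in lines:
        iface, direction, src, dst = line.strip().split(",")
        label = classify(iface, direction, src, dst)
        if label not in ("lan-net", "expected"):
            findings.append((line.strip(), label))
    return findings

SAMPLE_LOG = [  # constructed; not real pfSense filterlog output
    "LAN-A,in,192.168.1.20,8.8.8.8",
    "LAN-A,in,169.254.17.5,192.168.1.1",
    "LAN-A,in,10.9.8.7,192.168.1.1",
    "LAN-A,in,2001:4860:4860:1256::1a,2001:4860:4860::8888",
    "LAN-A,out,203.0.113.9,224.0.0.251",
    "LAN-A,out,198.51.100.4,192.168.2.33",
]
```

Running `audit(SAMPLE_LOG)` flags the link-local source, the 10.9.8.7 source that is not in LAN net, and the outbound packet addressed to a host outside the LAN; the rest is what "LAN net" already covers.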
JKnott
that LAN-A is responsible for a IPV6 range e.g. 192.168.1.0/24
I trust that's a typo and you meant IPv4.
As for your questions, consider IPv4 and IPv6 to be completely independent. One has nothing to do with the other. That reduces your source choices to LAN side and WAN side for either.
Also, what do you mean by "packages"? Packets perhaps?
If you have a DHCP server, you should never see an address in the 169.254.0.0 /16 range.
You are right of course in relation to the typos. I did correct them.
In regard to "If you have a DHCP server, you should never see an address in the 169.254.0.0 /16 range":
Yes, that should be ….., however:
- IPv4: I am using Wireshark, and that uses an Npcap Loopback Adapter, which I guess automatically gets an address in 169.254.0.0/16 (of course I do not allow that range to pass the LAN gateway).
- IPv6: there is an interworking problem between pfSense unbound and Windows 10. For that reason Windows does not take the address from the DHCP/RA server (stateless DHCP), but generates its own address. Very annoying, the more so if you want to filter on a static mapping / predefined IP.
Any interface can receive packets with any source or destination IP addresses at any time. All that is required is that it is received with the interface MAC address as the destination in the layer 2 frame (or a broadcast, multicast, etc.).
Derelict, thanks for the reply.
To begin with, I made a mistake. The address seen in the logs is a valid level-2 address. So normally I would not have started this topic.
Nevertheless, since I was thinking about this subject, I was wondering if there could be any non-physical "IP object" which could be added to / occur on the interface, added by the pfSense router or firewall software or packages like avahi, igmp-proxy, pimd, etc. (I am desperately trying to get multicast working across VLANs; pimd helps perhaps, igmp-proxy does not.)
That is in addition to the GW/interface as bound to a physical interface, or in my case a VLAN on a physical interface or LAGG. Of course the gateway sees everything passing by on that interface as a stream towards the firewall, I understand.
And next to that upstream there is the downstream: what is sent from the FW router towards that particular GW and from there towards the "physical" interface.