Having trouble with LAN block/reject rules - End game is to be able to block internet traffic for these devices by toggling on rule.



  • I am unable to block internet traffic with the LAN firewall rules I have created, regardless of whether the rule is set to "reject" or "block". I can verify that the devices are getting the correct IP addresses. When I toggle/enable one of these rules, internet traffic continues for the device, even after I reset the states table as well.
    At one point, when I first set up this device, I was able to verify that a couple of the rules were working. The only additional changes I made since this was working are: disabling IPv6 (System > Advanced > Networking > uncheck "Allow IPv6 Traffic") and disabling DHCPv6 Relay (Services > DHCPv6 Relay).

    Do I need to remove these rules and recreate them as "floating rules" for this to work? My end game is to be able to disable internet traffic on these devices on the fly by toggling the rule to enabled. I am including screenshots below of how I have set up these rules; I have edited the screenshots to remove some of my family members' names:


  • Rebel Alliance



  • @ptt
    Thanks. After reading through these again, setting these rules as floating rules appears to have resolved the issue for me.


  • LAYER 8 Global Moderator

    @TupleButter said in Having trouble with LAN block/reject rules - End game is to be able to block internet traffic for these devices by toggling on rule.:

    When I toggle/enable one of these rules internet traffic continues for the device even after I reset the states table as well.

    And where did you put them? Rules are evaluated top down; the first rule to trigger wins. If you put them below the default any-any, they would never trigger.

    If you want help with rules - Post a picture..



  • @johnpoz
    Sorry johnpoz, I pulled the screenshots after reading back through the provided links, as previously suggested... And you are correct, they were below the default LAN any-any... Recreating them as floating is working.


  • LAYER 8 Global Moderator

    While placing rules on floating is a method of getting them evaluated before the rules on an interface, it's almost always better to put them actually on the interface, so it's easier to see exactly what is going on while looking at the interface.

    Otherwise you might be like "why is this not working?" when you have a rule on floating blocking it or allowing it, etc.
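
    The two points above (rules are evaluated top down with the first match winning, and floating rules are evaluated before the interface tab) can be checked with a small simulator. This is an added example and not code from the thread or from pfSense; the rule set, the host 192.168.1.50 and the outside address are constructed, and it assumes pf's documented semantics: interface-tab rules are always "quick", a floating rule is only "quick" when that option is set, a non-quick match is overridden by any later match, and nothing matching means the default deny applies.

```python
"""Simulate pf(4)/pfSense rule evaluation order (added example, constructed rule set).

Semantics assumed, mirroring pfSense:
  * floating rules are evaluated before the rules on the interface tab,
  * interface-tab rules are always 'quick' (first match wins),
  * a floating rule without 'quick' can be overridden by a later matching rule,
  * if nothing matches, the default policy is block.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str          # "pass", "block" or "reject"
    iface: str           # "floating" or an interface name such as "LAN"
    src: str             # CIDR / single address, or "any"
    dst: str             # CIDR / single address, or "any"
    quick: bool = True   # interface-tab rules are always quick in pfSense
    descr: str = ""


def _covers(net: str, addr: str) -> bool:
    """True if `addr` falls inside `net` ('any' matches everything)."""
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def matches(rule: Rule, iface: str, src: str, dst: str) -> bool:
    if rule.iface != "floating" and rule.iface != iface:
        return False
    return _covers(rule.src, src) and _covers(rule.dst, dst)


def evaluate(rules: List[Rule], iface: str, src: str, dst: str) -> str:
    """Action applied to a new connection entering `iface` from src to dst."""
    # pf loads floating rules ahead of the per-interface rules.
    ordered = [r for r in rules if r.iface == "floating"] + [r for r in rules if r.iface == iface]
    winner: Optional[Rule] = None
    for r in ordered:
        if matches(r, iface, src, dst):
            winner = r
            if r.quick:
                break          # first matching quick rule wins
            # non-quick: keep going, a later match overrides this one
    return winner.action if winner else "block"   # default deny


# Constructed addresses: a LAN, one host to cut off, and "somewhere on the internet".
LAN_NET = "192.168.1.0/24"
KID = "192.168.1.50"
INTERNET = "203.0.113.10"   # TEST-NET-3 address, stands in for any public host

default_allow = Rule("pass", "LAN", LAN_NET, "any", descr="Default allow LAN to any")
block_kid = Rule("block", "LAN", KID, "any", descr="Block kid's tablet")


def scenarios() -> dict:
    return {
        # The poster's mistake: the block rule sits *below* the default any-any.
        "block below default allow": evaluate([default_allow, block_kid], "LAN", KID, INTERNET),
        # The same rule moved above the default allow on the LAN tab.
        "block above default allow": evaluate([block_kid, default_allow], "LAN", KID, INTERNET),
        # Floating rule with Quick set: evaluated before the LAN tab, so it wins too.
        "floating quick block": evaluate(
            [Rule("block", "floating", KID, "any", quick=True), default_allow], "LAN", KID, INTERNET),
        # Floating rule *without* Quick: the later quick pass rule on LAN overrides it.
        "floating non-quick block": evaluate(
            [Rule("block", "floating", KID, "any", quick=False), default_allow], "LAN", KID, INTERNET),
        # Other LAN hosts are unaffected by the block either way.
        "other host, block above": evaluate([block_kid, default_allow], "LAN", "192.168.1.51", INTERNET),
    }


if __name__ == "__main__":
    for name, action in scenarios().items():
        print(f"{name:28s} -> {action}")
```

    The "floating non-quick block" case is the one worth remembering: a floating rule is evaluated first, but unless Quick is checked it only sets a provisional result that the interface's own (always quick) pass rule then overrides, which is exactly the kind of surprise the advice to keep rules on the interface tab is meant to avoid.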



  • @johnpoz
    Thanks, I appreciate the heads up. As I create more rules in the future I will keep this in mind. For now I will use the separators to organize.


  • LAYER 8 Global Moderator

    Not sure what that has to do with it when the rules are not on the interface you would be looking at ;)

    It is very simple to put rules in order - there is really no reason to put them on floating. But whatever works for you - if you ever come asking for help and someone asks you to post your rules to help you... you need to be CLEAR that you also have floating rules and post those.


  • LAYER 8 Netgate

    cat /tmp/rules.debug


  • LAYER 8 Global Moderator

    Yeah that is easy to look at ;)



  • @johnpoz I know you are extremely knowledgeable about these devices and very active/helpful on this forum, so I wanted to stress that I did not mean for my response to come across as rude. I read through the Netgate KBs @ptt provided for me above and determined my mistake. I then deleted the screenshots I had included earlier, after I determined the issue. In the future, as I have an issue, I will be sure to continue to include my screenshots of the issue. Thanks again for your diligence on this!
    You are also correct in that I will not keep these as "floating" rules, but rather put them on the appropriate interfaces. I had never gone hands-on with pfSense prior to ordering these devices, but eventually, with more reading/doing, I will better know my way around the appliance. Thanks again for your patience with me on this!


  • LAYER 8 Global Moderator

    Don't be worried about being "rude" -- not to me at least... You can call me an idiot if you want, etc. Unlike many people on the internet who identify as 13 year old girls on their first period ;) my skin is a bit thicker than that.

    I would be more than happy to exchange F bombs if you so wished, etc. I spent 16 years in the Navy (6 active, 10 reserve)... I don't think it would be possible for me to take something as "rude". Now, you might piss me off... but take offense - prob not; think you're a "____", sure, ok... but still be happy to help you understand/fix a technical issue.

    So please also understand if I might sound blunt, or even rude - I am not meaning to be. I am the blunt/direct sort; I don't really like to play nicey nicey, worried about whether calling you an idiot will hurt your feelings ;) What I am trying to get you to do is understand that what you're doing is not correct - if you know what I mean.

    Now I do try and play nice, mostly because of the whole mod thing - might not look right going around calling users dip shits, etc. But if I did - it wouldn't be personal, the world is full of dip shits ;)

    But thanks - and rest assured I was in no way offended, nor do I think what you stated was rude. Play around with doing rules, and you will find that unless you have a really good reason, it's just simpler to keep them on the interface where they are being applied, so you can see them when you're creating other new rules for that interface, etc.

