Netgate Discussion Forum

Internet only accessible when rules has all interfaces

General pfSense Questions
3 Posts 2 Posters 809 Views
    markwill, Jan 10, 2020, 3:19 PM (last edited by markwill Jan 10, 2020, 3:24 PM)

    I have had pfSense up and running for a couple of weeks and am iteratively using more of its features. I have a question about firewall rules I hope someone can answer. Let me first validate an assumption I have here.

    As I understand the "out the box" configuration in a simple WAN/LAN install is...

    a) All incoming traffic from the WAN is blocked
    b) All outgoing traffic from the LAN is passed

    My setup has three interfaces - WAN, LAN and (let's call it...) OPT2. My assumption here is that when I set up the OPT2 interface, it will NOT pass outgoing (Internet-bound) traffic, by default. In this regard, it's different to the LAN interface, which will pass outbound Internet traffic, by default. As such, I need to create a rule for OPT2 to allow it to access the Internet.

    Is that correct? I am assuming so, because this leads to my main question.

    • If I try with no rules (for OPT2) I can't access the Internet, which is consistent with my assumption above
    • If I create a rule to allow ALL traffic from OPT2 to access ALL interfaces then I can access the Internet

    And here's the rub...if I specifically change that rule to only allow access to "WAN network" (as the destination), I am blocked. I want to narrow down my rules as much as I can (I don't like asterisks :)) but I am unable to access the Internet unless I set Destination to Any.

    What am I missing?

    Thank you.

    viragomann, Jan 10, 2020, 3:47 PM

      Yes, pfSense only passes traffic if there is a firewall rule allowing it.
      Only on LAN there is a default allow-any rule.

      "WAN net" is the network which is defined on the WAN interface, just as "LAN net" is only the LAN network. So "WAN net" is not "any" or the whole Internet, as you assumed.

      So yeah, you have to set the destination to "any" if you want to access anything on the Internet.
      If you want to prevent OPT2 clients from accessing LAN devices, add a block rule for the destination "LAN net" to OPT2 and put that rule at the top of the rule set. Or, more safely, add a block rule for the destination "RFC1918" (an alias containing all RFC 1918 networks). Since you should only use such networks internally, this rule will block access to any of your networks.

        markwill, Jan 10, 2020, 4:10 PM
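      The answer above hinges on two pfSense behaviours: an interface's rule list is evaluated top to bottom, first match wins, and anything not matched is dropped by the implicit default deny; and "WAN net" resolves to the subnet configured on the WAN interface, not to "everything reachable through WAN". The simulation below is an added example written for this page (not pfSense code) that models those two behaviours with the `ipaddress` module so the OP's three experiments and both of viragomann's suggested rule orderings can be compared side by side. The interface subnets (203.0.113.0/24 on WAN, 192.168.1.0/24 on LAN, 192.168.2.0/24 on OPT2) and the RFC1918 alias are constructed for the example; the thread gives no addresses.

```python
import ipaddress

# Constructed topology (assumption, not from the thread): WAN is a /24 handed
# out by the ISP, LAN and OPT2 are RFC 1918 /24s. "X net" in a pfSense rule
# resolves to exactly this subnet, nothing more.
INTERFACE_NETS = {
    "WAN net": ipaddress.ip_network("203.0.113.0/24"),
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "OPT2 net": ipaddress.ip_network("192.168.2.0/24"),
}

# pfSense does not ship this alias; it is the one viragomann suggests creating
# under Firewall > Aliases so a single rule covers every private range.
ALIASES = {
    "RFC1918": [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}


def resolve(spec):
    """Expand a rule's source/destination field into a list of networks."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec in INTERFACE_NETS:
        return [INTERFACE_NETS[spec]]
    if spec in ALIASES:
        return ALIASES[spec]
    return [ipaddress.ip_network(spec)]          # a literal CIDR


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation of one interface tab's rules, as pfSense does it.

    rules: list of (action, source_spec, destination_spec), top to bottom.
    Returns "pass" or "block"; an unmatched packet hits the implicit default deny.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_spec, dst_spec in rules:
        if any(src in n for n in resolve(src_spec)) and \
           any(dst in n for n in resolve(dst_spec)):
            return action
    return "block"                                # implicit default deny


# Rule sets for the OPT2 tab, as (action, source, destination).
NO_RULES = []                                                   # OP's first try
WAN_NET_ONLY = [("pass", "OPT2 net", "WAN net")]                # OP's "narrowed" rule
PASS_ANY = [("pass", "OPT2 net", "any")]                        # OP's working rule
BLOCK_LAN_THEN_ANY = [("block", "OPT2 net", "LAN net"),
                      ("pass", "OPT2 net", "any")]              # viragomann, option 1
BLOCK_RFC1918_THEN_ANY = [("block", "OPT2 net", "RFC1918"),
                          ("pass", "OPT2 net", "any")]          # viragomann, option 2
WRONG_ORDER = [("pass", "OPT2 net", "any"),
               ("block", "OPT2 net", "RFC1918")]                # block rule never reached


def verdicts(rules):
    """Verdicts for one OPT2 client talking to four representative destinations."""
    client = "192.168.2.50"                       # constructed OPT2 host
    return {
        "internet": evaluate(rules, client, "93.184.216.34"),       # public host
        "wan_subnet": evaluate(rules, client, "203.0.113.7"),       # ISP-side neighbour
        "lan": evaluate(rules, client, "192.168.1.10"),             # a LAN device
        "other_private": evaluate(rules, client, "10.0.0.5"),       # some other RFC 1918 host
    }


if __name__ == "__main__":
    for name, rules in [("no rules", NO_RULES), ("pass to WAN net", WAN_NET_ONLY),
                        ("pass to any", PASS_ANY), ("block LAN net, pass any", BLOCK_LAN_THEN_ANY),
                        ("block RFC1918, pass any", BLOCK_RFC1918_THEN_ANY),
                        ("pass any, then block RFC1918", WRONG_ORDER)]:
        print(f"{name:30s} {verdicts(rules)}")
```

Two things the output makes visible that the prose only states: with "pass to WAN net" the only destination that passes is a host inside the ISP-assigned subnet (the OP's "next hop" is in there, but the Internet behind it is not), and with the block rule placed below "pass to any" it never matches, so OPT2 reaches LAN anyway. One caveat worth adding for a real box: an RFC1918 block at the top of the OPT2 tab also blocks OPT2 clients from reaching the firewall's own OPT2 address, so if those clients use pfSense as their DNS resolver, put a pass rule for destination "OPT2 address" (or "This Firewall") on UDP/TCP 53 above the block rule; DHCP is not affected because pfSense adds its own rules for that when the DHCP server is enabled on the interface.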

        @viragomann said in Internet only accessible when rules has all interfaces:

        ti

        Slap on head - the penny just dropped for me! :)

        I was, for some reason, considering "WAN network" to imply the next step in the journey to the destination - give access to that and I'm all set. I guess, technically, all I was doing was providing access to any host in the same subnet as the IP address my ISP assigns to me :)

        Not sure what I was thinking but that makes complete sense now and I thank you.

        Mark

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.