Internet only accessible when rules has all interfaces

  • I have had pfSense up and running for a couple of weeks and have been iteratively using more of its features. I have a question about firewall rules I hope someone can answer. Let me first validate an assumption I have here.

    As I understand the "out the box" configuration in a simple WAN/LAN install is...

    a) All incoming traffic from the WAN is blocked
    b) All outgoing traffic from the LAN is passed

    My setup has three interfaces - WAN, LAN and (let's call it...) OPT2. My assumption here is that when I set up the OPT2 interface, it will NOT pass outgoing (Internet-bound) traffic, by default. In this regard, it's different to the LAN interface, which will pass outbound Internet traffic, by default. As such, I need to create a rule for OPT2 to allow it to access the Internet.

    Is that correct? I am assuming so, because this leads to my main question.

    . If I try with no rules (for OPT2) I can't access the Internet, which is consistent with my assumption above
    . If I create a rule to allow ALL traffic from OPT2 to access ALL interfaces then I can access the Internet

    And here's the rub...if I specifically change that rule to only allow access to "WAN network" (as the destination), I am blocked. I want to narrow down my rules as much as I can (I don't like asterisks :)) but I am unable to access the Internet unless I set Destination to Any.

    What am I missing?

    Thank you.

  • Yes, pfSense only passes traffic if there is a firewall rule allowing it.
    Only on LAN there is a default allow-any rule.

    "WAN net" is the network which is defined on the WAN interface. It's like "LAN net" is only the LAN network. So "WAN net" is not any or the whole Internet as you asserted.

    So yeah, you have to set the destination to "any" if you want to access anything on the Internet.
    If you want to prevent OPT2 clients from accessing LAN devices, add a block rule for the destination "LAN net" to OPT2 and put that rule at the top of the rule set. Or, to be safer, add a block rule for destination RFC1918 (an alias containing all RFC 1918 networks). Since you should only use such networks internally, this rule would block access to any of your networks.
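
The rule behaviour discussed above, as an added example that is not part of the original posts: a small first-match evaluator comparing the "WAN net" destination from the question with the block-RFC1918-then-pass-any rule set from the reply. All addresses and subnets are constructed for illustration (documentation and private ranges), and the evaluator is a simplified model, not pfSense code.

```python
import ipaddress

# Constructed addressing, not taken from the thread.
WAN_NET = ipaddress.ip_network("203.0.113.0/24")   # subnet configured on the WAN interface
OPT2_NET = ipaddress.ip_network("192.168.2.0/24")  # subnet configured on OPT2
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

def evaluate(rules, src, dst):
    """Rules are checked top-down and the first match wins.
    If nothing matches, the implicit default deny applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_nets, dst_nets in rules:
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return action
    return "block"

# Rule sets as they would sit on the OPT2 interface tab.
WAN_NET_ONLY = [("pass", [OPT2_NET], [WAN_NET])]   # the attempt from the question
ALLOW_ALL = [("pass", [OPT2_NET], ANY)]            # works, but also reaches LAN
ISOLATED = [                                       # the suggestion from the reply
    ("block", [OPT2_NET], RFC1918),                # must stay above the pass rule
    ("pass", [OPT2_NET], ANY),
]

def report(rules, client="192.168.2.50"):
    """Return the verdict for a few representative destinations."""
    targets = {
        "internet": "198.51.100.7",      # a host outside every local subnet
        "wan_subnet": "203.0.113.1",     # e.g. the ISP gateway inside "WAN net"
        "lan_host": "192.168.1.10",      # a device on LAN
        "firewall_opt2": "192.168.2.1",  # the firewall's own OPT2 address
    }
    return {name: evaluate(rules, client, ip) for name, ip in targets.items()}

if __name__ == "__main__":
    for label, rules in (("WAN net only", WAN_NET_ONLY),
                         ("allow all", ALLOW_ALL),
                         ("block RFC1918, pass any", ISOLATED)):
        print(f"{label:24} {report(rules)}")
```

The last row also shows that the RFC1918 block covers the firewall's own OPT2 address, so anything OPT2 clients use on the firewall itself (DNS, for example) needs its own pass rule placed above the block.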

  • @viragomann said in Internet only accessible when rules has all interfaces:


    Slap on head - the penny just dropped for me! :)

    I was, for some reason, considering "WAN network" to imply the next step in the journey to the destination - give access to that and I'm all set. I guess, technically, all I was doing was providing access to any host in the same subnet as the IP address my ISP assigns to me :)

    Not sure what I was thinking but that makes complete sense now and I thank you.

