Netgate Discussion Forum
    "Understanding" Problem with Firewall Ruleset

    bstanger wrote:

      Hello Community,

      I've got a problem with understanding the ruleset, I think.
      I've got the following scenario:

      LAN interface with various rules. Everything is working fine and as expected here.
      OPT1 interface. What I want here is that a client is able to reach the Internet with every port open, but NOT able to reach anything in LAN. So what I've got now (to get that working) is:

      OPT1 Rule 1: DENY  IPv4+6  OPT1 NET  *  LAN NET  *  *
      OPT1 Rule 2: ALLOW IPv4+6  OPT1 NET  *  *        *  *

      What I mean is: first I have to DENY everything from OPT1 to LAN, and then I allow everything again.

      Is that a good solution for what I want?
      Isn't it possible to get that working with one rule? I tried it with one rule like "allow traffic from OPT1 to WAN NET", but that didn't work.

      Can someone give me a hint here?

      Regards and thanks a lot,

      Benjamin

      viragomann wrote:

        "WAN net" is the network defined on the WAN interface, not the whole Internet, just as "LAN net" is only the LAN network.

        You can achieve what you want with only one rule if you know well what you are doing here; otherwise that's a bit dangerous:

        Set a PASS rule:
        IPv4+6
        source = OPT1 net
        destination: check "invert match" and select "LAN net"

        This allows traffic to anywhere but LAN network.

        bstanger wrote:

          Thank you a lot. That means it would be okay as it is?
          I just want to know the "best practice" for this case.

          viragomann wrote:

            I'm using rules like this one. For me it's the best practice. 😉

            viragomann wrote:

              One thing in addition:
              I've defined an alias including all RFC1918 subnets and use that alias in the rule instead of LAN net (or whatever) to allow access to anywhere but my internal network.
              So that rule stays safe even when I change a network or add one.

              However, this permits access to the pfSense interface address as well. So if you want your OPT device to use pfSense for DNS resolution, you have to add an additional rule to allow that. I do this with one floating rule with the Quick option checked, for all my internal interfaces together.

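The following is an added example, not code from the thread or from pfSense. It models pfSense's first-match evaluation of interface rules (pf "quick" semantics, implicit default deny, IPv4 only) and runs the rulesets discussed above against a few constructed packets: the poster's two-rule version (and the same two rules in the wrong order), the failed "allow to WAN net" attempt, viragomann's single invert-match rule against LAN net, and the RFC1918-alias variant with and without the extra DNS rule. All addresses are assumptions for illustration: LAN 192.168.1.0/24, OPT1 192.168.2.0/24 with pfSense at 192.168.2.1, WAN 203.0.113.0/24.

```python
"""Model of pfSense first-match rule evaluation for the OPT1 rulesets in this thread.

This is illustrative code, not pfSense's own ruleset compiler. Networks and hosts
below are assumptions chosen for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

Net = ipaddress.IPv4Network

# Assumed topology (not from the thread).
LAN_NET = Net("192.168.1.0/24")
OPT1_NET = Net("192.168.2.0/24")
WAN_NET = Net("203.0.113.0/24")            # the WAN interface's own subnet
OPT1_ADDR = Net("192.168.2.1/32")          # pfSense's address on OPT1
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]  # the alias


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    dst: List[Net]                    # destination networks; empty list = any
    dst_invert: bool = False          # pfSense "invert match" on the destination
    dport: Optional[int] = None       # None = any destination port
    src: List[Net] = field(default_factory=lambda: [OPT1_NET])

    def matches(self, s, d, port) -> bool:
        if not any(s in n for n in self.src):
            return False
        if self.dst:
            hit = any(d in n for n in self.dst)
            if hit == self.dst_invert:    # invert flips the sense of the match
                return False
        return self.dport is None or self.dport == port


def evaluate(rules: List[Rule], src: str, dst: str, dport: int = 443) -> str:
    """pfSense interface rules are first-match; no match falls to the default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(s, d, dport):
            return r.action
    return "block"


RULESETS = {
    # The poster's two rules: deny OPT1 -> LAN, then allow OPT1 -> anything.
    "two_rules": [Rule("block", [LAN_NET]), Rule("pass", [])],
    # Same two rules reversed: the pass rule matches first, the block never fires.
    "two_rules_wrong_order": [Rule("pass", []), Rule("block", [LAN_NET])],
    # The failed attempt: "WAN net" is only the WAN subnet, not the Internet.
    "wan_net_only": [Rule("pass", [WAN_NET])],
    # viragomann's single rule: pass to anything except LAN net (invert match).
    "invert_lan": [Rule("pass", [LAN_NET], dst_invert=True)],
    # Same idea with the RFC1918 alias: still safe after adding internal networks.
    "invert_rfc1918": [Rule("pass", RFC1918, dst_invert=True)],
    # ...plus the extra rule needed so the OPT1 client can use pfSense for DNS,
    # which the alias rule alone would block (192.168.2.1 is inside 192.168.0.0/16).
    "invert_rfc1918_dns": [
        Rule("pass", [OPT1_ADDR], dport=53),
        Rule("pass", RFC1918, dst_invert=True),
    ],
}

# Constructed sample traffic, all from an OPT1 client at 192.168.2.50.
TRAFFIC = {
    "internet": ("192.168.2.50", "1.1.1.1", 443),
    "lan_host": ("192.168.2.50", "192.168.1.10", 445),
    "new_internal_net": ("192.168.2.50", "10.0.0.5", 22),   # a subnet added later
    "pfsense_dns": ("192.168.2.50", "192.168.2.1", 53),
}


def matrix() -> dict:
    """Verdict of every ruleset for every sample packet."""
    return {name: {t: evaluate(rs, *pkt) for t, pkt in TRAFFIC.items()}
            for name, rs in RULESETS.items()}


if __name__ == "__main__":
    for name, results in matrix().items():
        print(f"{name:24s}", "  ".join(f"{t}={v}" for t, v in results.items()))
```

Running it shows why the order of the two-rule version matters, why "WAN net" blocks Internet traffic, that the invert-match rule against LAN net still lets OPT1 reach a 10.0.0.0/8 network added later while the RFC1918 alias does not, and that the alias version needs the additional port 53 rule before the OPT1 client can query pfSense itself.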
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.