"Unterstanding" Problem with Firewall Ruleset

  • Hello Community,

    i've got a Problem with understanding of Ruleset i think.
    I've got the following scenario:

    LAN Interface with different rules. Everything working fine and as expected here.
    OPT1 Interface. What i want here, is, that a client is able to reach the internet with every port open but NOT able to reach anything in LAN1. So what i've got now (to get that working) is:

    OPT1 Rule 1: DENY IPv4+6 OPT1 NET * LAN NET * *
    OPT2 Rule 2: ALLOW IPv4+6 OPT1 NET * * *

    What i mean is, first i have to DENY everything from OPT1 to LAN and then i say allow everyting again.

    Is that a good solution for what i want?
    Isn't it possible to get that working with one rule? I tried it with one rule like allow traffic from OPT1 to WAN NET but that didn't work.

    Can someone give me a hint here?

    Regards and thanks a lot,


  • "WAN net" is the network which is defined on the WAN interface, not the whole Internet. It's like "LAN net" is only the LAN network.

    You may do what you want to achieve by only one rule if you are well knowing what you do here, otherwise that's a bit dangerous:

    Set a PASS rule:
    source = OPT1 net
    destination: check "invert match" and select "LAN net"

    This allows traffic to anywhere but LAN network.

  • Thank you a lot, that means it would be okay like it is?
    I Just want to know "best practice" for this case.

  • I'm using rules like this one. For me it's the best practice. 😉

  • One thing in addition:
    I've defined an alias including all RFC1918 subnets and use that alias in the rule instead of LAN net or whatever to allow access to anywhere but my internal network.
    So that rule is safe even when I change a network or add one.

    However, this permits access to the pfSense interface address as well. So if you want your OPT device to use pfSense for DNS resolution you have to add an additional rule to allow that. I do this by one floating rule with Quick option checked for all my internal interfaces together.

Log in to reply