Firewall rule source address

  • Hello!

    I am writing a firewall rule for the LAN interface.
    When would I not use "LAN Net" as the source for that rule?

    I see many example LAN rules using "*" as the source.
    Is that the same as "LAN Net"?


  • Of course, it's not the same. "LAN net" is the network you've assigned to the LAN interface, while "*" means really any address.

    "LAN net" as source in a rule will fit in most cases, since the rule is for devices within the LAN network.
    However, there may be rare cases where you need any. For instance, if there is another router connected to the LAN which routes traffic from another subnet or from the internet to the pfSense LAN interface, meant for a device connected to a further pfSense interface. The source address of these packets will be out of the LAN net range.

  • Hello!

    I think I understand. I am not great with routing.

    If another router is connected to my LAN Net, wouldn't its WAN address have to be an address in my LAN Net, and any packet it sends through my LAN would then have a LAN Net address as its source address? If not, how would I reply or respond back to it?

    I guess my primary concern would be suppressing any packets that try to enter the LAN interface with a forged source address. I feel like one of the first rules for a LAN interface should be to drop/reject any packets that don't have a LAN Net source address (!LAN Net).

    Maybe that won't work.


  • LAYER 8 Global Moderator

    If your downstream router is doing NAT, then yes, its "wan" address would be in your LAN net and you would have no issues.

    In almost every case the source network is going to be the network's net, i.e. LAN, OPT, DMZ net, etc., whatever other networks you create.

    Where it's not the case would be when you have downstream router(s) and they are not doing NAT... But in this case it should be a transit interface in pfSense (no hosts actually on this network - or you could have asymmetrical routing issues). So your source would need to include whatever downstream networks you're routing to and from via this transit interface. Any would just be a lazy way to include all of them, etc.

    example: Say you had something like this


    In such a case, in your firewall rules for source you would want to include all of those downstream networks, so you could do an alias that contained them, or you could use a mask that included all of them, say 192.168.0/22, or just go easy with any.

    You could do this in 1 rule, or you could do it in multiple rules. And more than likely you would also want to include the transit network as well, 172.16.0/30 in this example.

    Another example might be if you're running a VIP on this interface that is not inside your network's IP range - but it is almost always a bad idea to run multiple L3 networks on the same L2.

    edit2: To your dropping !net - this would be taken care of by the default deny at the end (not shown). Any traffic that is not explicitly allowed by rules would automatically be dropped. Now if you want to do specific rejects, that is fine too - keep in mind that rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

    Also, use of ! rules or negate rules can be problematic - if, say, you're doing any sort of VIPs. It is normally better practice to use explicit rules vs ! sort of allow rules. But sure, they can be used depending on your needs. Just make sure you actually validate they are working how you think they should be working.
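As an added illustration, not from this thread or from pfSense itself, here is a small Python model of the rule evaluation the moderator describes (top down, first match wins, implicit default deny at the end). It uses constructed, assumed networks: 192.168.1.0/24 as "LAN net", 172.16.0.0/30 as the transit link, two downstream networks behind a non-NAT router, and a /22 summary mask, and compares a plain "LAN net" rule, an alias/mask rule for the transit case, and a "!LAN net" reject placed first.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (assumptions, not from the thread):
LAN_NET = ipaddress.ip_network("192.168.1.0/24")       # "LAN net" on pfSense
TRANSIT_NET = ipaddress.ip_network("172.16.0.0/30")    # link to the downstream router
DOWNSTREAM = [ipaddress.ip_network(n) for n in ("192.168.2.0/24", "192.168.3.0/24")]
SUMMARY_MASK = ipaddress.ip_network("192.168.0.0/22")  # one mask covering LAN + downstream

@dataclass
class Rule:
    action: str                 # "pass", "block" or "reject"
    sources: list               # networks the source must fall in (an alias = several)
    negate: bool = False        # "!" inverts the source match
    name: str = ""

def source_matches(rule, src):
    hit = any(src in net for net in rule.sources)
    return hit != rule.negate

def evaluate(rules, src_str):
    """pfSense-style evaluation: top down, first matching rule wins,
    and anything no rule passes hits the implicit default deny."""
    src = ipaddress.ip_address(src_str)
    for rule in rules:
        if source_matches(rule, src):
            return rule.action, rule.name
    return "block", "default deny"

# 1) The usual interface rule: only "LAN net" as source.
LAN_ONLY = [Rule("pass", [LAN_NET], name="allow LAN net")]

# 2) Transit interface behind a non-NAT downstream router: alias of downstream nets + transit.
TRANSIT_ALIAS = [Rule("pass", DOWNSTREAM + [TRANSIT_NET], name="allow downstream alias + transit")]

# 3) Same intent with a single summary mask instead of an alias.
TRANSIT_MASK = [Rule("pass", [SUMMARY_MASK, TRANSIT_NET], name="allow /22 + transit")]

# 4) A "!LAN net" reject placed first, then the allow; shows how a negate rule
#    catches any second L3 network (e.g. a VIP range) that shares the same L2.
NEGATED = [
    Rule("reject", [LAN_NET], negate=True, name="reject !LAN net"),
    Rule("pass", [LAN_NET], name="allow LAN net"),
]

if __name__ == "__main__":
    print(evaluate(LAN_ONLY, "192.168.2.10"))       # downstream host: default deny
    print(evaluate(TRANSIT_ALIAS, "192.168.2.10"))  # same host: passed via the alias
```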
