Netgate Discussion Forum

    firewall rule not being applied

Category: L2/Switching/VLANs
mrjoli021:

Hello,

I have a router that has network 10.21.30.0/24. My pfSense has two physical interfaces, WAN (public IP) and LAN.
My LAN is a trunk port to my internal network. My native VLAN is VLAN 30, which is in the 10.21.30.0/24 network.
I have two other networks:
10.21.20.0/24 VLAN 20
10.21.21.0/24 VLAN 21

I don't want any networks talking to each other, especially from the firewall to the router. So both VLAN 20 and 21 should be isolated, with only access to the internet.

pfSense has the following private IPs assigned to it:
10.21.30.10
10.21.20.1
10.21.21.1

I am able to ping from the 10.21.20.0 network to the host 10.21.30.3. When I do a tcpdump I see the pings coming from 10.21.30.10.

1. Not really sure why pfSense is sending traffic out that interface when the only GW on the firewall is the WAN; all other interfaces do not have a GW.
2. When I apply the rule below I am still able to ping the host.
   On the interface associated with VLAN 20 I have: block source 10.21.20.0/24 any 10.21.30.0/24
3. I apply the changes and save them.

Any idea what I am doing wrong?

dotdash @mrjoli021:

@mrjoli021 said in firewall rule not being applied:

    I am able to ping from the 10.21.20.0 network to the host 10.21.30.3. When I do a tcpdump I see the pings coming from 10.21.30.10.

    1. Not really sure why pfSense is sending traffic out that interface when the only GW on the firewall is the WAN; all other interfaces do not have a GW.
    2. When I apply the rule below I am still able to ping the host.
       On the interface associated with VLAN 20 I have: block source 10.21.20.0/24 any 10.21.30.0/24

1. You don't need a route for a directly connected interface.
2. Is the rule specifying protocol icmp or any? Is the rule at the top of the list on the interface? Did you clear states before testing the ping again?
mrjoli021:

I did not realize I had to stop the ping and start it again. I thought that once I applied the rule it would automatically kill all sessions. Once I stopped the ping and started it again the rule worked. Is there a way to kill all sessions that the rule applies to?

Thanks

dotdash:

It doesn't do it automatically. You can go to Diagnostics > States and clear them there.

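The three checks dotdash lists (protocol on the rule, rule position, stale states) and the "it doesn't do it automatically" answer above all come down to how pf evaluates a packet: an existing state is matched before the ruleset is ever consulted, and on pfSense rules are first-match. The following toy model, added here as an example and not code from the thread or from pfSense, replays the thread's situation. It assumes (not stated in the original) that the VLAN20 interface already carried an allow-anything rule, since the ping could not have passed otherwise, and it keys states only on (protocol, source, destination), which is much coarser than real pf state tracking.

```python
"""Toy model of pf's stateful filtering as pfSense applies it (added example).

Assumptions, not from the original thread: pfSense rules are first-match (the
GUI adds every rule with "quick"), a state is keyed here only by
(protocol, source, destination), and the VLAN20 interface starts with an
allow-anything rule, since the original ping could not have passed otherwise.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str   # "icmp", "tcp", "udp"
    src: str
    dst: str
    iface: str   # interface the packet enters on, e.g. "VLAN20"


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str  # "pass" or "block"
    proto: str   # "any" or a protocol name
    src: str     # CIDR
    dst: str     # CIDR

    def matches(self, pkt: Packet) -> bool:
        return (self.iface == pkt.iface
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


class Firewall:
    """Rules are consulted only when no state matches; a pass rule creates a state."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()   # (proto, src, dst) of flows already passed

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.dst)
        if key in self.states:
            return "pass (state)"      # the ruleset is never consulted
        for rule in self.rules:        # first match wins
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action
        return "block"                 # pfSense default deny

    def reset_states(self):
        """Diagnostics > States > Reset States, or `pfctl -F states`."""
        self.states.clear()

    def kill_states(self, src_net: str, dst_net: str):
        """Targeted variant, like `pfctl -k <src_net> -k <dst_net>`."""
        self.states = {s for s in self.states
                       if not (ip_address(s[1]) in ip_network(src_net)
                               and ip_address(s[2]) in ip_network(dst_net))}


def scenario() -> dict:
    """Replays the thread: the rule is right, but a live state keeps the ping flowing."""
    vlan20, vlan30 = "10.21.20.0/24", "10.21.30.0/24"
    ping = Packet("icmp", "10.21.20.50", "10.21.30.3", "VLAN20")  # constructed sample
    allow_all = Rule("VLAN20", "pass", "any", vlan20, "0.0.0.0/0")  # assumed existing rule
    block = Rule("VLAN20", "block", "any", vlan20, vlan30)          # the rule from the thread
    fw = Firewall([allow_all])
    out = {}
    out["before_rule"] = fw.filter(ping)              # pass, and a state is created
    # A block rule written for TCP never matches an ICMP echo, states or not
    fw.rules.insert(0, Rule("VLAN20", "block", "tcp", vlan20, vlan30))
    fw.reset_states()
    out["tcp_rule"] = fw.filter(ping)
    # Correct rule at the top of the list, but the running ping's state is still there
    fw.rules[0] = block
    out["any_rule_state_kept"] = fw.filter(ping)
    # Kill just the states the rule is meant to cover, then retest
    fw.kill_states(vlan20, vlan30)
    out["any_rule_states_killed"] = fw.filter(ping)
    # Same rule placed below the allow rule: first match wins, so it never fires
    fw.rules = [allow_all, block]
    fw.reset_states()
    out["rule_below_allow"] = fw.filter(ping)
    return out


if __name__ == "__main__":
    for step, verdict in scenario().items():
        print(f"{step:24s} {verdict}")
```

On a real pfSense box the equivalent of `kill_states` is `pfctl -k 10.21.20.0/24 -k 10.21.30.0/24` from a shell (or Diagnostics > Command Prompt), which drops only the states from the first network to the second instead of resetting the whole table; `pfctl -ss` shows what is currently in the table so you can confirm the ping's state is gone before retesting.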
mrjoli021:

Thanks,

It was driving me crazy.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.