Netgate Discussion Forum

Can't get LAN firewall rules to get working

Firewalling
4 Posts 3 Posters 433 Views

zachg96

Hello all,

I'm new to pfSense, and also a beginner when it comes to networking. I've set up a simple pfSense firewall, two WANs and one LAN. Rules on my LAN don't work as intended. For instance, I've created a rule to block ICMP on any source/destination on LAN. But I'm still able to ping from one LAN host to another, whereas ping to Google or external sites doesn't work. How do I make rules work between LAN hosts, i.e. block 3389 from one LAN source to another LAN destination? I've even tried clearing the states after adding the rules. Please enlighten me.

Here's my setup:
My two ISP modems --> pfSense --> switches --> LAN hosts


Rico

You can't block traffic inside your local Layer 2 subnet with pfSense or any other Layer 3 firewall.
Say your pfSense is 192.168.1.1/24, Client A is 192.168.1.11/24 and Client B is 192.168.1.12/24.
If Client A is talking to Client B, traffic flows directly between those clients; it will never hit pfSense.
To isolate clients you need to create more networks, like a DMZ with its own subnet, e.g. 192.168.2.0/24.
Now if Client A 192.168.1.11/24 talks to Client B 192.168.2.11/24, traffic flows through pfSense and you have full control with firewall rules and so on.

-Rico


zachg96

Ohh, makes sense now. Thank you, let me try allocating a different network and check. And there's no way to restrict traffic as a whole for a subnet? Say, like block ICMP for all the hosts of a subnet?


akuma1x @zachg96

@zachg96 You can restrict traffic from hosts on a subnet from going anywhere else, with appropriate firewall rules on that particular subnet. What you can't do, as has been discussed, is block traffic between hosts on the SAME subnet. They will be as chatty as you (or even the manufacturers) set them up to be.

The rule you're looking for in your post above would look like this:

Action: Block or Reject
Interface: the subnet you want it to run on
Address Family: IPv4 and/or IPv6
Protocol: ICMP
Source: same as "interface" above
Destination: any

Save and done. Move this new rule to the very top of the list. Make sure you've got an allow any-to-any rule at the very bottom of your list, so hosts on this subnet can at least get to the internet, if needed. Hope that helps.

Jeff

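The Python model below is an added example, not code from this thread or from pfSense itself. It puts Rico's Layer 2 point and Jeff's rule together: a packet between two hosts of one subnet is switched directly and never reaches the firewall, while a packet leaving its subnet is matched top-down against the rules of its ingress interface, first match wins, with an implicit deny when nothing matches. The subnets 192.168.1.0/24 and 192.168.2.0/24 and the host addresses are the ones from Rico's post; 8.8.8.8 stands in for "Google or external sites"; the rule fields are the ones Jeff listed, reduced to what the check needs. The last lines show why Jeff says to put the block rule above the allow-any rule: in the reversed order the ICMP rule is never reached.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology, following Rico's example: pfSense is the gateway of two
# routed networks. Hosts in one network reach each other through the switch;
# only traffic between networks (or to the internet) crosses pfSense.
INTERFACES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.2.0/24"),
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass
class Rule:
    """One row of a pfSense interface tab, reduced to the fields Jeff listed."""
    action: str                # "pass", "block" or "reject"
    interface: str             # tab the rule lives on, e.g. "LAN"
    proto: str                 # "icmp", "tcp", "udp" or "any"
    source: str                # "<iface> net" alias or "any"
    destination: str           # "any" or a CIDR
    dport: Optional[int] = None


def same_l2_segment(src: str, dst: str) -> bool:
    """True when both hosts sit in one subnet: the frame is switched directly
    and a Layer 3 firewall never gets a chance to filter it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net and d in net for net in INTERFACES.values())


def ingress_interface(src: str) -> Optional[str]:
    """Interface on which pfSense receives a packet from this source."""
    s = ipaddress.ip_address(src)
    for name, net in INTERFACES.items():
        if s in net:
            return name
    return None


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.endswith(" net"):                      # "LAN net" style alias
        return ipaddress.ip_address(addr) in INTERFACES[spec[:-4]]
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet, iface: str) -> bool:
    return (rule.interface == iface
            and rule.proto in ("any", pkt.proto)
            and _addr_matches(rule.source, pkt.src)
            and _addr_matches(rule.destination, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(pkt: Packet, rules: List[Rule]) -> Tuple[str, Optional[int]]:
    """Outcome for one packet: ("switched", None) when it never reaches pfSense;
    otherwise the action and index of the first matching rule on the ingress
    interface (pfSense evaluates top-down, first match wins), or the implicit
    default deny ("block", None) when no rule matches."""
    if same_l2_segment(pkt.src, pkt.dst):
        return ("switched", None)
    iface = ingress_interface(pkt.src)
    for i, rule in enumerate(rules):
        if iface is not None and rule_matches(rule, pkt, iface):
            return (rule.action, i)
    return ("block", None)


# Jeff's ICMP block at the top, the allow any-to-any at the bottom.
LAN_RULES = [
    Rule("block", "LAN", "icmp", "LAN net", "any"),
    Rule("pass", "LAN", "any", "LAN net", "any"),
]

if __name__ == "__main__":
    cases = {
        "ping LAN A -> LAN B":     Packet("192.168.1.11", "192.168.1.12", "icmp"),
        "ping LAN A -> internet":  Packet("192.168.1.11", "8.8.8.8", "icmp"),
        "ping LAN A -> DMZ host":  Packet("192.168.1.11", "192.168.2.11", "icmp"),
        "https LAN A -> internet": Packet("192.168.1.11", "8.8.8.8", "tcp", 443),
        "rdp DMZ host -> LAN A":   Packet("192.168.2.11", "192.168.1.11", "tcp", 3389),
    }
    for name, pkt in cases.items():
        print(f"{name:26} -> {evaluate(pkt, LAN_RULES)}")
    # Same two rules in the wrong order: allow-any above the block makes the
    # ICMP rule dead, which is why Jeff says to move the block to the top.
    print("ICMP block below allow-any ->",
          evaluate(cases["ping LAN A -> internet"], list(reversed(LAN_RULES))))
```

The DMZ interface has no rules in this model, so the RDP attempt from the DMZ host lands on the default deny; that is Jeff's "appropriate firewall rules on that particular subnet" in action, and it only works because the two hosts are in different subnets.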
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.