Can't get LAN firewall rules to get working


  • Hello all,

    I'm new to pfsense, also a beginner when it comes to Network. I've setup a simple pfSense firewall, Two WAN's and one LAN. Rules on my LAN don't work as intended. For instance I've created a rule to block ICMP on any source/destination on LAN. But still I'm able to ping from one LAN host to another where as ping to google or external sites doesn't work. How do I make rules to work inside LAN hosts i.e block 3389 from one LAN Source to Another LAN Destination? I've even tried clearing the states after rules. Please enlighten me,

    Here's my setup:
    My Two ISP Modem --> PfSense --> Switches --> LAN Hosts

  • LAYER 8 Rebel Alliance

    You can't block traffic inside your local Layer 2 subnet with pfSense or any other Layer 3 Firewall.
    Say your pfSense is 192.168.1.1/24, Client A 192.168.1.11/24 and Client B 192.168.1.12/24
    If Client A is talking to Client B traffic flows directly between those Clients, traffic will never hit pfSense.
    To isolate Clients you need to create more networks, like a DMZ with its own subnet, e.g. 192.168.2.0/24
    Now if Client A 192.168.1.11/24 talks to Client B 192.168.2.11/24 traffic flows through pfSense and you have full control with Firewall Rules and so on.

    -Rico


  • Ohh makes sense now. Thank you, let me try allocating a different network and check. And there's no way to restrict traffic as a whole for a subnet? Say like block ICMP for all the hosts of a subnet?


  • @zachg96 You can restrict traffic from hosts on a subnet from going anywhere else, with appropriate firewall rules on that particular subnet. What you can't do, as has been discussed, is to block traffic between hosts on the SAME subnet. They will be as chatty as you (or even the manufacturers) set them up to be.

    The rule you're looking for in your post above would look like this:

    Action: Block or Reject
    Interface: the subnet you want it to run on
    Address Family: IPv4 and/or IPv6
    Protocol: ICMP
    Source: same as "interface" above
    Destination: any

    Save and done. Move this new rule to the very top of the list. Make sure you've got an allow any to any rule at the very bottom of your list, so hosts on this subnet can at least get to the internet, if needed. Hope that helps.

    Jeff