Netgate Discussion Forum

    When would traffic for an interface be coming from something other than the interface net source?

      imthenachoman

      When creating a FW rule for an interface, I can understand matching by a single host/alias but the other options don't make sense to me.

      When/how would traffic on LAN not be coming from LAN net? Like, why are all the other options in the drop-down even an option?

        netblues

        It also works as destination target.
        Say you want something from a dmz to be able to reach all hosts on another interface.
        It would be a host to LAN net rule.

        These are just aliases, used for ease of use.

          imthenachoman @netblues

          @netblues

          Say you want something from a dmz to be able to reach all hosts on another interface.

          But then the traffic would be coming from said interface, no?

            netblues @imthenachoman

            @imthenachoman obviously, yes

              imthenachoman @netblues

              @netblues So if you want something from a DMZ interface to be able to reach another interface, the interface would be DMZ, the implied source would be DMZ net, and the destination would be whatever you want.

              Why would you need to set a source?

              I guess I am trying to find a situation/use-case where you would NOT set source to any.

                netblues @imthenachoman

                @imthenachoman What if you need a single host from the DMZ and not the whole net?
                And in a more general case:
                What if you wanted a specific host on the Internets that you trust to have access to a resource behind pf?

                Nowadays, with NAT and VPN this isn't very common, but there are use cases.

                  imthenachoman @netblues

                  @netblues I see. That makes sense. Thank you!

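The two cases netblues describes above (a single DMZ host rather than the whole DMZ net, and one trusted Internet host reaching a resource behind pf), shown as an added example that is not part of the thread and is not pfSense's own code. It is a simplified first-match model of per-interface rules with a default deny; every address and name in it is a constructed assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (private and documentation ranges), not from the thread.
DMZ_NET = "10.0.20.0/24"
LAN_NET = "10.0.10.0/24"
DMZ_HOST = "10.0.20.5/32"            # the one DMZ host that should reach LAN
TRUSTED_WAN_HOST = "203.0.113.7/32"  # the one Internet host that is trusted
LAN_SERVER = "10.0.10.50/32"         # the resource behind the firewall


@dataclass
class Rule:
    action: str       # "pass" or "block"
    source: str       # CIDR string, or "any"
    destination: str  # CIDR string, or "any"


def matches(selector: str, addr: str) -> bool:
    """True if addr falls inside the rule's source/destination selector."""
    if selector == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(selector)


def evaluate(rules, src: str, dst: str) -> str:
    """Rules apply to traffic entering one interface: first match wins,
    and traffic that matches no rule is blocked (default deny)."""
    for rule in rules:
        if matches(rule.source, src) and matches(rule.destination, dst):
            return rule.action
    return "block"


# Three ways to write "DMZ may reach LAN" on the DMZ interface.
DMZ_SOURCE_ANY = [Rule("pass", "any", LAN_NET)]      # any address arriving on DMZ
DMZ_SOURCE_NET = [Rule("pass", DMZ_NET, LAN_NET)]    # every host in the DMZ subnet
DMZ_SOURCE_HOST = [Rule("pass", DMZ_HOST, LAN_NET)]  # only the one DMZ host

# On WAN, the source field is the only thing separating the trusted host
# from the rest of the Internet.
WAN_TRUSTED_ONLY = [Rule("pass", TRUSTED_WAN_HOST, LAN_SERVER)]

if __name__ == "__main__":
    for name, rules in [("source any", DMZ_SOURCE_ANY),
                        ("source DMZ net", DMZ_SOURCE_NET),
                        ("source single host", DMZ_SOURCE_HOST)]:
        for src in ("10.0.20.5", "10.0.20.99"):
            print(f"DMZ rule [{name}] {src} -> 10.0.10.50:",
                  evaluate(rules, src, "10.0.10.50"))
```

With source set to the single host, the second DMZ address falls through to the default deny, which is the difference the source field makes.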
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.