Netgate Discussion Forum
    Have I misunderstood 'Invert match'?

    PFS4teepee

      Hello,
      I have a rule that I thought would prevent traffic entering my LAN but, it doesn't. Have I misunderstood the 'Invert match' option?

      I have three interfaces: WAN, LAN, WIFI
      I've configured a rule: Action = Pass, Interface = WIFI, Address family IPV4 & 6, Protocol = Any, Source = WIFI, Destination - Invert match LAN

      I thought this rule would allow traffic to flow from the WIFI through WAN interface but would block traffic from the LAN. I have a number of wifi cameras on the WIFI side and can see them (using various surveillance software) just fine from the LAN. My original assumption was that with the Invert match rule active I'd need to create specific pass rules but this doesn't seem to be the case.

      I'm clearly missing something but not sure what. I'd be grateful for some guidance.

      Thanks a lot

    bmeeks @PFS4teepee

        @pfs4teepee said in Have I misunderstood 'Invert match'?:
        I think you are suffering from a common misconception about firewall rules in pfSense. Regular rules apply to traffic "entering" on an interface from the NIC side, not entering or leaving from the kernel network stack side. So if you don't want your LAN seeing things on WiFi, then on the LAN interface you must put a block rule. And when we say "entering" an interface, we mean from the NIC at the switch port side. So think of that as traffic coming from the WiFi switch port into the WiFi interface on pfSense. Same thing for your LAN side.

        And just a friendly reminder. Invert match rules can be extremely confusing and it is best to avoid them whenever possible. And it is usually possible ... 🙂. Use PASS or BLOCK rules instead. So it sounds like in your case you need a BLOCK rule on the LAN interface that says SOURCE = LAN, DEST = WiFi, then [Block]

        PFS4teepee @bmeeks
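        An added illustration of the point in the reply above (example code written for this page, not from the thread or from pfSense): a small first-match rule evaluator in which each rule only sees traffic entering its own interface from the NIC side, so the invert-match pass rule on WIFI never examines a LAN-originated connection to a camera, while a block rule on LAN does. The subnets, the sample addresses and the assumed default "LAN to any" pass rule are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subnets for the three interfaces in the post (assumed addressing).
NETS = {
    "WAN": ipaddress.ip_network("203.0.113.0/24"),
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "WIFI": ipaddress.ip_network("192.168.2.0/24"),
}

@dataclass
class Rule:
    iface: str            # rule is evaluated only for traffic entering this interface
    action: str           # "pass" or "block"
    src: Optional[str]    # interface network name, or None for "any"
    dst: Optional[str]
    invert_dst: bool = False   # pfSense "Invert match" on the destination

def ingress_iface(src_ip: str) -> str:
    # Traffic enters the firewall on the interface whose subnet holds the source.
    for name, net in NETS.items():
        if ipaddress.ip_address(src_ip) in net:
            return name
    return "WAN"

def matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if rule.src and s not in NETS[rule.src]:
        return False
    if rule.dst:
        in_dst = d in NETS[rule.dst]
        if in_dst == rule.invert_dst:   # invert flips the destination test
            return False
    return True

def verdict(rules: list, src_ip: str, dst_ip: str) -> str:
    # First matching rule on the ingress interface wins; otherwise default deny.
    # (pf is stateful: replies ride the state created here, not the rules.)
    iface = ingress_iface(src_ip)
    for r in rules:
        if r.iface == iface and matches(r, src_ip, dst_ip):
            return r.action
    return "block"

# The poster's rule set: WIFI pass to anything except LAN, plus an assumed
# default "LAN to any" pass rule that lets the LAN reach the cameras.
ORIGINAL = [Rule("WIFI", "pass", "WIFI", "LAN", invert_dst=True),
            Rule("LAN", "pass", "LAN", None)]
# bmeeks's fix: a block rule on the LAN interface, source LAN, destination WIFI.
FIXED = [Rule("LAN", "block", "LAN", "WIFI")] + ORIGINAL
```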

          @bmeeks, thanks a lot. That makes sense.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.