    Subnet Firewall Rule Issue

bigtimmyc:

      Hi all,

I'm having an issue where devices cannot communicate with each other across subnets when certain firewall rules are applied.

I have no issues when I have the default Any Any rules enabled and at the top of the priority lists for all my LAN interfaces and their subnets.

However, my new rules, which are identical to the default Any Any rules except for an advanced option that specifies a WAN gateway (a load-balance gateway group), will not allow devices to communicate between subnets anymore.

Enabling/disabling these rules in any combination doesn't seem to fix the issue.

I don't want to use the default Any Any rules, as they will use the single default WAN gateway.

Screenshots of the new rule: DeepinScreenshot_select-area_20220428120021.png, DeepinScreenshot_select-area_20220428120108.png

NollipfSense (@bigtimmyc):

        @bigtimmyc Pass any from LAN Net...

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

bigtimmyc (@NollipfSense):

          @nollipfsense What difference would this make compared to any?

NollipfSense (@bigtimmyc):

@bigtimmyc Any means just that, whereas LAN Net means just from LAN Net, nothing else.

bigtimmyc (@NollipfSense):

@nollipfsense So I found I can set my default gateways to be the load-balancing gateway groups I created, but I don't think the default LAN "any any" rules are respecting the defaults, as it's only using one connection during speed tests etc.

NollipfSense (@bigtimmyc):

                @bigtimmyc Please read here: https://docs.netgate.com/pfsense/en/latest/firewall/configure.html

bigtimmyc (@NollipfSense):

@nollipfsense I can't see anything in this article that helps, unfortunately. This honestly looks like I'm experiencing a bug?

bigtimmyc (@NollipfSense):

@nollipfsense It doesn't make sense that, with rules that are identical, one randomly refuses subnet traffic but the other one ignores the default gateway and accepts all subnet traffic.

bigtimmyc:

@bigtimmyc I have finally figured this out. I will attempt to make a guide as a separate post, as I have found there isn't a straightforward guide to get this working.

stephenw10 (Netgate Administrator):

When you add policy routing by setting a gateway (or gateway group) on the rules, you force all traffic matching them to use that route.
But here you want traffic between local subnets to use the system routing, not go out the WAN.
So you need to add a rule above the policy-routing rule to pass local traffic only.

Create an alias Local_Subnets and put in it all your locally connected subnets.

Then add a rule at the top of the list to pass from LAN net to Local_Subnets without a gateway set.

                        See: https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing

                        Steve

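A model of the rule evaluation Steve describes, added here as an example (it is not code from the thread or from pfSense). It applies first-match semantics to the poster's single policy-routed rule, to the same rule with the Local_Subnets bypass placed above it, and to the two rules in the wrong order, and includes a check that lists any local subnet still being pushed out a WAN gateway. The subnet values, the interface names and the gateway-group name WAN_LB are constructed assumptions.

```python
"""First-match rule evaluation with pfSense-style policy routing.

Added example, not code from the thread or from pfSense. The Rule fields mirror
the pfSense rule form (interface tab, source, destination, Advanced > Gateway);
subnets, interface names and the gateway group WAN_LB are constructed values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed aliases: three directly connected subnets behind the firewall.
ALIASES = {
    "LAN net": [ip_network("192.168.1.0/24")],
    "Local_Subnets": [ip_network("192.168.1.0/24"),
                      ip_network("192.168.2.0/24"),
                      ip_network("192.168.3.0/24")],
    "any": [ip_network("0.0.0.0/0")],
}
SYSTEM_ROUTING = "system routing table"


@dataclass(frozen=True)
class Rule:
    iface: str                     # interface tab the rule is on
    src: str                       # source alias
    dst: str                       # destination alias
    gateway: Optional[str] = None  # Advanced > Gateway; None = no policy routing
    descr: str = ""


def _in_alias(alias: str, addr: IPv4Address) -> bool:
    return any(addr in net for net in ALIASES[alias])


def evaluate(rules: List[Rule], iface: str, src: str, dst: str) -> Tuple[Optional[Rule], str]:
    """Return (matching rule, forwarding decision) for one packet.

    pfSense user rules are 'quick', so the first match wins. A rule with a
    gateway forces that gateway (or group); one without leaves the packet to
    the system routing table, which is what reaches the other local subnets.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.iface == iface and _in_alias(rule.src, s) and _in_alias(rule.dst, d):
            return rule, (rule.gateway or SYSTEM_ROUTING)
    return None, "default deny"


def policy_routed_local_subnets(rules: List[Rule], iface: str, src_alias: str) -> List[str]:
    """Config check: list every other local subnet that traffic from src_alias
    on this tab would be policy routed to (i.e. pushed out a WAN gateway).
    An empty list means local traffic bypasses policy routing as intended."""
    src_probe = ALIASES[src_alias][0][10]        # an arbitrary host in the source subnet
    broken = []
    for net in ALIASES["Local_Subnets"]:
        if src_probe in net:                     # same-subnet traffic never hits the firewall
            continue
        _, decision = evaluate(rules, iface, str(src_probe), str(net[10]))
        if decision != SYSTEM_ROUTING:
            broken.append(str(net))
    return broken


# The poster's failing configuration: the only LAN rule carries the gateway
# group, so inter-subnet packets are forced out a WAN instead of being routed.
POLICY_ONLY = [
    Rule("LAN", "LAN net", "any", gateway="WAN_LB", descr="LAN to any via WAN_LB"),
]

# Steve's fix: a no-gateway pass rule for local destinations ABOVE the
# policy-routing rule, so only non-local traffic is policy routed.
WITH_BYPASS = [
    Rule("LAN", "LAN net", "Local_Subnets", descr="Bypass policy routing for local traffic"),
    Rule("LAN", "LAN net", "any", gateway="WAN_LB", descr="LAN to any via WAN_LB"),
]

# Same two rules reversed: the catch-all matches first and the bypass never fires.
WRONG_ORDER = list(reversed(WITH_BYPASS))


if __name__ == "__main__":
    for name, rules in (("policy only", POLICY_ONLY), ("with bypass", WITH_BYPASS),
                        ("wrong order", WRONG_ORDER)):
        cross = evaluate(rules, "LAN", "192.168.1.10", "192.168.2.10")[1]
        inet = evaluate(rules, "LAN", "192.168.1.10", "1.1.1.1")[1]
        print(f"{name:12} local->local: {cross:22} local->internet: {inet:8} "
              f"policy-routed local subnets: {policy_routed_local_subnets(rules, 'LAN', 'LAN net')}")
```

The check function is the part worth re-running after any rule change: anything it returns is a local subnet whose traffic will be sent to a WAN gateway. Two caveats the model deliberately leaves out: hosts on the same subnet never traverse the firewall, so only cross-subnet pairs are probed, and pfSense evaluates rules on the interface where traffic enters, so every other interface tab (OPT1 and so on) needs its own bypass rule above its policy-routing rule.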