Subnet Firewall Rule Issue
-
Hi all,
I'm having an issue where devices cannot communicate with each other across subnets when certain firewall rules are applied.
I have no issues when I have the default Any Any rules enabled and at the top of the priority lists for all my LAN interfaces and their subnets.
However, my new rules, which are identical to the default Any Any rules, with the exception of an advanced rule setting that specifies a WAN Gateway device (a Load Balance gateway group), will not allow devices to communicate between subnets anymore.
Enabling/disabling these rules in any combination doesn't seem to fix the issue.
I don't want to use the default Any Any rules as they will use the single default WAN Gateway device.
The screenshot is of the new rule.
-
@bigtimmyc Pass any from LAN Net...
-
@nollipfsense What difference would this make compared to any?
-
@bigtimmyc Any means just that whereas LAN Net means just from LAN Net, nothing else.
-
@nollipfsense So I found I can set my default gateways to be the load-balancing gateway groups I created, but I don't think the default LAN "any any" rules are respecting the defaults, as it's only using one connection during speed tests etc.
-
@bigtimmyc Please read here: https://docs.netgate.com/pfsense/en/latest/firewall/configure.html
-
@nollipfsense I can't see anything in this article that helps, unfortunately. This honestly looks like I'm experiencing a bug?
-
@nollipfsense It doesn't make sense that, with rules that are identical, one randomly refuses subnet traffic but the other ignores the default gateway and accepts all subnet traffic.
-
@bigtimmyc I have finally figured this out. I will attempt to make a guide as a separate post, as I have found there isn't a straightforward guide to get this working.
-
When you add policy routing by setting a gateway (or gateway group) on the rules, you force all traffic to use that route.
But here you want traffic between local subnets to use the system routing, not go out the WAN.
So you need to add a rule above the policy routing rule to pass local traffic only. Create an alias Local_Subnets and put in it all your locally connected subnets.
Then add a rule at the top of the list to pass from LAN net to Local_Subnets without a gateway set.
See: https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing
Steve
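The ordering point in the answer above, shown as an added example that is not part of the original thread and is not pfSense code: a small Python model of first-match ("quick") rule evaluation on the LAN interface. The subnet addresses, the Local_Subnets alias contents and the gateway group name WAN_LB are assumptions chosen for the demonstration. It compares the original ruleset (only the policy-routed rule), the fixed ruleset (bypass rule above it), and the bypass rule placed below the policy rule, where it is never reached.

```python
"""Model of pfSense first-match rule evaluation on a LAN interface.

Constructed example (not the forum poster's configuration): it shows why an
inter-subnet rule with no gateway must sit ABOVE the policy-routing rule
that sets a gateway group.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed alias of locally connected subnets (hypothetical addressing).
LOCAL_SUBNETS = ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")
LAN_NET = ("192.168.1.0/24",)  # "LAN net" on the LAN interface


@dataclass(frozen=True)
class Rule:
    """One pass rule. gateway=None means 'default': use the system routing table."""
    name: str
    src: tuple  # CIDR strings, or ("any",)
    dst: tuple
    gateway: Optional[str] = None


def _matches(nets, addr):
    """True if addr is inside any of the CIDRs, or nets is the 'any' wildcard."""
    if nets == ("any",):
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def first_match(rules, src, dst):
    """pfSense rules are 'quick': the first rule that matches wins."""
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule
    return None


def route_decision(rules, src, dst):
    """Return (action, gateway): 'block' (implicit default deny when no rule
    matches), 'system' (routing table, which reaches other local subnets),
    or 'policy' (forced out through the named gateway or gateway group)."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return ("block", None)
    if rule.gateway is None:
        return ("system", None)
    return ("policy", rule.gateway)


# The rule from the thread: LAN net -> any, gateway set to the load-balance group.
POLICY_RULE = Rule("LAN net to any via WAN_LB", LAN_NET, ("any",), gateway="WAN_LB")
# The bypass rule from the answer: LAN net -> Local_Subnets, no gateway set.
BYPASS_RULE = Rule("LAN net to Local_Subnets", LAN_NET, LOCAL_SUBNETS)

BROKEN_RULESET = [POLICY_RULE]              # all LAN traffic policy-routed to WAN_LB
FIXED_RULESET = [BYPASS_RULE, POLICY_RULE]  # bypass first, then policy route
WRONG_ORDER = [POLICY_RULE, BYPASS_RULE]    # bypass below the policy rule: never reached


if __name__ == "__main__":
    cases = (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET), ("wrong order", WRONG_ORDER))
    for label, ruleset in cases:
        print(label, "LAN -> other local subnet:",
              route_decision(ruleset, "192.168.1.10", "192.168.2.10"))
        print(label, "LAN -> Internet:          ",
              route_decision(ruleset, "192.168.1.10", "203.0.113.5"))
```

On the firewall itself, `pfctl -sr` lists the loaded ruleset in evaluation order; the policy-routed rule is the one carrying `route-to`, and the Local_Subnets pass rule should appear above it with no `route-to` at all.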