Block single IP from WAN not working, subnets in Firewall rules not working


  • Using 2.0-ALPHA-ALPHA built on Fri Aug 21. Very simple setup (single WAN, single LAN) and only a few firewall rules.  My LAN rules look like this:

    First rule: (block) | protocol: any | source: 192.168.0.2 | port: any | destination: wan net | port: any | gateway: any | no schedule

    Second rule: (default allow LAN to any rule).

    So the block rule should stop 192.168.0.2 from getting out. But it doesn't work. 192.168.0.2 still has internet access! I tried playing around and the only way I got it to block access to the WAN was to switch destination: wan net to destination: any.  This successfully stops 192.168.0.2 from getting to the internet, but is broader than what I want (I still want it to access other clients on the LAN).

    I think this is a problem with pfSense not correctly using the *net (WAN net, LAN net, PPTP clients, etc.) definitions in the Source and Destination entries of Firewall Rules. I think this because I had a similar problem: When I set up the PPTP server, I added a rule to allow PPTP clients access to the LAN. At first, my rule looked like this:

    (allow) | Interface: PPTP VPN | protocol: any | source: PPTP clients | Destination: any

    and PPTP clients could NOT access the LAN (they could log into the VPN but could not browse, etc.).  When I changed the rule to this:

    (allow) | Interface: PPTP VPN | protocol: any | source: any | Destination: any

    PPTP clients could access the LAN. Shouldn't PPTP clients have been able to access the LAN under either rule?

    Therefore… is pfSense not using the drop-down definitions used in the Firewall rules "WAN subnet", "LAN subnet", and "PPTP clients" properly? Or am I missing something / doing something wrong?

    Thanks!


  • @dnarz:

    Using 2.0-ALPHA-ALPHA built on Fri Aug 21. Very simple setup (single WAN, single LAN) and only a few firewall rules.  My LAN rules look like this:

    First rule: (block) | protocol: any | source: 192.168.0.2 | port: any | destination: wan net | port: any | gateway: any | no schedule

    Second rule: (default allow LAN to any rule).

    So the block rule should stop 192.168.0.2 from getting out. But it doesn't work. 192.168.0.2 still has internet access!

    As it should. You blocked it from getting to the WAN's IP subnet (i.e. a small chunk of your ISP). The Internet would be any.

    @dnarz:

    I tried playing around and the only way I got it to block access to the WAN was to switch destination: wan net to destination: any.  This successfully stops 192.168.0.2 from getting to the internet, but is broader than what I want (I still want it to access other clients on the LAN).

    The firewall has nothing to do with traffic between LAN hosts.
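To make the reply's two points concrete, here is an added Python model of first-match evaluation on the LAN rule tab; it is not pfSense's code and not from the thread. The WAN subnet 203.0.113.0/24, the Internet host 198.51.100.7, the firewall's LAN address 192.168.0.1 and the LAN peer 192.168.0.10 are constructed assumptions.

```python
import ipaddress

# Constructed addresses (not from the thread): the WAN interface sits in the
# documentation prefix 203.0.113.0/24, the LAN is 192.168.0.0/24, and the
# firewall's own LAN address is assumed to be 192.168.0.1.
WAN_NET = ipaddress.ip_network("203.0.113.0/24")
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
FIREWALL_LAN_IP = ipaddress.ip_address("192.168.0.1")
ALIASES = {"wan net": WAN_NET, "lan net": LAN_NET, "any": None}

def matches(alias, addr):
    """'any' matches everything; a *net alias matches only its own subnet."""
    net = ALIASES[alias]
    return net is None or ipaddress.ip_address(addr) in net

def lan_rules(block_dst):
    """The LAN tab from the post: a block rule for 192.168.0.2, then the default allow."""
    return [("block", "192.168.0.2", block_dst), ("pass", "any", "any")]

def evaluate(rules, src, dst):
    """First matching rule wins for a packet entering the LAN interface.
    Traffic between two LAN hosts never reaches the firewall (it is switched
    locally), so no rule is consulted; only packets addressed to the firewall's
    own LAN address or routed off-subnet are filtered."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in LAN_NET and dst_ip in LAN_NET and dst_ip != FIREWALL_LAN_IP:
        return "not filtered"
    for action, rule_src, rule_dst in rules:
        src_ok = rule_src == "any" or ipaddress.ip_address(rule_src) == src_ip
        if src_ok and matches(rule_dst, dst):
            return action
    return "block"  # implicit default deny when nothing matches

def demo():
    """Evaluate the blocked host's traffic under both versions of the rule."""
    targets = [("internet", "198.51.100.7"),    # constructed Internet host
               ("wan subnet", "203.0.113.9"),   # constructed host in the WAN's subnet
               ("lan peer", "192.168.0.10")]    # constructed LAN client
    return {dst_alias: {name: evaluate(lan_rules(dst_alias), "192.168.0.2", dst)
                        for name, dst in targets}
            for dst_alias in ("wan net", "any")}
```

With "wan net" as destination the Internet host is passed and only the ISP's subnet is blocked; with "any" the Internet is blocked, and in both cases the LAN peer is never filtered at all.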