    Block single IP from WAN not working, subnets in Firewall rules not working

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED

      dnarz

      Using 2.0-ALPHA-ALPHA built on Fri Aug 21. Very simple setup (single WAN, single LAN) and only a few firewall rules.  My LAN rules look like this:

      First rule: (block) | protocol: any | source: 192.168.0.2 | port: any | destination: wan net | port: any | gateway: any | no schedule

      Second rule: (default allow LAN to any rule).

      So the block rule should stop 192.168.0.2 from getting out. But it doesn't work. 192.168.0.2 still has internet access! I tried playing around and the only way I got it to block access to the WAN was to switch destination: wan net to destination: any.  This successfully stops 192.168.0.2 from getting to the internet, but is broader than what I want (I still want it to access other clients on the LAN).

      I think this is a problem with pfSense not correctly using the *net (WAN net, LAN net, PPTP clients, etc.) definitions in the Source and Destination entries of Firewall Rules.  I think this because I had a similar problem:  When I set up the PPTP server, I added a rule to allow PPTP clients access to the LAN. At first, my rule looked like this:

      (allow) | Interface: PPTP VPN | protocol: any | source: PPTP clients | Destination: any

      and PPTP clients could NOT access the LAN (they could log into the VPN but could not browse, etc.).  When I changed the rule to this:

      (allow) | Interface: PPTP VPN | protocol: any | source: any | Destination: any

      PPTP clients could access the LAN. Shouldn't PPTP clients have been able to access the LAN under either rule?

      Therefore… is pfSense not using the drop-down definitions used in the Firewall rules "WAN subnet", "LAN subnet", and "PPTP clients" properly? Or am I missing something / doing something wrong?

      Thanks!

        cmb

        @dnarz:

        Using 2.0-ALPHA-ALPHA built on Fri Aug 21. Very simple setup (single WAN, single LAN) and only a few firewall rules.  My LAN rules look like this:

        First rule: (block) | protocol: any | source: 192.168.0.2 | port: any | destination: wan net | port: any | gateway: any | no schedule

        Second rule: (default allow LAN to any rule).

        So the block rule should stop 192.168.0.2 from getting out. But it doesn't work. 192.168.0.2 still has internet access!

        As it should. You blocked it from getting to the WAN's IP subnet (i.e. a small chunk of your ISP). The Internet would be any.

        @dnarz:

        I tried playing around and the only way I got it to block access to the WAN was to switch destination: wan net to destination: any.  This successfully stops 192.168.0.2 from getting to the internet, but is broader than what I want (I still want it to access other clients on the LAN).

        The firewall has nothing to do with traffic between LAN hosts.

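The following is an added illustration of cmb's two points; it is not code from the thread, from pfSense, or from pf. It models pfSense's first-match LAN rule evaluation with the "WAN net", "LAN net" and "any" macros expanded the way the rule editor expands them (the interface's own subnet, or 0.0.0.0/0), and a check for whether a LAN-to-LAN packet ever reaches the firewall at all. The addressing is assumed, since the thread does not give it: WAN address 203.0.113.17/24 (RFC 5737 documentation range, so "WAN net" is 203.0.113.0/24) and LAN 192.168.0.1/24. The rule sets are the two the poster described.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List

# Assumed addressing (not given in the thread). "WAN net" is the subnet the
# WAN address sits in, i.e. the ISP's transit segment, not the Internet.
WAN_NET = ip_network("203.0.113.17/24", strict=False)   # 203.0.113.0/24
LAN_NET = ip_network("192.168.0.1/24", strict=False)    # 192.168.0.0/24

# How the rule editor's drop-down macros expand.
MACROS: Dict[str, IPv4Network] = {
    "any": ip_network("0.0.0.0/0"),
    "wan net": WAN_NET,
    "lan net": LAN_NET,
}


def expand(spec: str) -> IPv4Network:
    """Turn a source/destination field into the network it matches.

    "<interface> net" macros expand to that interface's own subnet; a
    literal address or CIDR is used as written (a bare host is a /32).
    """
    key = spec.strip().lower()
    if key in MACROS:
        return MACROS[key]
    return ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str          # "block" or "pass"
    source: str
    destination: str


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins, as on a pfSense interface tab. Traffic that
    matches no rule falls through to the implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in expand(rule.source) and d in expand(rule.destination):
            return rule.action
    return "block"


def traverses_firewall(src: str, dst: str) -> bool:
    """Two hosts in the same LAN subnet exchange frames via the switch; those
    packets never arrive at the pfSense LAN interface, so no LAN rule sees
    them. Only traffic leaving the subnet is routed through the firewall."""
    s, d = ip_address(src), ip_address(dst)
    return not (s in LAN_NET and d in LAN_NET)


def outcome(rules: List[Rule], src: str, dst: str) -> str:
    """What actually happens to a packet from a LAN host."""
    if not traverses_firewall(src, dst):
        return "switched"            # firewall never involved
    return evaluate(rules, src, dst)


# The poster's original rule set: block 192.168.0.2 -> "WAN net", then the
# default "allow LAN to any" rule.
LAN_RULES_WAN_NET = [
    Rule("block", "192.168.0.2", "wan net"),
    Rule("pass", "lan net", "any"),
]

# The variant that actually cut off Internet access: destination "any".
LAN_RULES_ANY = [
    Rule("block", "192.168.0.2", "any"),
    Rule("pass", "lan net", "any"),
]


if __name__ == "__main__":
    cases = [
        (LAN_RULES_WAN_NET, "192.168.0.2", "8.8.8.8"),       # Internet host
        (LAN_RULES_WAN_NET, "192.168.0.2", "203.0.113.1"),   # ISP gateway
        (LAN_RULES_ANY,     "192.168.0.2", "8.8.8.8"),
        (LAN_RULES_ANY,     "192.168.0.2", "192.168.0.5"),   # another LAN host
        (LAN_RULES_WAN_NET, "192.168.0.3", "8.8.8.8"),       # unrelated host
    ]
    for rules, src, dst in cases:
        label = "wan net" if rules is LAN_RULES_WAN_NET else "any"
        print(f"dest={label:8} {src} -> {dst}: {outcome(rules, src, dst)}")
```

With destination "WAN net" the block rule only matches the ISP's transit subnet, so 8.8.8.8 falls through to the default allow rule, exactly the behaviour the poster saw. With destination "any" the host is blocked from everything routed, yet traffic to 192.168.0.5 still shows as "switched": same-subnet hosts never hand their packets to pfSense, so the broader rule does not affect LAN-to-LAN access.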
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.