Netgate Discussion Forum
    Difference between Source = Any vs Source = Specific Vlan

    Firewalling
    5 Posts 3 Posters 431 Views
      wintok
      last edited by wintok

      Hello everyone
      I have this question that's been bothering me for a while now. I have several VLANs created on my XG-7100 pfSense box. New VLANs created do not have their rules auto-created for them, unlike the default VLAN. Whenever I create a rule for my new VLAN, let's say VLAN 20, which is a Sales VLAN for instance, that will allow Internet access (this is a wide-open rule which allows inter-VLAN routing too), I have two options in the source to choose from. You either can set Source to Sales Net
      [attachment: source_SalesNnet.PNG]
      or you can set Source to Any
      [attachment: source_any.PNG]

      I always prefer to set the source to a specific VLAN. So the question is: which option is the most recommended one? I see a lot of people go with the second option. Why?

      viragomann @wintok
      last edited by

        @wintok
        Good advice is to state only the respective subnet as source in pass rules, but any in block rules.
        So you limit the allowed traffic to exactly what you want and block any other, without the need to care what exactly.

        johnpoz LAYER 8 Global Moderator @wintok
        last edited by

          @wintok I always use the specific VLAN of the interface as source. Any would be viable for a transit network you're setting up, where you might be adding future downstream networks that are routed through the transit.

          But rules should always be as specific as possible. I wouldn't use any on a VLAN that should only ever see traffic from the specific VLAN. The only time you should ever see traffic from anything else would be if you're using this interface as a transit network.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11
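          The difference both replies describe, simulated as an added example (this is not code from the thread, from pfSense or from Netgate). It models pfSense's per-interface, first-match rule evaluation with an implicit default deny, and compares three constructed rulesets on a hypothetical interface `vlan20`: a wide-open pass from source any, a pass limited to the interface's own subnet (the "Sales net" choice) with a block rule that uses source any, and a transit-style pass that lists the known downstream networks explicitly instead of any. All subnets, interface names and packet addresses are made up for the illustration.

```python
"""Added example: how 'Source = any' and 'Source = <Interface> net' behave on a
pfSense-style interface ruleset. Everything below is constructed; none of the
networks or interface names come from the forum thread."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed networks (hypothetical, not from the thread)
SALES_NET = ip_network("192.168.20.0/24")   # the subnet on the Sales VLAN interface
MGMT_NET = ip_network("192.168.1.0/24")     # a management VLAN we do not want Sales to reach
DOWNSTREAM = ip_network("10.50.0.0/24")     # a network behind a router that sits on the Sales VLAN


@dataclass(frozen=True)
class Rule:
    iface: str                                  # interface the rule is attached to (ingress)
    action: str                                 # "pass" or "block"
    src: Optional[tuple[IPv4Network, ...]]      # None means Source = any
    dst: Optional[tuple[IPv4Network, ...]]      # None means Destination = any
    note: str = ""


def _hit(nets: Optional[tuple[IPv4Network, ...]], addr) -> bool:
    """'any' matches everything; otherwise the address must fall in one of the networks."""
    return nets is None or any(addr in n for n in nets)


def evaluate(rules: tuple[Rule, ...], iface: str, src: str, dst: str) -> str:
    """First matching rule on the ingress interface wins (pfSense interface rules are
    'quick'); a packet that matches nothing hits the implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.iface == iface and _hit(r.src, s) and _hit(r.dst, d):
            return r.action
    return "default-deny"


# Ruleset 1: the wide-open choice from the question (Source = any)
RULES_ANY = (
    Rule("vlan20", "pass", None, None, "pass any -> any"),
)

# Ruleset 2: what both replies recommend. Block rules use 'any' as source,
# pass rules use the interface's own subnet.
RULES_SPECIFIC = (
    Rule("vlan20", "block", None, (MGMT_NET,), "block any -> management"),
    Rule("vlan20", "pass", (SALES_NET,), None, "pass Sales net -> any"),
)

# Ruleset 3: a transit-style interface. Instead of 'any', the pass rule lists the
# networks that legitimately arrive here (an alias in pfSense terms).
RULES_TRANSIT = (
    Rule("vlan20", "pass", (SALES_NET, DOWNSTREAM), None, "pass known networks -> any"),
)


def compare(src: str, dst: str, iface: str = "vlan20") -> dict[str, str]:
    """Run one constructed packet through all three rulesets and return the verdicts."""
    return {
        "any": evaluate(RULES_ANY, iface, src, dst),
        "specific": evaluate(RULES_SPECIFIC, iface, src, dst),
        "transit": evaluate(RULES_TRANSIT, iface, src, dst),
    }


if __name__ == "__main__":
    # Constructed packets entering on the Sales VLAN interface.
    cases = [
        ("Sales host to the Internet", "192.168.20.5", "203.0.113.10"),
        ("Sales host to management", "192.168.20.5", "192.168.1.10"),
        ("Downstream/foreign source to the Internet", "10.50.0.7", "203.0.113.10"),
    ]
    for label, src, dst in cases:
        print(f"{label:45s} {compare(src, dst)}")
```

The third packet is the one that separates the choices: with source any it is passed even though it did not originate on the Sales subnet, with source Sales net it falls through to the default deny, and on a transit interface it is passed only because the downstream network was named explicitly.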

            wintok @johnpoz
            last edited by

            @johnpoz Appreciate your prompt reply, and thank you very much.

              wintok @viragomann
              last edited by

              @viragomann Appreciate your prompt reply, and thank you very much.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.