Ingress Filtering question
-
@johnpoz said in Ingress Filtering question:
blocking lan11 as source on your lan6 interface is pointless - there would never be source traffic inbound to lan6 interface from the lan11 network.
Why is that? If the traffic originated from LAN11, LAN11 will be the source of the packet when it arrives at the LAN6 interface for evaluation. Am I missing something?
(This is the point I'm trying to clarify.) Assuming that this is the philosophy principle of pfSense:
then we agree. I have replicated your test on my LANs.
So it's true that the evaluation of LAN firewall rules happens on the outbound of the interface, as opposed to what happens on the WAN, where it happens on the inbound. At least that is what I understand. Please comment / clarify. (There is nothing in floating.)
-
@Bambos All traffic entering vlan 6 would have a source IP of vlan6... How would vlan 11 ever be a source IP into the vlan 6 interface??
Let's say vlan 6 network is 192.168.6/24, and vlan11 is 192.168.11/24.
If you have a client on vlan6 at 192.168.6.100, and it wants to talk to a device on vlan11, let's say 192.168.11.200.
How in the hell would the traffic this 6.100 box sends to pfsense to its vlan6 interface have a source IP of 192.168.11 something? Its source IP would be 192.168.6.100.
In no scenario would there ever be a vlan 11 source IP as inbound traffic into the vlan6 interface..
-
@Bambos said in Ingress Filtering question:
happens on the outbound of the interface
NO.. How is a rule on vlan6 seeing traffic into it from 192.168.6.x going to 192.168.11.y outbound???
Think of a doorman standing in front of your front door, and someone wants to enter the house (pfsense).. If he checks his list before he lets you enter the house - how is that outbound???
Do you stop the guy with his muddy shoes from entering the house after he has already entered (pfsense), or do you stop him before he even touches the front door and say hey wait, you're not on the allow list - take your muddy shoes and go away.. Or does the doorman sit inside the house, and let the guy just step into the house with his muddy shoes before he says hey wait a minute, you're not allowed.
Put yourself inside pfsense - looking at your interface - windows in your house.. Is the traffic entering the interface from the outside into pfsense, or is it leaving pfsense into the network attached to the interface?
The only place you can do outbound filtering is the floating tab.
-
@johnpoz hello my friend. I'm making an effort to get on the same page with you.
I guess I have a different understanding of the terminology, maybe.
For WAN it is clear: inbound is incoming and outbound is outgoing. Outbound: in relation to what? To the network interface of the originating network, or in relation to the whole firewall?
Do you mean that this is not the case for LANs? Traffic originating from LAN6, going to LAN11, how would you describe this with this terminology?
(I would see that as outbound from LAN6 / inbound to LAN11.)
-
@Bambos again pretend pfsense is your house - and you're standing in the middle.. Is the traffic coming into your house (inbound), window or door.. Or is it leaving your house, again window or door - if it's leaving pfsense it's outbound, if it's entering pfsense (your house) - you are inside the house - then it's inbound.
This is no different than your wan interface that you clearly understand - why would you think any of your other interfaces would be any different.
Traffic leaving a pc on your lan6 would be inbound to the lan 6 interface.. and outbound of your lan11 interface - to whatever device is on the lan11 network.. You're setting rules on pfsense (you're inside pfsense).. If you do not want a lan6 device to talk to a lan11 device, where do you set the rule - inbound on lan6..
So this traffic doesn't track mud all over your house!
If for some reason you have your heart set on blocking it from leaving lan11 into the lan11 network, then this rule would have to be set in the floating tab as outbound on interface 11..
But there is rarely any reason to do that.. Just stop this traffic at the lan6 interface from even entering pfsense.
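A toy model of the direction rule John describes, added here as an illustration (not pfSense or pf code; the interface names, networks and rule fields are constructed to match the thread). It shows why a block on the vlan6 tab with a vlan11 source never fires, and why the rule that stops vlan6 -> vlan11 traffic lives inbound on vlan6:

```python
"""Toy model of rule direction in pfSense (added example, not pfSense or pf
code; interface names, networks and rules are constructed). An interface tab
is consulted only for traffic *entering* pfSense on that interface. Only a
floating rule may carry direction "out". First match wins; else default deny."""
import ipaddress
from dataclasses import dataclass

# Constructed topology with the thread's numbering.
NETWORKS = {
    "vlan6": ipaddress.ip_network("192.168.6.0/24"),
    "vlan11": ipaddress.ip_network("192.168.11.0/24"),
}

@dataclass
class Rule:
    tab: str                # "vlan6", "vlan11" or "floating"
    action: str             # "pass" or "block"
    src: str                # source CIDR
    dst: str                # destination CIDR
    direction: str = "in"   # "out" only has meaning on the floating tab
    iface: str = ""         # floating only: interface to apply on ("" = any)

def interface_for(ip):
    """Interface whose network contains ip (ingress for a source, egress for a destination)."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    raise ValueError("no interface for %s" % ip)

def evaluate(rules, src_ip, dst_ip):
    """Return (action, matching rule) for src_ip -> dst_ip, or ("block", None)
    when no rule matched (pfSense's default deny)."""
    ingress, egress = interface_for(src_ip), interface_for(dst_ip)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.tab == "floating":
            seen_on = ingress if r.direction == "in" else egress
            consulted = r.iface in ("", seen_on)
        else:
            consulted = r.tab == ingress   # interface tabs are ingress only
        if consulted and src in ipaddress.ip_network(r.src) \
                and dst in ipaddress.ip_network(r.dst):
            return r.action, r
    return "block", None

if __name__ == "__main__":
    ANY = "0.0.0.0/0"
    pointless = [Rule("vlan6", "block", "192.168.11.0/24", ANY), Rule("vlan6", "pass", ANY, ANY)]
    print(evaluate(pointless, "192.168.6.100", "192.168.11.200")[0])   # pass: the block never fires
```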
-
@johnpoz I found that post as well from 2022. Something similar was going on :)
https://forum.netgate.com/topic/173715/firewall-rules-interface
I think i see what you mean, please confirm the below diagram (assuming no floating rules used).
-
@Bambos exactly what you got in that image, router inbound == router ingress. And excluding floating rules, the direction is always ingress in a firewall rule in pfSense.
The pfSense doc explains it, too:
https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering
-
@patient0 thanks for your comment.
As someone new to pfSense, the web GUI menu for firewall rules per interface, in relation to my false thinking / belief that we "defend" each network interface for the "inbound traffic" in relation to the interface (that's why we put the firewall rules there), led me to this false understanding.
The next version of this diagram would also have the NAT actions on the lines for outbound traffic in relation to the firewall (and maybe change some positioning).
I'm waiting for John to see this :) he is really making the effort for everyone.
-
@Bambos said in Ingress Filtering question:
t we "defend" each network interface for the "inbound traffic" in relation to the interface, (that's why we put there the firewall rules), lead me to this false understanding.
How is that - that is exactly what you're doing.. INBOUND into the interface..
How did that lead you to a false understanding?
Your diagram is correct.
Be it a bit busy - not sure why you need lan egress labeled.. Yeah if you have some PC on your lan, and it's putting traffic on the lan - that is egress from that PC.
-
@johnpoz said in Ingress Filtering question:
How did that lead you to false understanding?
I mean, like I'm in the LAN, looking at the incoming traffic and applying the firewall rules to limit the traffic. So according to this diagram, I was thinking that for LAN interfaces I was applying rules for the outbound of firewall / interface / LAN ingress traffic, so we can limit traffic going to that network (to protect that network) because we are on the firewall rules of its interface.
Instead, as I'm learning now, I have to put the firewall rules on the outgoing traffic of the other interface (because this is where the filtering is happening).
Also, after reading through your comments on this post and others, assuming the pf filtering happens before the packet enters the interface, and NAT happens before the packet leaves the interface, it seems that the NAT positioning for LAN is the correct one, instead of the Guest. Lastly, we have 3 different designs for interface attachment to the routing plane. Which one do you feel is closest to reality?