    pfBlockerNG granular inbound and outbound rules

    pfBlockerNG
    3 Posts 3 Posters 137 Views
    durwinius

      I am running pfSense as a multi-tenant solution with each tenant having their own isolated VLAN.

      Each tenant is assigned a public IP address for inbound rules going to their app server.

      I am trying to figure out how to set up separate rules for each client for inbound and outbound via GEO-IP.

      The pfBlockerNG rule set is global and not per rule/network. I want to set up each client that requires different GEO-IP locations. For example, US inbound only, Canada inbound only, same for outbound.

      The advanced inbound lets you make aliases but is limited to adding rules only for that destination.

      Example inbound rules I am trying to do:

      1. inbound rule from UK only to tenant 1
      2. inbound rule from US only to tenant 2
      3. inbound rule from CA only to tenant 3
      keyser @durwinius

        @durwinius You need to disable pfBlocker automatic rules, and instead ask it to create alias allow/deny lists. Once Force Update has been run, those aliases will be visible under Aliases on your firewall, and you can create the needed rules on each interface at your own leisure and priority.

        Love the no fuss of using the official appliances :-)

          SteveITS @keyser

          One note for the difference between Alias Deny and Alias Native is that, IIRC, if deduplication is enabled, pfB will dedupe across lists, which may give unexpected results if one has overlaps.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.