Interface and Rules

greatbush · May 28, 2025, 6:21 PM

Good day,

I have a question. Lets assume i have 3 different interfaces; servers, clients and storage. I like to add a rule that lets traffic from the server network to the client network.

Pfsense -> Rules -> Server -> Add Rule

The Server interface is selected in the scenario above. My question is what happens if i change the interface from server to storage.

How does pfsense interpret this rule.

Thank you

viragomann · May 28, 2025, 6:43 PM

@greatbush said in Interface and Rules:

My question is what happens if i change the interface from server to storage.

Most probably nothing.
The rule might not match any traffic on the storage interface, since it only filters for sources = SERVERS net.

greatbush · May 28, 2025, 9:22 PM

@viragomann So if the rule matched a traffic on the storage interface, will it let traffic through?

The Party of Hell No · May 28, 2025, 9:33 PM

@greatbush Yes, exactly.

tinfoilmatt · May 28, 2025, 10:13 PM

@greatbush said in Interface and Rules:

So if the rule matched a traffic on the storage interface, will it let traffic through?

Your screenshot shows a rule defined on the interface "SERVERS". Traffic on the "STORAGE" interface will never match any rules defined on the "SERVERS" interface.

stephenw10 · May 29, 2025, 1:29 AM

If you edit the rule and change the interface that moves the rule to the new interface.

Thus the rule will no longer be present on SERVERS so traffic from there to CLIENTS will no longer be passed.

As mentioned that rule on STORAGE will not pass anything because traffic can never be from SERVERS net there.

greatbush · May 29, 2025, 1:29 AM

@stephenw10 Thank you
I am still trying to wrap my ahead around something. Same three networks(storage, client, server).

I want devices on the storage network to reach and get responses from devices on the server network. Do i create 2 rules or 1.

storage interface rule: source = [single host or alias of devices on the storage network]
destination = server network

server interface rule: source = [single host or alias of devices on storage network]
destination = [server network, devices on server]

I feel like i am overthinking this problem.

The Party of Hell No · May 29, 2025, 1:37 AM

@greatbush I believe you take your rule above and duplicate it on each of the interfaces to direct it to the other (2) interfaces.

You would have to create two rules on each interface if you want that interface to talk to the other two interfaces.

greatbush · May 29, 2025, 2:11 AM

@The-Party-of-Hell-No Sorry for being optuse but is this what you mean;

SteveITS · May 29, 2025, 2:52 AM

@greatbush said in Interface and Rules:

I want devices on the storage network to reach and get responses from devices on the server network. Do i create 2 rules or 1.

Rules apply as packets enter the firewall. Responses are always allowed. So, one rule for one direction.

https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering

greatbush · May 29, 2025, 2:56 AM

@SteveITS said in Interface and Rules:

https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering

"Using this mechanism, traffic need only be permitted on the interface where it enters the firewall. When a connection matches a pass rule the firewall creates an entry in the state table. Reply traffic to connections is automatically allowed back through the firewall by matching it against the state table rather than having to check it against rules in both directions. This includes any related traffic using a different protocol, such as ICMP control messages that may be provided in response to a TCP, UDP, or other connection."

You are right. Thanks a lot!