Netgate Discussion Forum

Interface and Rules

General pfSense Questions
11 Posts 6 Posters 640 Views
greatbush, May 28, 2025, 6:21 PM

    Good day,

    I have a question. Let's assume I have 3 different interfaces: servers, clients and storage. I'd like to add a rule that lets traffic from the server network to the client network.

    pfSense -> Rules -> Server -> Add Rule
    [screenshot attachment: the rule]

    The Server interface is selected in the scenario above. My question is what happens if I change the interface from server to storage.

    How does pfSense interpret this rule?

    Thank you

    viragomann @greatbush, May 28, 2025, 6:43 PM

      @greatbush said in Interface and Rules:

      My question is what happens if i change the interface from server to storage.

      Most probably nothing.
      The rule might not match any traffic on the storage interface, since it only filters for sources = SERVERS net.

      greatbush @viragomann, May 28, 2025, 9:22 PM

        @viragomann So if the rule matched traffic on the storage interface, would it let the traffic through?

        The Party of Hell No @greatbush, May 28, 2025, 9:33 PM

          @greatbush Yes, exactly.

          tinfoilmatt @greatbush, May 28, 2025, 10:13 PM

            @greatbush said in Interface and Rules:

            So if the rule matched a traffic on the storage interface, will it let traffic through?

            Your screenshot shows a rule defined on the interface "SERVERS". Traffic on the "STORAGE" interface will never match any rules defined on the "SERVERS" interface.

            stephenw10 (Netgate Administrator), May 28, 2025, 10:40 PM

              If you edit the rule and change the interface that moves the rule to the new interface.

              Thus the rule will no longer be present on SERVERS so traffic from there to CLIENTS will no longer be passed.

              As mentioned that rule on STORAGE will not pass anything because traffic can never be from SERVERS net there.

              greatbush @stephenw10, May 29, 2025, 1:29 AM

                @stephenw10 Thank you.
                I am still trying to wrap my head around something. Same three networks (storage, client, server).

                I want devices on the storage network to reach and get responses from devices on the server network. Do I create 2 rules or 1?

                storage interface rule: source = [single host or alias of devices on the storage network]
                destination = server network

                server interface rule: source = [single host or alias of devices on the storage network]
                destination = [server network, devices on server]

                I feel like I am overthinking this problem.

                The Party of Hell No @greatbush, May 29, 2025, 1:36 AM (edited 1:37 AM)

                  @greatbush I believe you take your rule above and duplicate it on each of the interfaces to direct it to the other (2) interfaces.

                  You would have to create two rules on each interface if you want that interface to talk to the other two interfaces.

                  greatbush @The Party of Hell No, May 29, 2025, 2:11 AM

                    @The-Party-of-Hell-No Sorry for being obtuse, but is this what you mean?
                    [screenshot attachment: the rules]

                      SteveITS @greatbush, May 29, 2025, 2:52 AM

                      @greatbush said in Interface and Rules:

                      I want devices on the storage network to reach and get responses from devices on the server network. Do i create 2 rules or 1.

                      Rules apply as packets enter the firewall. Responses are always allowed. So, one rule for one direction.

                      https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering

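The two points made in the replies above, that a rule is bound to the interface where traffic enters (stephenw10) and that replies are passed by the state table rather than by a second rule (SteveITS), can be checked with a small model. The simulator below is added here and is not pfSense code or anything a poster wrote: it parses a subset of pf rule syntax (the shape pfSense writes to /tmp/rules.debug), evaluates only the rules bound to the ingress interface, and keeps a state table. The subnets 10.0.1.0/24 (SERVERS), 10.0.2.0/24 (CLIENTS), 10.0.3.0/24 (STORAGE) and the host 10.0.3.5 are constructed for the example; real pf keys states on protocol and ports as well, which is simplified here to an address pair.

```python
"""Added model of pf-style interface-bound, stateful rule evaluation (not pfSense code)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed topology: one /24 per interface (assumption, not from the thread).
NETS = {
    "SERVERS": ipaddress.ip_network("10.0.1.0/24"),
    "CLIENTS": ipaddress.ip_network("10.0.2.0/24"),
    "STORAGE": ipaddress.ip_network("10.0.3.0/24"),
}

# Subset of pf syntax, e.g. "pass in quick on SERVERS from 10.0.1.0/24 to 10.0.2.0/24 keep state"
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+in\s+(?:quick\s+)?on\s+(?P<iface>\w+)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)


@dataclass
class Rule:
    action: str
    iface: str  # the rule only sees packets entering on this interface
    src: str
    dst: str


def parse_rules(text: str) -> list:
    """Parse one rule per line; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append(Rule(**m.groupdict()))
    return rules


def _addr_in(spec: str, addr: str) -> bool:
    """spec is 'any', a single host, or a CIDR."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (initiator, responder) pairs of connections passed so far

    @staticmethod
    def ingress_iface(src: str) -> str:
        """A packet enters on the interface whose subnet holds its source address."""
        for name, net in NETS.items():
            if ipaddress.ip_address(src) in net:
                return name
        raise ValueError(f"no interface for {src}")

    def packet(self, src: str, dst: str) -> str:
        # 1. State table first: a reply to an allowed connection passes on whatever
        #    interface it enters, without consulting the rules on that interface.
        if (dst, src) in self.states:
            return "pass (state)"
        # 2. Otherwise only rules bound to the ingress interface are evaluated,
        #    first match wins (pfSense GUI rules are 'quick'); no match is default deny.
        iface = self.ingress_iface(src)
        for r in self.rules:
            if r.iface == iface and _addr_in(r.src, src) and _addr_in(r.dst, dst):
                if r.action == "pass":
                    self.states.add((src, dst))
                return f"{r.action} (rule on {r.iface})"
        return "block (default deny)"


def run(ruleset: str, packets) -> list:
    """Feed packets (src, dst) through a fresh firewall and return the verdicts."""
    fw = Firewall(parse_rules(ruleset))
    return [fw.packet(s, d) for s, d in packets]


# Scenario 1: the rule from the first post, bound to SERVERS.
ORIGINAL = "pass in quick on SERVERS from 10.0.1.0/24 to 10.0.2.0/24 keep state"
# Scenario 2: the same rule after changing its interface to STORAGE (the rule moves).
MOVED = "pass in quick on STORAGE from 10.0.1.0/24 to 10.0.2.0/24 keep state"
# Scenario 3: one storage host may reach the server net; no rule on SERVERS at all.
STORAGE_TO_SERVERS = "pass in quick on STORAGE from 10.0.3.5 to 10.0.1.0/24 keep state"

SERVER_TO_CLIENT = [("10.0.1.10", "10.0.2.20"), ("10.0.2.20", "10.0.1.10")]  # request, reply
STORAGE_CONN = [("10.0.3.5", "10.0.1.10"), ("10.0.1.10", "10.0.3.5")]        # request, reply

if __name__ == "__main__":
    print("original :", run(ORIGINAL, SERVER_TO_CLIENT))
    print("moved    :", run(MOVED, SERVER_TO_CLIENT + [("10.0.3.5", "10.0.2.20")]))
    print("storage  :", run(STORAGE_TO_SERVERS, STORAGE_CONN))
```

With the rule on SERVERS the request passes by rule and the reply passes by state. After the rule is moved to STORAGE the same request hits default deny on SERVERS, and a packet from the storage net never matches the moved rule because its source is not in SERVERS net. In the third scenario the storage host's request passes on STORAGE and the server's reply passes on SERVERS by state alone, which is why one rule in the initiating direction is enough. On a real box the equivalent check is to read /tmp/rules.debug to see which interface a rule landed on and `pfctl -ss` to see the state created by the first packet.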
                        greatbush @SteveITS, May 29, 2025, 2:56 AM

                        @SteveITS said in Interface and Rules:

                        https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering

                        "Using this mechanism, traffic need only be permitted on the interface where it enters the firewall. When a connection matches a pass rule the firewall creates an entry in the state table. Reply traffic to connections is automatically allowed back through the firewall by matching it against the state table rather than having to check it against rules in both directions. This includes any related traffic using a different protocol, such as ICMP control messages that may be provided in response to a TCP, UDP, or other connection."

                        You are right. Thanks a lot!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.