Traffic between OPT1 net and other networks e.g. LAN net
-
@jogovogo said in Traffic between OPT1 net and other networks e.g. LAN net:
But what I noticed now is that the rule somehow slips down by itself...
Ah, that would explain it. The rules are first-match so that rule won't run because the third rule matches first.
Moving it above the "OPT1 subnets * *" will make work. -
-
@jogovogo said in Traffic between OPT1 net and other networks e.g. LAN net:
But what I noticed now is that the rule somehow slips down by itself...
You need to read and understand the setting at:
Firewall / pfBlockerNG / IP / 'IP Interface/Rules Configuration' / Firewall 'Auto' Rule Order. -
Okay, but that doesn't postpone the rule I created by itself, does it?
-
@jogovogo The setting affects the ordering of all rules in the ruleset.
-
I have now switched to floating so that he leaves me my rules alone. (and kill states, one time)
-
@jogovogo I personally only use floating rules as a matter of absolute last resort. I've therefore found pfBlockerNG's default ordering format to be the setting that works best for my use case.
-
Okay, I understand, how would you approach my case without floating?
-
@jogovogo From what you've shared, it appears the default ordering format (i.e., "
| pfB_Pass/Match/Block/Reject | All other rules | (Default format)") works perfectly for you—as long as you keep the "Refuse OPT1 access to other subnetworks." deny rule above the "Default allow to any rule" pass rule of course...And unless you expect any non-"OPT1 subnets" DNS traffic to arrive on OPT1, the "Pass DNS to the Firewall" pass rule is unnecessary.EDIT: The "Pass DNS to the Firewall" pass rule may be necessary if the "OPT1 address" IP is contained within the "LAN subnets" alias. (And in such as a case, it would need to remain above the "Refuse OPT1 access to other subnetworks." deny rule.)SECOND EDIT: I maintain that unless you expect any non-"OPT1 subnets" DNS traffic to arrive on OPT1, the "Pass DNS to the Firewall" pass rule is unnecessary.
-
@jogovogo what I forgot: what pfSense version are you using? There was an issue with changing rule orders in certain situations on pfSense+ 23 and 24.
https://forum.netgate.com/topic/196601/rules-order-randomly-changes
https://redmine.pfsense.org/issues/16076
