Destination/source firewall rules for LAN interfaces



  • I have set up a new router (appliance) with pfSense 1.23.

    I have broadband cable (coaxial) coming from the ISP to a cable modem.

    I receive an IP address from the ISP dynamically

    interface 0  WAN            DHCP to/from ISP
    interface 1  LAN            192.168.1.1
    interface 2  LANdownstairs  192.168.2.1
    interface 3  LANtomato      192.168.3.1 (wireless)

    I have enabled DHCP server on all 3 interfaces.

    I have enabled the default firewall configuration for the 3 LAN interfaces AND then configured the protocol to "ANY". The source/destination boxes are not checked and say "ANY".

    Everything works perfectly (so far) but something is bugging me.

    Do I need to configure the interface firewall rules to ensure that traffic from the outside world (WAN) goes to each specific interface? I don't think so, but I seem to remember that you need to apply some destination or source rule to the LAN interfaces when you have more than one.

    Or maybe not, maybe things are fine.

    My skill level at this sort of thing is medium.



  • Not sure what you are asking. If you mean unsolicited inbound traffic, that will never occur unless you have port forwards or some such. If you mean return traffic for outbound connections you make, that happens automatically. When you (say) connect to a website from, say, LAN #2, a state table entry will be set up showing the internal IP/port, so pfSense will know where to route the return traffic automatically.
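A toy model of the behaviour described in this reply, added here as an example that is not part of the original thread and not pfSense code: per-interface pass rules, a state table that lets return traffic through without any WAN rule, and what a destination "not LAN subnet" rule on an OPT interface actually affects. The `Packet`/`StatefulFirewall` names are assumptions, and the public addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed from the addressing in the thread; not a pfSense config export.
LAN_SUBNET = ip_network("192.168.1.0/24")   # the "LAN subnet" the OPT-rule advice refers to

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ENTERS on: "WAN" or one of the LAN names
    src: str
    sport: int
    dst: str
    dport: int

def any_dst(pkt):            # matcher for the default "allow to any" LAN rule
    return True

def not_lan_dst(pkt):        # matcher for destination "! LAN subnet"
    return ip_address(pkt.dst) not in LAN_SUBNET

class StatefulFirewall:
    # Hypothetical toy model of per-interface pass rules plus a state table (not pfSense code).
    # NAT is ignored: return packets are assumed to arrive already addressed to the LAN host.
    def __init__(self, rules):
        self.rules = rules            # {iface: [(action, matcher), ...]}
        self.states = set()           # (src, sport, dst, dport) of passed connections

    def filter(self, pkt):
        # Return traffic matching an existing state passes without consulting any rule.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states:
            return "pass:state"
        # Otherwise only the entry interface's rules apply; no match means default deny.
        for action, matcher in self.rules.get(pkt.iface, []):
            if matcher(pkt):
                if action == "pass":
                    self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return f"{action}:rule"
        return "block:default"

def demo():
    fw = StatefulFirewall({
        "LAN": [("pass", any_dst)],
        "LANdownstairs": [("pass", not_lan_dst)],  # the "not LAN subnet" variant
        "LANtomato": [("pass", any_dst)],
    })                                              # "WAN": no rules at all
    out = fw.filter(Packet("LANdownstairs", "192.168.2.50", 40000, "203.0.113.10", 443))
    back = fw.filter(Packet("WAN", "203.0.113.10", 443, "192.168.2.50", 40000))
    unsolicited = fw.filter(Packet("WAN", "198.51.100.7", 5555, "192.168.2.50", 22))
    cross = fw.filter(Packet("LANdownstairs", "192.168.2.50", 40001, "192.168.1.20", 445))
    return out, back, unsolicited, cross
```

Running `demo()` shows the outbound connection passing by rule, its reply passing by state, the unsolicited WAN packet hitting default deny, and the "not LAN subnet" rule blocking only LANdownstairs-to-LAN traffic, not anything from the WAN.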



  • Thanks for the reply.

    I had a hard time defining my question but you answered it.

    I came up with the question because I had read somewhere that when you add one extra LAN (OPT1) you need to check destination "not LAN subnet" for incoming traffic. The person who wrote that article may have been mistaken. I think they were under the impression that packets might accidentally flow into the other subnets.

    I suspected that pfSense routed traffic appropriately to the right internal IP/port but wanted to be prepared for a routing problem in case the network went down.

    Now I can sleep properly. :P

