Bundle multiple LAN IP addresses in to group

  • Hi all,

    Nice forum, great firewall :p (for starters)

    I'm kinda new to this forum, but my search ended in a non-result (probably my fault :P )

    What i'm trying to accomplish is the following:

    I like to set up a firewall rule in pfsense, that only applies to certain hosts on my network, and not a subnet-range, because i do not want the rule applied to the host also bundled by a subnet.

    for example:

    Rule needed:
    allow tcp source (any) to destination (specific hosts) eq http

    This rule needs to be applied for the hosts:, and

    and I dont want the rule applied to these hosts

    Yes I know that i can just create 3 rules, but I was wondering if i can add multiple host-addreses to the same single rule, to keep the rule-base clean and simple.

    I cannot find the functionallity in the user-interface, and was wandering if i could script this to the firewall, and if yes can anyone tell me how to? :P

    Any help would be much appreciated…



  • Go to Firewall -> Aliases -> Add a new Alias

    For Alias type, choose Host Alias.

    Set a name for this Alias, in this example, I've chosen 'AllowHttpClients' as an Alias name.

    Save the alias.

    Under your firewall rule, instead of entering a range of IPs, you can then use the alias name instead.  Like so:

  • ty dreamslacker :P This helps a lot

    Can i also use this alias-feature with an IPVPN? cause i can't choose it from the pulldown menu…
    Or can this be done via a script?



  • What is an IPVPN?
    Do you mean IP address reachable or receiving via/from a VPN?
    These are still just normal IP addresses and can be used with a normal "hosts" or "networks" alias.

  • Sorry, my fault, should be more specific :P
    I mean ipsec tunnel

    As you can see in the pic i send, i cannot specify an alias there, can that be done otherwise?
    using an alias as the value of the localsubnet-field?

    ty ^^

  • Rebel Alliance Developer Netgate

    No, that can't be used with IPsec.

    On 2.0 you could add multiple phase 2 entries, one for each IP, but it's probably better to just use the whole subnet and control access to the tunnel by using firewall rules (e.g. on the LAN tab, pass from <vpn ips="">to <remote vpn="" subnet="">, followed by block from * to <remote vpn="" subnet="">)</remote></remote></vpn>

  • I was affraid for getting that answer, but ty anyway :P

    At least it stops me spending time in researching how to accomplish it




Log in to reply