Netgate Discussion Forum

Bundle multiple LAN IP addresses into a group

Firewalling
7 Posts 4 Posters 2.9k Views
mlooijer

      Hi all,

      Nice forum, great firewall :p (for starters)

I'm kind of new to this forum, but my search ended in a non-result (probably my fault :P )

      What i'm trying to accomplish is the following:

I'd like to set up a firewall rule in pfSense that only applies to certain hosts on my network, and not a subnet range, because I do not want the rule applied to the other hosts in that subnet.

      for example:

      Rule needed:
      allow tcp source (any) to destination (specific hosts) eq http

      This rule needs to be applied for the hosts:

      192.168.1.11, 192.168.1.14 and 192.168.1.18

      and I dont want the rule applied to these hosts

      192.168.1.12
      192.168.1.13
      192.168.1.15
      192.168.1.16
      192.168.1.17

Yes, I know that I can just create 3 rules, but I was wondering if I can add multiple host addresses to the same single rule, to keep the rule base clean and simple.

I cannot find the functionality in the user interface, and was wondering if I could script this on the firewall, and if yes, can anyone tell me how to? :P

      Any help would be much appreciated…

      Greetz

      Mike

dreamslacker

        Go to Firewall -> Aliases -> Add a new Alias

        For Alias type, choose Host Alias.

        Set a name for this Alias, in this example, I've chosen 'AllowHttpClients' as an Alias name.

        Save the alias.

In your firewall rule, instead of entering a range of IPs, you can then use the alias name. Like so:

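What the Host alias from the steps above turns into underneath: pfSense loads an alias as a pf table and references the table from the generated rule, which is why one rule can match several non-contiguous hosts. The fragment below is an added, hand-written pf.conf-style equivalent, not pfSense's own generated ruleset (that carries extra label, tracker and state options); the interface macro `$OPT1` (the interface the clients arrive on) is an assumption, and the host addresses are the ones from the question.

```pf
# Added example, hand-written pf.conf style; not pfSense's generated rules.debug.
# Assumed: $OPT1 is the interface the HTTP clients arrive on.
# The three addresses are the hosts from the question.

# The Host alias 'AllowHttpClients' becomes a pf table holding exactly those hosts.
table <AllowHttpClients> { 192.168.1.11 192.168.1.14 192.168.1.18 }

# One rule instead of three: the destination is the table, not a subnet,
# so 192.168.1.12, .13, .15, .16 and .17 are never matched by it.
pass in quick on $OPT1 inet proto tcp from any to <AllowHttpClients> port 80 flags S/SA keep state
```

To confirm what is actually loaded on a pfSense box, `pfctl -t AllowHttpClients -T show` lists the table members and `pfctl -sr | grep AllowHttpClients` shows the rule that references it (the GUI equivalent is Diagnostics > Tables). Editing the alias later and applying changes only the table contents; the rule itself stays as it is.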
mlooijer

          ty dreamslacker :P This helps a lot

Can I also use this alias feature with an IPVPN? 'Cause I can't choose it from the pulldown menu…
Or can this be done via a script?

          greetz

          M

GruensFroeschli

            What is an IPVPN?
            Do you mean IP address reachable or receiving via/from a VPN?
            These are still just normal IP addresses and can be used with a normal "hosts" or "networks" alias.


mlooijer

Sorry, my fault, I should be more specific :P
I mean an IPsec tunnel.

As you can see in the pic I sent, I cannot specify an alias there; can that be done otherwise?
Using an alias as the value of the local subnet field?

              ty ^^

(attached image: ipsectunnel.jpg)

jimp (Rebel Alliance Developer, Netgate)

                No, that can't be used with IPsec.

On 2.0 you could add multiple phase 2 entries, one for each IP, but it's probably better to just use the whole subnet and control access to the tunnel by using firewall rules (e.g. on the LAN tab, pass from <VPN IPs> to <remote VPN subnet>, followed by block from * to <remote VPN subnet>)

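The LAN-tab arrangement jimp describes, written out as an added, hand-written pf.conf-style fragment (not pfSense's generated ruleset): the phase 2 entry covers the whole LAN subnet, and the LAN rules decide which hosts may actually use the tunnel. The remote network 10.20.0.0/24, the `$LAN` macro and the alias name `VpnClients` are assumptions; the three hosts are the ones from the question.

```pf
# Added example, hand-written pf.conf style; not pfSense's generated rules.debug.
# Assumed: $LAN is the LAN interface and 10.20.0.0/24 is the remote phase 2 network.
# Phase 2 is configured as 192.168.1.0/24 <-> 10.20.0.0/24 (the whole subnet).

table <VpnClients> { 192.168.1.11 192.168.1.14 192.168.1.18 }
remote_vpn = "10.20.0.0/24"

# pfSense rules are first-match (quick), so the pass for the allowed hosts
# must sit above the block; reversed, nothing on the LAN could reach the tunnel.
pass in quick on $LAN from <VpnClients> to $remote_vpn keep state
block in quick on $LAN from any to $remote_vpn

# The usual "LAN net to any" rule stays below, so the rest of the LAN keeps
# normal access to everything except the remote VPN subnet.
pass in quick on $LAN from 192.168.1.0/24 to any keep state
```

One caveat: rules on the LAN tab only see traffic that LAN hosts initiate. Traffic arriving from the remote side of the tunnel is filtered on the IPsec tab instead, so if the remote network should likewise only reach these three hosts, a matching pass-then-block pair is needed there as well, with `<VpnClients>` as the destination.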
mlooijer

I was afraid of getting that answer, but ty anyway :P

At least it stops me from spending time researching how to accomplish it.

                  ^^

                  Regards

                  M

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.