Pfsense 2 rc2 allow ping opt1 to opt2

  • Good morning, have a server configured with pfSense 2.0 rc2
    It 4 network adapter
    1 - WAN (Internet)
    2 - LAN (Local Area Network)
    3 - OPT1 (Multimedialna_PBP)
    4 - OPT2 (wifi)

    Now are, that lan, opt1 and opt2 can every subnet ping . example


    Badanie z użyciem 32 bajtów danych:

    Odpowiedź z bajtów=32 czas<1 ms TTL=64

    Statystyka badania ping dla
        Pakiety: Wysłane = 1, Odebrane = 1, Utracone = 0 (0% straty),
    Szacunkowy czas błądzenia pakietów w millisekundach:
        Minimum = 0 ms, Maksimum = 0 ms, Czas średni = 0 ms

    I don't known, Why! I can ping from opt1 to opt2 and back.

    I think this rules not permit ping from op1 to opt2 and back

    Port opt1 and opt2 are not same lan and not enabled bridge

    Sorry for my english

  • Are you looking to block access of ping or allow?

  • I want every packets blocking  between subnet op1 and opt2. Subnets opt1 and opt2 permit acces internet only.

    it's strange because at pfsense 1.2.3 it's working

  • Netgate Administrator

    At the moment your firewall rules are allowing traffic of any protocol to any destination. That includes ICMP to other local subnets.
    You need to alter them to allow only traffic you want.


  • ok, but

    examples for wifi rules.
    second rule block everything packets
    first allow only packets outcoming from opt2 (wifi)
    so I think rules block packet incoming from opt1 (Multimedialna_pbp) becouse packet from source which fits for rules created at opt2 (rule blocking everything).

    I can create rule at opt1 ( block destinaton packet to opt2 ( and its work for me (not allow ping from opt1 to opt2)

    but I think is worst becouse when I have got many subnet, I will create many rules block other subnet.

    I don't know why second rule at opt2 everything do not block pakiet incoming/outcoming packet from interfaces opt2

  • How do I create rule allow only public internet example for opt 2 and opt1

  • Netgate Administrator

    Here is what have done for internet access only:

    I created an alias for all my local subnets called LOCAL. For that is but you can add whatever subnets you have.

    Then I create a firewall rule to allow any traffic that has destination NOT LOCAL. I also add rule allow access to port 53 on the adapter address so that DNS forwarding still works.


  • same problem…

    maximal unsecure, if i forgot add network to exclude of network destinations traffic run through :-(

  • Netgate Administrator

    The default behavior of LAN is to allow all traffic to any destination. This allows for ease of setup for a simple wan LAN install.
    The default behavior of any additional interfaces is block everything. If you add interfaces you must configure your firewall rules to suit your network.


  • ok, it is fine if you have one LAN
    but with multi LAN i find this setup not very good :-(
    because it is necessary to think after adding new network to aliases and create new rule to block traffic between LANs

Log in to reply