Pass response traffic for single interface?



  • Hello,

    We have our main desktop LAN behind an internal firewall/router.

    [DesksLAN]-InternalFW-[ServiceLAN]-PFSenseFW--> Internet

    The pfsense firewall is the default gateway for the service LAN.  TCP packets from the desktop LAN can route to services on the service LAN.  Response traffic from those services goes to the default gateway (pfsense) to get the route back to the DesksLAN.  This response traffic is being dropped by pfsense because it is not aware of the initial request.  I know that this is appropriate behaviour for a stateful firewall.

    I can see that there is a flag in System->Advanced->Firewall/NAT - "Bypass firewall rules for traffic on the same interface".  I'd like to enable this flag for the internal LAN interface only, because the firewall rules feature is extremely useful to me in the DMZ, or implement a rule that will do the same job.

    Can this be done?

    Best regards,

    Simon



  • @sgb:

    I can see that there is a flag in System->Advanced->Firewall/NAT - "Bypass firewall rules for traffic on the same interface".  I'd like to enable this flag for the internal LAN interface only, because the firewall rules feature is extremely useful to me in the DMZ, or implement a rule that will do the same job.

    This option is useful only if you have traffic that passes over only ONE interface, for example, when your gateway is the firewall and the network you want to reach will be routed on the LAN interface instead of the WAN.

    Check your LAN rules to see if local LAN IPs have access to the internet, and check pfSense routes to see if it knows how to reach your internal network.
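The following is an added illustration, not code from either post or from pfSense itself: a small Python model of the situation in this thread. It shows why a stateful firewall that sees only the service's SYN/ACK (the SYN went DesksLAN -> InternalFW -> service without touching pfSense) drops that packet under a normal "keep state" rule, why it also needs a static route for DesksLAN via InternalFW (the reply's "check pfsense routes" point), and how a rule scoped to just the ServiceLAN -> DesksLAN pair on the LAN interface with a sloppy state type lets the return traffic through while every other flow on that interface stays fully state-checked. The "keep", "sloppy" and "none" state behaviours follow pf's rule state options as I understand them; all addresses, interface names and rule labels are constructed for the example.

```python
"""Model of a stateful firewall seeing only the return half of an asymmetric
TCP flow. Added example: addresses and names below are constructed, and the
state semantics are a simplified model of pf's keep/sloppy/no-state options."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: DesksLAN sits behind InternalFW, whose ServiceLAN-side
# address is INTERNAL_FW; the firewall's "lan" interface is on SERVICE_LAN.
DESKS_LAN = ip_network("10.1.0.0/24")
SERVICE_LAN = ip_network("10.2.0.0/24")
INTERNAL_FW = "10.2.0.2"
WAN_GATEWAY = "203.0.113.1"
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


@dataclass(frozen=True)
class Rule:
    iface: str
    src: object     # ip_network the source must fall in
    dst: object     # ip_network the destination must fall in
    state: str      # "keep" (normal), "sloppy", or "none"
    label: str


class StatefulFirewall:
    def __init__(self, rules, routes):
        self.rules = rules
        # routes: (network, next_hop) pairs, consulted longest prefix first
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)
        self.states = set()     # (src, dst, sport, dport) entries

    def next_hop(self, dst):
        """Where the firewall would forward a packet to dst."""
        dst_ip = ip_address(dst)
        for net, hop in self.routes:
            if dst_ip in net:
                return hop
        return None

    def decide(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        # An existing state entry passes the packet before any rule is read;
        # this is exactly what the thread's response traffic lacks.
        if key in self.states or rev in self.states:
            return "pass: existing state"
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for r in self.rules:
            if r.iface != pkt.iface or src not in r.src or dst not in r.dst:
                continue
            if r.state == "keep":
                # Normal state tracking only creates an entry from the SYN;
                # a lone SYN/ACK does not match and falls to the default deny.
                if pkt.flags != "S":
                    continue
                self.states.add(key)
            elif r.state == "sloppy":
                # Sloppy tracking creates state from whichever packet it sees first.
                self.states.add(key)
            elif r.state == "none":
                pass    # stateless pass: no entry, every packet re-evaluated
            else:
                raise ValueError(f"unknown state type {r.state}")
            return f"pass: rule {r.label}"
        return "drop: default deny (no state, no matching rule)"


# The only packet of this connection the firewall ever sees: the service's
# SYN/ACK, arriving on the lan interface, addressed to a DesksLAN host.
RESPONSE = Packet("lan", "10.2.0.10", "10.1.0.50", 443, 51234, "SA")

ROUTES = [(SERVICE_LAN, "on-link"), (ANY, WAN_GATEWAY)]
ROUTES_WITH_STATIC = ROUTES + [(DESKS_LAN, INTERNAL_FW)]
LAN_DEFAULT = Rule("lan", SERVICE_LAN, ANY, "keep", "lan-default")


def scenario_default():
    """Out of the box: packet dropped, and it would have been sent to the WAN."""
    fw = StatefulFirewall([LAN_DEFAULT], ROUTES)
    return fw.decide(RESPONSE), fw.next_hop(RESPONSE.dst)


def scenario_scoped_rule():
    """Narrow sloppy-state rule for this one pair plus a static route back."""
    scoped = Rule("lan", SERVICE_LAN, DESKS_LAN, "sloppy", "lan-to-desks-sloppy")
    fw = StatefulFirewall([scoped, LAN_DEFAULT], ROUTES_WITH_STATIC)
    return fw.decide(RESPONSE), fw.next_hop(RESPONSE.dst)


def scenario_unrelated_flow_still_checked():
    """A stray SYN/ACK to the internet on the same interface is still denied."""
    scoped = Rule("lan", SERVICE_LAN, DESKS_LAN, "sloppy", "lan-to-desks-sloppy")
    fw = StatefulFirewall([scoped, LAN_DEFAULT], ROUTES_WITH_STATIC)
    stray = Packet("lan", "10.2.0.10", "198.51.100.7", 443, 40000, "SA")
    return fw.decide(stray)


if __name__ == "__main__":
    print("default       :", scenario_default())
    print("scoped rule   :", scenario_scoped_rule())
    print("unrelated flow:", scenario_unrelated_flow_still_checked())
```

The point of the third scenario is the least-privilege angle behind the original question: a rule limited to the one source/destination pair on the LAN interface relaxes state checking only for that traffic, whereas a global "bypass rules on the same interface" setting would relax it everywhere that condition holds.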

