Firewall Rules - FLOATING, WAN, LAN, OPT1

  • As we go through learning to put rules into our pfSense firewall, there comes a point where some people are confused about where to put their rules, and how effective they are. Even I can't tell exactly where to put them.

    So can anyone share their thoughts/understanding about Firewall Rules?
    When to apply rules in FLOATING? WAN? LAN? OPT1?


  • Floating rules are useful if you want the rule to apply to all interfaces, or if you want the rule to apply without the 'quick' option, or in other words if you want to apply more than one rule to a packet.

    If you want to apply a rule only to packets incoming on a single interface, and you want the firewall to stop filtering the packet after the rule is matched, then it is generally wiser to create that rule on the specific interface.

    Note that the Floating rules are parsed first, so if a packet matches a floating rule that has the 'quick' option set, that packet will not be filtered any further against any rule on any interface.
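    The ordering the reply above describes (floating rules evaluated before interface rules, a 'quick' match ending evaluation, a non-quick match only recording a tentative verdict that a later rule can overturn) is easy to get wrong when mixing the two tabs. The following is an added example, not code from pfSense or from anyone in this thread: a small Python model of that evaluation order, with a constructed ruleset and constructed packets. Rule names, the packet fields, and the per-tab lists are assumptions made for illustration; real pf also tracks state and pfSense generates its own default rules, which this model leaves out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Model of pf's rule evaluation as the reply describes it for pfSense:
# rules are walked in order, the LAST matching rule wins unless a matching
# rule has 'quick', in which case evaluation stops at that rule.
# Floating rules are placed ahead of interface rules; pfSense-generated
# interface rules always carry 'quick', floating rules only if ticked.

@dataclass
class Rule:
    name: str
    action: str                  # "pass" or "block"
    quick: bool                  # stop evaluating once this rule matches
    iface: Optional[str] = None  # None = any interface (allowed on floating rules)
    direction: str = "in"        # "in", "out" or "any"
    proto: Optional[str] = None  # None = any protocol
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.iface is not None and pkt["iface"] != self.iface:
            return False
        if self.direction != "any" and self.direction != pkt["direction"]:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dst_port is not None and pkt["dst_port"] != self.dst_port:
            return False
        return True


def evaluate(pkt: dict, floating: List[Rule], interface: List[Rule]) -> Tuple[str, str]:
    """Return (verdict, rule name) for one packet under floating-first ordering."""
    verdict = ("block", "default deny")        # implicit deny if nothing matches
    for rule in floating + interface:          # floating tab is parsed first
        if not rule.matches(pkt):
            continue
        if rule.quick:
            return (rule.action, rule.name)    # quick: no further rules consulted
        verdict = (rule.action, rule.name)     # non-quick: remember, keep going
    return verdict


# Constructed ruleset (assumed names, not from any real configuration).
FLOATING = [
    Rule("float-block-telnet", "block", quick=True, proto="tcp", dst_port=23),
    Rule("float-pass-dns-noquick", "pass", quick=False, proto="udp", dst_port=53),
]
INTERFACE = [
    Rule("lan-block-dns", "block", quick=True, iface="lan", proto="udp", dst_port=53),
    Rule("lan-pass-telnet", "pass", quick=True, iface="lan", proto="tcp", dst_port=23),
    Rule("lan-pass-any", "pass", quick=True, iface="lan"),
]


def pkt(iface: str, proto: str, dst_port: int, direction: str = "in") -> dict:
    return {"iface": iface, "direction": direction, "proto": proto, "dst_port": dst_port}


def demo() -> dict:
    """Evaluate a few constructed packets and return the verdicts by label."""
    return {
        # floating quick block wins even though a later LAN rule would pass it
        "lan_telnet": evaluate(pkt("lan", "tcp", 23), FLOATING, INTERFACE),
        # non-quick floating pass is overturned by the later quick LAN block
        "lan_dns": evaluate(pkt("lan", "udp", 53), FLOATING, INTERFACE),
        # nothing floating matches; the LAN catch-all passes it
        "lan_http": evaluate(pkt("lan", "tcp", 80), FLOATING, INTERFACE),
        # non-quick floating pass stands because no interface rule follows for opt1
        "opt1_dns": evaluate(pkt("opt1", "udp", 53), FLOATING, INTERFACE),
        # nothing matches at all: implicit deny
        "opt1_ssh": evaluate(pkt("opt1", "tcp", 22), FLOATING, INTERFACE),
    }


if __name__ == "__main__":
    for label, (verdict, rule) in demo().items():
        print(f"{label:10s} -> {verdict:5s} (by {rule})")
```

    The "lan_dns" case is the one that catches people: a non-quick floating pass looks like it allows the traffic, but the interface rule that follows it has the final say. Tick 'Quick' on the floating rule, or put the rule on the interface tab, if you want it to be decisive.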

  • Hello all:

    This is my first post.

    I have put many hours into attempting to set up the shaper on 2.0. Perhaps it's because I'm a Linux guy, but I can't get my mind around how this shaper config works. No matter what combination I try, I can't get l7 profiles to work. It either completely stops throughput, puts all traffic in the specified queue simply because it's the last floating rule, or has no effect at all.

    So I think what would help is if somebody can answer the following:

    1. Is it better to put l7 in floating, or does it matter?
    2. In floating rules what exactly does "Choose on which interface packets must come in to match this rule." mean? Because I have had more luck selecting the iface packets go out from, not in? Is it a typo?
    3. Related to question 2: what does the direction selector do? It seems ambiguous, since the option above it is the interface packets "come in" on, implying that the rule only applies to inbound packets anyway.
    4. In the advanced section: are they match criteria, or directives? If I specify an l7 profile/container, does that mean it's a criteria to match or is it forcing the box to treat traffic specified in the rule as such data?
    5. When creating a rule with a l7 container, should we specify a queue or does the l7 container queue action do that without a specified queue in the rule?
    6. The queues themselves are all created with the same names for each iface even though they are separate queues, is there logic in the box to know which queue to use, or is it up to us to change the names after the wizard is run?
    7. When specifying an ack queue in a rule, I noticed that unless I specify an ack queue on the same iface, the ack traffic seems to actually go to the default queue on that iface rather than the specified WAN ack queue. Why would the ack queue be on the internal iface instead of the external iface for WAN data?

