Netgate Discussion Forum

    LAN-side subnets?

    Firewalling
    2 Posts 2 Posters 2.3k Views
    dleifelohcs

      I'm putting this here since it's "installation" in the sense that I'm still working on installing it. That and I don't know where else it belongs.

      pfSense's LAN is 10.200.0.0, we'll say. That's an internal subnet for all of our Content Filtration, etc.
      Actual clients reside on 10.100.0.0/16, 10.105.0.0/24, 10.110.0.0/24, 10.115.0.0/24, 10.120.0.0/24, 10.125.0.0/24, 10.130.0.0/24. There's a Cisco router that passes all outbound traffic to the pfSense box.
      (So, 10.100.0.0 -> 10.201.0.0 -> WAN )

      I quickly discovered that pfSense won't forward traffic from 10.100.0.0 automatically, since its LAN is on 10.200.0.0. So I created a rule that allowed 10.100.0.0 to WAN. Fine, that worked.

      Is this really the best way to do this? Create an outgoing rule for EACH subnet? What if I need to create a rule to deny something from outgoing? Do I need to create one for each subnet?

      hoba

        Create a subnets alias at firewall>aliases like "localsubs". Add all your local subnets there. Then edit the default LAN to any rule at firewall>rules, LAN tab. Change source LAN-subnet to "single host or alias" and "localsubs". Now you have a single rule that will allow all your internal subnets out. If you need to block single IPs or ports or destinations, add a block rule on top of this rule. First match wins. You also can use aliases here for a group of hosts or ports to sum up multiple rules in one rule.

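To make the "first match wins" point concrete, here is an added example (not from the thread or from pfSense itself) that models a "localsubs" alias built from the subnets in the question, an allow rule with that alias as source, and block rules placed above it; the 198.51.100.0/24 destination, the port-25 block and the rule order are hypothetical values chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Alias table. "localsubs" holds the client subnets listed in the question;
# "lan_subnet" is the pfSense LAN from the question (both constructed here).
ALIASES = {
    "localsubs": [
        "10.100.0.0/16", "10.105.0.0/24", "10.110.0.0/24", "10.115.0.0/24",
        "10.120.0.0/24", "10.125.0.0/24", "10.130.0.0/24",
    ],
    "lan_subnet": ["10.200.0.0/16"],
}


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # alias name, CIDR, or "any"
    dst: str                    # alias name, CIDR, or "any"
    dport: Optional[int] = None  # None matches any destination port


def _match(field: str, ip: str) -> bool:
    """True if ip is covered by the alias, CIDR, or 'any' named in field."""
    if field == "any":
        return True
    nets = ALIASES.get(field, [field])  # unknown name: treat as a literal CIDR
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation, top to bottom. Returns (action, index of the
    matching rule). No match means the default deny, reported as ("block", None)."""
    for i, r in enumerate(rules):
        if _match(r.src, src_ip) and _match(r.dst, dst_ip) and r.dport in (None, dport):
            return r.action, i
    return "block", None


# Hypothetical LAN-tab ruleset: block rules on top, the single allow rule below.
RULESET = [
    Rule("block", "localsubs", "198.51.100.0/24"),  # block one destination network
    Rule("block", "localsubs", "any", dport=25),    # block outbound SMTP from all subnets
    Rule("pass", "localsubs", "any"),               # the one "localsubs to any" allow rule
]
```

Reversing RULESET so the pass rule sits first makes both block rules unreachable, which is why the reply says to put them on top.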
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.