LAN-side subnets?

  • I'm putting this here since it's "installation" in the sense that I'm still working on installing it. That and I don't know where else it belongs.

    pfSense's LAN is we'll say. That's an internal subnet for all of our Content Filtration, etc.
    Actual clients reside on,,,,,, There's a Cisco router that passes all outbound traffic to the pfSense box.
    (So, -> -> WAN )

    I quickly discovered that pfSense won't forward traffic from automatically, since IT's LAN is on So I created a rule that allowed to WAN. Fine, that worked.

    Is this really the best way to do this? Create an outgoing rule for EACH subnet? What if I need to create a rule to deny something from outgoing? Do I need to create one for each subnet?

  • Create a subnets alias at firewall>aliases like "localsubs". Add all your local subnets there. Then edit the default LAN to any rule at firewall>rules, LAN tab. Change source LAN-subnet to "single host or alias" and "localsubs". Now you have a single rule that will allow all your internal subnets out. If you need to block single IPs or ports or destinations, add a block rule on top of this rule. First match wins. You also can use aliases here for a group of hosts or ports to sum up multiple rules in one rule.
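    To see why the block rule has to sit above the alias-based allow rule, here is a small first-match rule evaluator added as an example (not code from the poster or from pfSense). The subnets in the "localsubs" alias, the rule list and the blocked port are constructed placeholders, since the thread's real subnets are not shown.

    ```python
    import ipaddress

    # Constructed alias contents; the thread's actual subnets are not shown.
    ALIASES = {
        "localsubs": ["192.168.1.0/24", "192.168.2.0/24", "10.10.0.0/16"],
    }

    def expand(src):
        """Resolve an alias name, a CIDR string or 'any' into a list of networks."""
        if src == "any":
            return [ipaddress.ip_network("0.0.0.0/0")]
        entries = ALIASES.get(src, [src])
        return [ipaddress.ip_network(e, strict=False) for e in entries]

    def matches(rule, src_ip, dst_ip, dst_port):
        """True when the packet's source, destination and port all fit the rule."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        return (any(src in n for n in expand(rule["src"]))
                and any(dst in n for n in expand(rule["dst"]))
                and rule["dport"] in ("any", dst_port))

    def evaluate(rules, src_ip, dst_ip, dst_port):
        """Walk the rule list top to bottom; the first match decides, as on the LAN tab."""
        for rule in rules:
            if matches(rule, src_ip, dst_ip, dst_port):
                return rule["action"]
        return "block"  # nothing matched: implicit default deny

    # Block rule on top, then the single "localsubs to any" allow rule.
    LAN_RULES = [
        {"action": "block", "src": "localsubs", "dst": "any", "dport": 25},
        {"action": "pass", "src": "localsubs", "dst": "any", "dport": "any"},
    ]

    if __name__ == "__main__":
        print(evaluate(LAN_RULES, "192.168.2.50", "198.51.100.7", 443))  # pass
        print(evaluate(LAN_RULES, "192.168.2.50", "198.51.100.7", 25))   # block
        # Swapping the order lets the allow rule match first and the block never fires.
        print(evaluate(list(reversed(LAN_RULES)), "192.168.2.50", "198.51.100.7", 25))  # pass
    ```
    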

