Netgate Discussion Forum

    * vs. subnet as source for pass rules?

    Firewalling
    7 Posts 4 Posters 2.1k Views
    • srynoname

      I have an interface called "myInterface" with 192.168.1.0/24. When defining a pass rule, is there a difference between * and selecting "myInterface subnet" as the source? Does the latter one prevent IP spoofing?

    • gderf

        You haven't provided enough information as to the context of the rule and exactly what you are trying to allow (or prevent) with it.

        Having said that, I would venture to say that many, many reports saying "it doesn't work" in the NAT/Firewall rule area involve a rule that specifies a source address or network instead of "any."

    • srynoname

          OK, a use case:
          Imagine I have a WAN and a LAN interface, so basically a simple pfSense standard setup.
          LAN interface is 192.168.1.0/24, the only rule on the LAN interface is either

          1. source: *, destination: *, port: 80,443
            or
          2. source: lan subnet, destination: *, port: 80,443

          Now a client is plugged into the LAN port. Are there any possible differences between the rules? What if the client e.g. doesn't have an IP in the subnet 192.168.1.0/24? Will his HTTP access be blocked in case of rule 2?

    • gderf

            @srynoname:

            What if the client e.g. doesn't have an IP in the subnet 192.168.1.0/24? Will his HTTP access be blocked in case of rule 2?

            If the client plugged into the LAN port doesn't have an IP address within 192.168.1.0/24, then it will not be able to communicate on that interface at all. It's not a matter of rules.

    • focalguy

              Where I've seen this break is if you have another router on 192.168.1.0/24…. and behind it is say 192.168.2.0/24 and a device on that subnet tries to get out the WAN on your original router it will be blocked by the rule with "lan subnet" applied.

              Basic idea is only allow what's needed. If you need to allow a second subnet through then specifically allow it but don't put any unless you really don't care where the traffic is coming from.

    • cmb

                @focalguy:

                Where I've seen this break is if you have another router on 192.168.1.0/24…. and behind it is say 192.168.2.0/24 and a device on that subnet tries to get out the WAN on your original router it will be blocked by the rule with "lan subnet" applied.

                That's really the only difference. The built-in antispoofing will prevent traffic sourced from an interface where that network doesn't actually reside per the routing table, so if you have a single subnet on LAN and no routes via that interface for instance, using "LAN subnet" or "any" for the source is functionally equivalent.

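The two answers above (focalguy's second-router case and cmb's point about antispoofing following the routing table) can be checked with a small model of the order in which the checks apply. The following is an added example written for this page, not code from pfSense or pf; it approximates the behaviour cmb describes (a source is accepted on an interface only if the routing table reaches that source via the same interface) and then applies a single pass rule with either "any" or "LAN subnet" as the source. The route tables, addresses and interface names are constructed for the illustration.

```python
import ipaddress

# Constructed example topology: LAN is 192.168.1.0/24, default route is via WAN.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

# Routing table as (destination network, interface it is reached through).
BASE_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "lan"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]

# Same table plus a static route for the subnet behind a second LAN-side router
# (focalguy's scenario, with the route that makes it reachable through LAN).
ROUTES_WITH_STATIC = BASE_ROUTES + [
    (ipaddress.ip_network("192.168.2.0/24"), "lan"),
]


def route_interface(src_ip, routes):
    """Longest-prefix match: which interface the routing table uses to reach src_ip."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for net, iface in routes:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def antispoof_ok(src_ip, ingress_iface, routes):
    """Model of the built-in antispoofing described in the thread: a packet is only
    accepted if its source is reachable through the interface it arrived on."""
    return route_interface(src_ip, routes) == ingress_iface


def rule_matches(src_ip, source_spec):
    """source_spec is the string "any" or an ip_network (the "LAN subnet" alias)."""
    if source_spec == "any":
        return True
    return ipaddress.ip_address(src_ip) in source_spec


def evaluate(src_ip, ingress_iface, routes, source_spec):
    """Antispoofing is evaluated before the user's pass rule, so a packet from a
    network that is not routed via the ingress interface never reaches the rule."""
    if not antispoof_ok(src_ip, ingress_iface, routes):
        return "blocked (antispoof)"
    if rule_matches(src_ip, source_spec):
        return "pass"
    return "blocked (no matching rule)"


if __name__ == "__main__":
    cases = [
        ("192.168.1.50", BASE_ROUTES, "host on the LAN subnet"),
        ("192.168.2.50", BASE_ROUTES, "host behind 2nd router, no static route"),
        ("192.168.2.50", ROUTES_WITH_STATIC, "host behind 2nd router, static route via LAN"),
    ]
    for src, routes, label in cases:
        print(f"{label}:")
        print(f"  source any        -> {evaluate(src, 'lan', routes, 'any')}")
        print(f"  source LAN subnet -> {evaluate(src, 'lan', routes, LAN_SUBNET)}")
```

Run as a script it prints one line per rule form for each case. With a single directly connected subnet and no extra routes, "any" and "LAN subnet" give the same result for every source, which is cmb's point; the two forms only diverge once a route for another network points through LAN, which is exactly the second-router case focalguy describes.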
    • srynoname

      I've just seen I forgot to say thanks for your posts, now I understand the (seldom) difference :-)
