Netgate Discussion Forum

    The "NOT" checkbox…

    • jaredadams

      http://i.imgur.com/JagT1X1.png

      Does that check box also apply to the Destination Port Range section right below it?

      I want to use a firewall rule to direct port 80/443 out one wan, and then EVERYTHING else, (using a NOT 80/443 rule) out another WAN.

      Possible? Or is there another way to do this?

      • DerBachmannRocker

        You can take a look "under the hood" to see for yourself what rules are being generated from the GUI data. Go to "Diagnostics" -> "Commandline". Execute the command

        pfctl -sa

        This will dump the rules file to the screen that is internally used by the PF firewall. I ticked the box on a rule, applied the change and dumped it. Here is what I got:

        pass quick on em0 inet proto tcp from 10.222.0.0/16 to ! <hostinfrastructserversold> port 1025:5000 flags S/SA keep state label "USER_RULE: Test Rule"

        According to this page that explains PF firewall syntax, you can put a NOT in front of the destination port. But PFSense does not expose this feature, so you are screwed.
        http://www.openbsd.org/faq/pf/filter.html

        You could do the abomination I put in as an attachment. Or (much better style) use 2 separate rules. Unfortunately I have no experience with PFSense + 2 WANs. Maybe you need to look at Policy Routing instead of firewall rules…

        ![exclue port.png](/public/imported_attachments/1/exclue port.png)

        • Nachtfalke

          The "NOT" does not work for the ports on the GUI.

          But you do not need this. Rules will be affected from TOP to DOWN.
          So your first rule is the rule which allows traffic for port 80 and 443 on WAN1.
          Your second rule allows all traffic with all ports on WAN2. This is working because if traffic comes in with destination port 80/443 it will hit the first rule and use this rule. It will never hit the second rule.

          Hope this will help you.

          • jaredadams

            But wouldn't this rule have to be on the LAN interface and use the gateway option?

            If I put this rule on the WAN interface for outbound traffic, will the WAN rule redirect traffic another way?

            Since the NOT rule doesn't apply to ports, I was thinking of creating aliases for "TRAFFICWAN1" and giving it ports 80 and 443.
            Then make another alias "TRAFFICWAN2" and have aliases for 1:79, 81:442, and 444:65500.

            Then make a rule on the LAN interface that directs each alias out the appropriate WAN.

            Does this sound right?

            • Nachtfalke

              What you say is correct.

              What I meant in my post with WAN1 and WAN2 is the gateway. I didn't explain that correctly.
              The rules - of course - must be on the LAN interface.

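The two approaches in this thread (Nachtfalke's ordered "80/443 first, catch-all second" rules versus jaredadams' port-range aliases) can be compared with a small first-match model of how pfSense evaluates LAN rules. This is an added example, not code from the thread or from pfSense; rule names, gateway names and the alias ranges are taken from the posts above, and the model assumes every rule is a "quick" rule that stops evaluation on the first match.

```python
# Added example (not from the thread or pfSense): a first-match model of
# pfSense LAN rule evaluation, used to compare the two approaches above.
# A rule is (description, set of destination ports or None for "any", gateway).

ALL_PORTS = range(1, 65536)


def expand(ranges):
    """Turn a list of (low, high) inclusive port ranges into a set of ports."""
    ports = set()
    for low, high in ranges:
        ports.update(range(low, high + 1))
    return ports


def route_port(rules, port):
    """Gateway chosen for a destination port, or None for the default deny.

    pfSense rules are 'quick' by default: evaluation stops at the first
    matching rule, so the order of the rules decides the outcome.
    """
    for _name, ports, gateway in rules:
        if ports is None or port in ports:
            return gateway
    return None


def coverage_gaps(rules):
    """Ports that match no rule at all and would fall through to default deny."""
    return [p for p in ALL_PORTS if route_port(rules, p) is None]


# Nachtfalke's approach: the specific rule first, the catch-all second.
ORDERED_RULES = [
    ("web to WAN1", expand([(80, 80), (443, 443)]), "WAN1_GW"),
    ("everything else to WAN2", None, "WAN2_GW"),
]

# jaredadams' alias approach, with the ranges exactly as written in the thread.
# Note the ranges stop at 65500, so ports 65501-65535 match neither alias.
ALIAS_RULES = [
    ("TRAFFICWAN1 to WAN1", expand([(80, 80), (443, 443)]), "WAN1_GW"),
    ("TRAFFICWAN2 to WAN2", expand([(1, 79), (81, 442), (444, 65500)]), "WAN2_GW"),
]

if __name__ == "__main__":
    for port in (80, 443, 22, 8080, 65535):
        print(port, route_port(ORDERED_RULES, port), route_port(ALIAS_RULES, port))
    print("alias gaps:", len(coverage_gaps(ALIAS_RULES)))
```

Swapping the order of ORDERED_RULES sends port 80 out WAN2, which is the ordering point Nachtfalke makes; the alias variant works for the common ports but leaves 65501-65535 unmatched unless the last range is extended to 65535.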
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.