    Opt1 interface ignoring firewall rules

    General pfSense Questions
    garyw:

      Hi all,

      I'm probably missing something obvious here but I've been messing with this for a day and am stumped.

      I've got pfsense up and running in a vm. I'm trying to set it up as a router between two networks, so I've got my production connection (LAN) and my test lab connection (OPT1). WAN has been left unconfigured.

      It's my understanding that by default all traffic on an interface is blocked? The OPT1 interface is allowing all traffic, it seems. I've tried adding explicit deny-alls, I've tried clearing down the firewall state and more, but no matter what, OPT1 allows all traffic.

      Status -> System Logs -> Firewall shows nothing hitting that OPT1 interface, whereas Diagnostics -> States shows my ping connection quite happily.

      Is the firewall not bound to the OPTx interfaces by default or something?

      Thanks.

      Gary.

      stephenw10 (Netgate Administrator):

        Ping traffic from where to where?
        You're right, all traffic entering the OPT interface will be blocked if you haven't added any rules. It does not block traffic leaving the interface.

        Steve

        garyw:

          @stephenw10:

          Ping traffic from where to where?
          You're right, all traffic entering the OPT interface will be blocked if you haven't added any rules. It does not block traffic leaving the interface.

          Steve

          That's what I thought but if I ping from another machine on the LAN to the OPT1 interface I get a reply.

          garyw:

            So a bit more digging and I find that the traffic isn't hitting the OPT1 interface but the LAN interface and being routed internally in pfSense.

            I removed pfsense and reinstalled as somewhere along the line I majorly screwed something up and it's working perfectly now.

            stephenw10 (Netgate Administrator):

              @garyw:

              if I ping from another machine on the LAN to the OPT1 interface I get a reply.

              That is the expected behaviour. I assume you mean another machine on the OPT1 subnet but the same would be true for the OPT1 interface itself.

              There is a default firewall rule on LAN that allows all traffic to anywhere. 'anywhere' includes the OPT1 subnet so pings from a LAN client can reach an OPT1 client. The ping response is allowed back because the state has been opened already. If you tried to do the same in reverse, ping a LAN client from the OPT1 subnet, you'll find it is blocked.
              If you don't want that to happen, you have to modify the default LAN rules to be more restrictive.

              Steve

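As an added illustration of Steve's explanation (example code, not from the thread or from pfSense itself): a small Python model of pfSense's per-interface, first-match, stateful filtering. It shows why a LAN-to-OPT1 ping is judged by the LAN rules and never touches OPT1's (empty) ruleset, why the echo reply passes on state, why the reverse ping is dropped, and what the restricted LAN ruleset changes. The subnets and host addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed subnets, not from the thread
OPT1_NET = ipaddress.ip_network("10.10.0.0/24")
IFACES = {"LAN": LAN_NET, "OPT1": OPT1_NET}

@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

# Default ruleset after install: LAN has an allow-anything rule, OPT1 has none.
DEFAULT_RULES = {"LAN": [Rule("pass", LAN_NET, ANY)], "OPT1": []}
# The fix Steve describes: block LAN -> OPT1 subnet ahead of the catch-all pass rule.
RESTRICTED_RULES = {"LAN": [Rule("block", LAN_NET, OPT1_NET),
                            Rule("pass", LAN_NET, ANY)], "OPT1": []}

def ingress_iface(src):
    """Rules are evaluated on the interface where a packet ENTERS pfSense,
    i.e. the interface whose subnet contains the source address."""
    return next(name for name, net in IFACES.items() if src in net)

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()           # open flows, stored as (src, dst) pairs

    def filter(self, src, dst):
        """Return (verdict, interface whose rules were evaluated or None)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Packets belonging to an existing state bypass the rules entirely.
        if (dst, src) in self.states or (src, dst) in self.states:
            return "pass:state", None
        iface = ingress_iface(src)
        for rule in self.rules[iface]:         # first matching rule wins
            if src in rule.src and dst in rule.dst:
                if rule.action == "pass":
                    self.states.add((src, dst))
                return rule.action, iface
        return "block:default", iface         # no rule matched: implicit deny

def ping(fw, src, dst):
    """Echo request then echo reply; returns the verdict for each."""
    request = fw.filter(src, dst)
    if not request[0].startswith("pass"):
        return request, ("dropped", None)     # no reply is ever generated
    return request, fw.filter(dst, src)
```

Pinging the OPT1 interface address (10.10.0.1 here) from LAN behaves exactly like pinging an OPT1 client, as Steve notes.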