Opt1 interface ignoring firewall rules



  • Hi all,

    I'm probably missing something obvious here but I've been messing with this for a day and am stumped.

    I've got pfsense up and running in a vm. I'm trying to set it up as a router between two networks, so I've got my production connection (LAN) and my test lab connection (OPT1). WAN has been left unconfigured.

    It's my understanding that by default all traffic on an interface is blocked? The OPT1 interface is allowing all traffic, it seems. I've tried adding explicit deny-alls, I've tried clearing down the firewall state and more, but no matter what, OPT1 allows all traffic.

    Status -> System Logs -> Firewall shows nothing hitting that OPT1 interface, whereas Diagnostics -> States shows my ping connection quite happily.

    Is the firewall not bound to the OPTx interfaces by default or something?

    Thanks.

    Gary.


  • Netgate Administrator

    Ping traffic from where to where?
    You're right, all traffic entering the OPT interface will be blocked if you haven't added any rules. It does not block traffic leaving the interface.

    Steve



  • @stephenw10:

    Ping traffic from where to where?
    You're right, all traffic entering the OPT interface will be blocked if you haven't added any rules. It does not block traffic leaving the interface.

    Steve

    That's what I thought but if I ping from another machine on the LAN to the OPT1 interface I get a reply.



  • So a bit more digging and I find that the traffic isn't hitting the OPT1 interface but the LAN interface, and is being routed internally in pfSense.

    I removed pfSense and reinstalled, as somewhere along the line I majorly screwed something up, and it's working perfectly now.


  • Netgate Administrator

    @garyw:

    if I ping from another machine on the LAN to the OPT1 interface I get a reply.

    That is the expected behaviour. I assume you mean another machine on the OPT1 subnet but the same would be true for the OPT1 interface itself.

    There is a default firewall rule on LAN that allows all traffic to anywhere. 'anywhere' includes the OPT1 subnet so pings from a LAN client can reach an OPT1 client. The ping response is allowed back because the state has been opened already. If you tried to do the same in reverse, ping a LAN client from the OPT1 subnet, you'll find it is blocked.
    If you don't want that to happen you have to modify the default LAN rules to be more restrictive.

    Steve
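The behaviour Steve describes (rules evaluated only on the interface a packet enters, the default LAN pass-to-any rule, reply traffic allowed by the existing state, and the implicit default deny on an interface with no rules) can be modelled in a few lines. The following is an added example, not pfSense code and not anything posted in this thread; the subnets (LAN 192.168.1.0/24, OPT1 10.0.0.0/24) and the host addresses are constructed for illustration. It also shows the "more restrictive LAN" variant from the last reply, where a block rule placed above the default pass rule stops LAN clients reaching OPT1.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab layout (assumption, not from the thread):
#   LAN  = 192.168.1.0/24 (pfSense address 192.168.1.1)
#   OPT1 = 10.0.0.0/24    (pfSense address 10.0.0.1)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # e.g. "icmp"


@dataclass(frozen=True)
class Rule:
    action: str         # "pass" or "block"
    src: str            # CIDR, or "any"
    dst: str            # CIDR, or "any"


class StatefulFirewall:
    """Toy model of pfSense filtering: a ruleset is evaluated only on the interface
    a packet *enters*, first match wins, no match is the logged default deny, and a
    reply to an already-passed flow is accepted from the state table before any rule."""

    def __init__(self, interfaces):
        # interface name -> subnet attached to it
        self.interfaces = {n: ipaddress.ip_network(c) for n, c in interfaces.items()}
        self.rules = {n: [] for n in interfaces}
        self.states = set()   # (src, dst, proto) of flows a pass rule created
        self.log = []         # (interface, verdict, packet): what the firewall log would show

    def add_rule(self, iface, rule):
        self.rules[iface].append(rule)

    def ingress_interface(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        for name, net in self.interfaces.items():
            if src in net:
                return name
        raise ValueError(f"no interface for source {pkt.src}")

    @staticmethod
    def _matches(cidr, addr):
        return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

    def filter(self, pkt):
        # 1. State table first: the reply to a flow we already passed is allowed,
        #    even though the interface it arrives on has no pass rule of its own.
        if (pkt.dst, pkt.src, pkt.proto) in self.states:
            return "pass:state"
        # 2. Otherwise evaluate only the ingress interface's rules, top to bottom.
        iface = self.ingress_interface(pkt)
        for rule in self.rules[iface]:
            if self._matches(rule.src, pkt.src) and self._matches(rule.dst, pkt.dst):
                if rule.action == "pass":
                    self.states.add((pkt.src, pkt.dst, pkt.proto))
                    return "pass:rule"
                self.log.append((iface, "block:rule", pkt))
                return "block:rule"
        # 3. No match: implicit default deny, logged against the ingress interface.
        self.log.append((iface, "block:default", pkt))
        return "block:default"


def build_lab():
    fw = StatefulFirewall({"LAN": "192.168.1.0/24", "OPT1": "10.0.0.0/24"})
    # The default LAN rule: pass from the LAN net to anywhere. OPT1 has no rules.
    fw.add_rule("LAN", Rule("pass", "192.168.1.0/24", "any"))
    return fw


def run_default_scenario():
    fw = build_lab()
    results = {
        # Gary's test: a LAN client pings the OPT1 interface address...
        "lan_to_opt1_iface": fw.filter(Packet("192.168.1.10", "10.0.0.1", "icmp")),
        # ...and an OPT1 client; the echo reply is admitted by the state, not a rule
        "lan_to_opt1_client": fw.filter(Packet("192.168.1.10", "10.0.0.10", "icmp")),
        "reply_opt1_to_lan": fw.filter(Packet("10.0.0.10", "192.168.1.10", "icmp")),
        # The reverse: an OPT1 client initiating a ping to LAN hits the default deny
        "opt1_to_lan": fw.filter(Packet("10.0.0.20", "192.168.1.10", "icmp")),
    }
    results["logged_on"] = [entry[0] for entry in fw.log]   # only OPT1 logs a block
    return results


def run_restricted_scenario():
    """Steve's suggestion: a block rule above the default LAN pass rule stops LAN
    clients reaching the OPT1 subnet, and the block is logged on LAN, not OPT1."""
    fw = StatefulFirewall({"LAN": "192.168.1.0/24", "OPT1": "10.0.0.0/24"})
    fw.add_rule("LAN", Rule("block", "192.168.1.0/24", "10.0.0.0/24"))
    fw.add_rule("LAN", Rule("pass", "192.168.1.0/24", "any"))
    verdict = fw.filter(Packet("192.168.1.10", "10.0.0.10", "icmp"))
    return verdict, [entry[0] for entry in fw.log]


if __name__ == "__main__":
    for k, v in run_default_scenario().items():
        print(f"{k}: {v}")
    print("restricted LAN:", run_restricted_scenario())
```

The point the model makes explicit is the one Gary eventually found: the ping never has to pass OPT1's (empty) ruleset because it is judged on LAN, where the default rule passes it and opens a state, so the OPT1 firewall log stays empty while the state table shows the flow.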

