Source, dest choices in firewall rules are unclear
  • Sorry for the dumb question, but I'm having trouble understanding these fields. I have much better luck looking at examples, so if someone could present me some I would appreciate it.

    Assume we are talking about the LAN with a net there of 192.168.5.0/24

    What are examples of addresses for:
    any
    Single host or alias
    Network
    PPTP clients
    LAN subnet
    LAN address

    In terms of IPv4, I'm guessing "any" means any address in the range from 0.0.0.0 to 255.255.255.255? "Single" means a particular address in that range? "Network" means any address in the range of 192.168.5.0 through 192.168.5.255?

    "PPTP" I have no idea, "LAN subnet" sounds like the same thing as "Network", and "LAN address" also sounds like the same thing as "Network", or maybe "Single".

    Also, why do choices like "WAN subnet" even appear at all on the LAN list of choices?

    I looked in the pfsense book but no help there, nor was there anything in the little "?" button of the edit rules page. I can't find any place that really spells this jargon out. Perhaps the terms mean very specific things to people who work on networks for a living, but that ain't me.



  • any - 0.0.0.0 to 255.255.255.255, all IPv6 addresses
    Single host or alias - select this and you can type in an actual specific IP address (like 1.2.3.4 or aa:bb:cc:dd::1) or type the name of an Alias (that you already entered in Firewall->Alias)
    Network - select this and you can enter a network and bitmask of your choosing (like 10.99.0.0/16 aa:bb:cc:dd::0/64)

    PPTP clients - pfSense will find and use the addresses of PPTP clients
    LAN subnet - pfSense will use whatever your LAN subnet is from time-to-time
    LAN address - pfSense will use whatever your LAN address is from time-to-time
    This group is handy because you can make generic rules that refer to your LAN… then if you change your LAN IP or LAN subnet in future, the rules get rebuilt correctly; you don't have to come back to the rules and change anything.

    Yes, when editing a rule on LAN, having "WAN subnet" and "WAN address" in the dropdown list for the source IP is not really necessary - there should not be any traffic arriving on LAN interface with source IP in the WAN subnet! But who knows what unusual use cases there might be (might want to block WAN subnet in case someone is spoofing WAN addresses from LAN?), and it would be quite complex to work out exactly what things to exclude from the dropdown list depending on the rule interface, whether it is source IP or destination IP field or...
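An added example, not from this thread or from pfSense itself, that models how these dropdown choices resolve: "any", a typed-in host/network and an alias are constants, while "LAN subnet" and "LAN address" are re-read from the interface configuration, so a rule built on them follows a LAN renumbering. The interface addresses, the alias and the function names are constructed for illustration.

```python
import ipaddress

# Constructed example configuration (not from the thread): the LAN from the
# question, 192.168.5.0/24, with the firewall itself at .1, plus a WAN address
# taken from the RFC 5737 documentation range.
INTERFACES = {
    "LAN": ipaddress.ip_interface("192.168.5.1/24"),
    "WAN": ipaddress.ip_interface("203.0.113.10/24"),
}
# A constructed alias, as one would create under Firewall -> Aliases.
ALIASES = {"webservers": ["192.168.5.10", "192.168.5.11"]}


def resolve(selector, interfaces=INTERFACES, aliases=ALIASES):
    """Expand one source/destination choice into a list of ip_network objects.

    'any', a typed-in host/network and an alias are constants.  '<IF> subnet'
    and '<IF> address' are looked up in the interface table on every call,
    which is why rules built from them survive renumbering the LAN."""
    if selector == "any":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if selector in aliases:
        return [ipaddress.ip_network(h) for h in aliases[selector]]
    if selector.endswith(" subnet"):
        return [interfaces[selector[:-len(" subnet")]].network]
    if selector.endswith(" address"):
        return [ipaddress.ip_network(str(interfaces[selector[:-len(" address")]].ip))]
    # Anything else is a literal "Single host" or "Network" entry.
    return [ipaddress.ip_network(selector, strict=False)]


def matches(selector, addr, interfaces=INTERFACES, aliases=ALIASES):
    """True if addr falls inside what the selector currently resolves to.
    An IPv4 address tested against an IPv6 network is simply not a match."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in resolve(selector, interfaces, aliases))


def with_lan(cidr, interfaces=INTERFACES):
    """Return a copy of the interface table with the LAN renumbered to cidr."""
    return dict(interfaces, LAN=ipaddress.ip_interface(cidr))


if __name__ == "__main__":
    # Renumber the LAN and show which selectors follow it and which do not.
    renumbered = with_lan("10.20.0.1/24")
    for sel in ("LAN subnet", "LAN address", "192.168.5.0/24"):
        print(f"{sel:16} before: {resolve(sel)}  after: {resolve(sel, renumbered)}")
```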



  • So, you are saying "Network" and "LAN subnet" are identical, but the former is a constant, while the latter is a variable dependent on the address assigned to the LAN interface? That's useful…

    And "LAN address" is likewise a variable, equivalent to the address assigned to the LAN interface? That is, just a single address?

    I guess I don't need to know about PPTP. Ignorance is bliss!

    I wish your explanation was provided by the help button on that page.

    Thanks for responding!


  • LAYER 8 Global Moderator

    @Paul47:

    I wish your explanation was provided by the help button on that page.

    Ask and you shall receive https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    That is the page linked to. Since Phil was kind enough to write it up, I figured I could take a couple of minutes and add them to the wiki.  Thanks Phil!  Your other great post about multiwan and rules needs to be added too; I'm off next week and it's on my todo list ;)

