    Source, dest choices in firewall rules are unclear

    4 Posts 3 Posters 1.4k Views
Paul47:

      Sorry for the dumb question, but I'm having trouble understanding these fields. I have much better luck looking at examples, so if someone could present me some I would appreciate it.

      Assume we are talking about the LAN with a net there of 192.168.5.0/24

      What are examples of addresses for:
      any
      Single host or alias
      Network
      PPTP clients
      LAN subnet
      LAN address

In terms of IPv4, I'm guessing "any" means any address in the range from 0.0.0.0 to 255.255.255.255? "Single" means a particular address in that range? "Network" means any address in the range of 192.168.5.0 through 192.168.5.255?

      "PPTP" I have no idea, "LAN subnet" sounds like the same thing as "Network", and "LAN address" also sounds like the same thing as "Network", or maybe "Single".

      Also, why do choices like "WAN subnet" even appear at all on the LAN list of choices?

      I looked in the pfsense book but no help there, nor was there anything in the little "?" button of the edit rules page. I can't find any place that really spells this jargon out. Perhaps the terms mean very specific things to people who work on networks for a living, but that ain't me.

phil.davis:

        any - 0.0.0.0 to 255.255.255.255, all IPv6 addresses
        Single host or alias - select this and you can type in an actual specific IP address (like 1.2.3.4 or aa:bb:cc:dd::1) or type the name of an Alias (that you already entered in Firewall->Alias)
        Network - select this and you can enter a network and bitmask of your choosing (like 10.99.0.0/16 aa:bb:cc:dd::0/64)

        PPTP clients - pfSense will find and use the addresses of PPTP clients
        LAN subnet - pfSense will use whatever your LAN subnet is from time-to-time
        LAN address - pfSense will use whatever your LAN address is from time-to-time
This group is handy because you can make generic rules that refer to your LAN… then if you change your LAN IP or LAN subnet in future, the rules get rebuilt correctly; you don't have to come back to the rules and change anything.

        Yes, when editing a rule on LAN, having "WAN subnet" and "WAN address" in the dropdown list for the source IP is not really necessary - there should not be any traffic arriving on LAN interface with source IP in the WAN subnet! But who knows what unusual use cases there might be (might want to block WAN subnet in case someone is spoofing WAN addresses from LAN?), and it would be quite complex to work out exactly what things to exclude from the dropdown list depending on the rule interface, whether it is source IP or destination IP field or...

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

Paul47:

          So, you are saying "Network" and "LAN subnet" are identical, but the former is a constant, while the latter is a variable dependent on the address assigned to the LAN interface? That's useful…

          And "LAN address" is likewise a variable, equivalent to the address assigned to the LAN interface? That is, just a single address?

          I guess I don't need to know about PPTP. Ignorance is bliss!

          I wish your explanation was provided by the help button on that page.

          Thanks for responding!

johnpoz (LAYER 8 Global Moderator):
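Phil's list above, together with Paul47's reading of it ("Network" is a constant fixed when the rule is written, while "LAN subnet" and "LAN address" are variables re-derived from the interface configuration), can be illustrated with a small resolver. This is an added example written for this thread, not pfSense's own code or rule format; the Interface class, the selector names used as strings, the Admins alias and every address in it are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    """One pfSense-style interface as set under Interfaces -> <name>.
    Address values used below are constructed for this example."""
    name: str
    cidr: str  # interface IP with prefix length, e.g. "192.168.5.1/24"

    @property
    def address(self):
        # "LAN address": the single IP assigned to the interface itself
        return ipaddress.ip_interface(self.cidr).ip

    @property
    def subnet(self):
        # "LAN subnet": the whole network the interface sits on
        return ipaddress.ip_interface(self.cidr).network


# "any": every IPv4 address and every IPv6 address
ANY = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def resolve(kind, value, interfaces, aliases):
    """Expand one Source/Destination selector into the networks it covers,
    given the *current* interface table and alias table (hypothetical
    representation). Interface-derived selectors are re-evaluated on every
    call, which is why rules written with them survive a renumbering."""
    if kind == "any":
        return list(ANY)
    if kind == "single host or alias":
        if value in aliases:  # alias name -> its member hosts/networks
            return [ipaddress.ip_network(v, strict=False) for v in aliases[value]]
        return [ipaddress.ip_network(value)]  # bare host becomes /32 or /128
    if kind == "network":
        # Literal network typed into the rule: fixed at rule-edit time
        return [ipaddress.ip_network(value, strict=False)]
    if kind.endswith(" subnet"):
        return [interfaces[kind[: -len(" subnet")]].subnet]
    if kind.endswith(" address"):
        return [ipaddress.ip_network(interfaces[kind[: -len(" address")]].address)]
    raise ValueError(f"unknown selector {kind!r}")


def matches(ip, networks):
    """True if the packet address falls inside any resolved network."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


def demo():
    """Walk the thread's scenario: a 192.168.5.0/24 LAN, then a renumbering."""
    aliases = {"Admins": ["192.168.5.10", "192.168.5.11"]}  # constructed alias
    before = {"LAN": Interface("LAN", "192.168.5.1/24"),
              "WAN": Interface("WAN", "203.0.113.2/29")}
    after = dict(before, LAN=Interface("LAN", "10.0.7.1/24"))  # LAN renumbered
    client = "192.168.5.77"
    return {
        "any/v4": matches(client, resolve("any", None, before, aliases)),
        "any/v6": matches("2001:db8::1", resolve("any", None, before, aliases)),
        "single": matches(client, resolve("single host or alias", client, before, aliases)),
        "alias": matches("192.168.5.10", resolve("single host or alias", "Admins", before, aliases)),
        "lan_subnet": matches(client, resolve("LAN subnet", None, before, aliases)),
        "lan_address": matches(client, resolve("LAN address", None, before, aliases)),
        "lan_address_gw": matches("192.168.5.1", resolve("LAN address", None, before, aliases)),
        # After renumbering: the macro follows the interface, the literal network does not
        "lan_subnet_after": matches("10.0.7.20", resolve("LAN subnet", None, after, aliases)),
        "network_after": matches("10.0.7.20", resolve("network", "192.168.5.0/24", after, aliases)),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:18} {'match' if hit else 'no match'}")
```

The last two entries of demo() are the point of the thread: after the LAN moves to 10.0.7.0/24, a rule built on "LAN subnet" still covers the new hosts, while a rule that typed 192.168.5.0/24 as a literal "Network" silently stops matching until someone edits it.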

            @Paul47:

            I wish your explanation was provided by the help button on that page.

            Ask and you shall receive https://doc.pfsense.org/index.php/Firewall_Rule_Basics

That is the page linked to. Since phil was kind enough to write it up, I figured I could take a couple of minutes and add them to the wiki. Thanks Phil! Your other great post about multiwan and rules needs to be added too; I'm off next week and it's on my todo list ;)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.