Apply "anti-lockout rule" (and automatic outbound NAT) to a given interface?


  • Hello,

    I have looked at this thread: https://forum.pfsense.org/index.php?topic=41609.0.  I was unable to add a reply to it.

    Looking at the picture in reply #9, under the welcome banner the list of ports shows the interface according to the gui, then in parens the interface known by pfsense internally(?).  I see this on my system, and appear to have the same problem as Romainp: the port that pfsense considers to be the "lan" is different than what appears in the gui.

    I include four pictures.

    photo 1 is my interface/assign ports: With this, you can see that I have labeled my bridge as my "LAN".

photo 2 is my firewall rules for the "access" port.  On this page, you can see that the anti-lockout rule is still applied to the "access" port.
    photo 3 is my firewall rules for the "lan" port.  Here you can see how the "lan" port does not have the anti-lockout rule applied to it.

photo 4 is of my console, and the port assignments there: if you look carefully, the port that pfsense is still applying the anti-lockout rule to is still known by pfsense internally as the "lan" port, even though its GUI label is "access".

    I have rebooted several times, even turned off and back on the anti-lockout rule.

    Is there a way to force this to work?

    Thanks!

    –jason


  • Rebel Alliance Developer Netgate

    The anti-lockout rule is only for safety in case you lock yourself out with a basic configuration.

    It will only ever attach to the interface known internally as "LAN" regardless of what you have actually set for an interface description.

    You can disable the anti-lockout rule and make your own GUI access rule on whichever internal interface(s) you need to reach the GUI.

    Automatic outbound NAT is more dynamic – it works based on defined interface gateways.

    If an interface has a gateway defined (static IP + gateway selected on Interfaces > [xxx] page, or DHCP/PPPoE/etc) then it is considered a "WAN". If an interface has no gateway defined (static IP, no gateway selected on Interface config) then it's considered an internal interface. Automatic outbound NAT covers all outbound traffic from LANs out WANs.

    If you need to accommodate some other scenario (e.g. internal interface of pfSense set for DHCP) then you must use manual outbound NAT and set it up yourself.

    The automatic defaults work for most situations but they can't cover every possible combination of settings.
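    As an added illustration of the two behaviours described in the reply above (this is a constructed model, not pfSense's own code): the anti-lockout rule follows the internal interface name, and automatic outbound NAT sorts interfaces into WAN or internal purely by whether they carry a gateway. The interface names, descriptions and addresses below are made up to mirror the thread.

```python
# Constructed model of two pfSense behaviours (not pfSense's code):
#  1. the anti-lockout rule binds to the interface whose *internal* name is
#     "lan", whatever description the GUI shows for it;
#  2. automatic outbound NAT treats any interface that has a gateway as a WAN
#     and everything else as internal, and NATs internal -> WAN only.

ANTI_LOCKOUT_IFACE = "lan"  # internal name, never the GUI description

def is_wan(cfg):
    """An interface counts as a WAN when it has a gateway: DHCP/PPPoE-type
    configs always get one; a static interface only if a gateway was selected."""
    if cfg["ipaddr"] in ("dhcp", "pppoe", "pptp", "l2tp"):
        return True
    return bool(cfg.get("gateway"))

def anti_lockout_target(interfaces, enabled=True):
    """Return (internal name, GUI description) of the interface the anti-lockout
    rule lands on, or None if the rule is disabled or no internal 'lan' exists."""
    if not enabled or ANTI_LOCKOUT_IFACE not in interfaces:
        return None
    return (ANTI_LOCKOUT_IFACE, interfaces[ANTI_LOCKOUT_IFACE]["descr"])

def automatic_outbound_nat(interfaces):
    """List the (source interface, WAN interface) pairs automatic outbound NAT
    covers. An internal network set for DHCP is misclassified as a WAN and so
    never appears as a source: that is the case needing manual outbound NAT."""
    wans = [n for n, c in interfaces.items() if is_wan(c)]
    internal = [n for n, c in interfaces.items() if not is_wan(c)]
    return [(src, wan) for src in internal for wan in wans]

# Constructed sample mirroring the thread: the interface internally named "lan"
# carries the GUI description "access", while the bridge (opt1) is labelled "LAN".
SAMPLE = {
    "wan":  {"descr": "WAN",    "ipaddr": "dhcp",         "gateway": None},
    "lan":  {"descr": "access", "ipaddr": "192.0.2.1",    "gateway": None},
    "opt1": {"descr": "LAN",    "ipaddr": "198.51.100.1", "gateway": None},
    "opt2": {"descr": "guest",  "ipaddr": "dhcp",         "gateway": None},  # internal, but DHCP
}

if __name__ == "__main__":
    print("anti-lockout applies to:", anti_lockout_target(SAMPLE))
    for src, wan in automatic_outbound_nat(SAMPLE):
        print(f"auto NAT: {src} ({SAMPLE[src]['descr']}) -> {wan}")
```

    Running it shows the rule landing on "lan"/"access" rather than the bridge labelled "LAN", and "opt2" missing from every NAT source pair because its DHCP lease gives it a gateway.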


  • Hello Jim,

    Thank you for that explanation: it helps!  It's always interesting to see how things work under the hood.  Out of curiosity, I have pulled down the git repository, but I admit I'm a bit overwhelmed as to where to begin.

    –jason