    Firewall destination issues

justin.j
      Hi,

Just finalising the setup of a pfSense box to migrate to it from an existing firewall setup, and I'm having an issue with firewall rules.
I have a few NICs in the box for multiple internal network 'zones' and of course one for the WAN. I want to specify a destination so that, for example, users in the guest zone can access HTTP, HTTPS, DNS, etc. via the WAN interface, but not via the LAN interface. So far the only way I've been able to get it to work is by not specifying a destination.
In the attachment you'll see a basic setup (I will be putting in a lot more rules, but I need to get it working first) of my LAN interface, which, from my understanding of pfSense coming from my existing firewall, should allow ALL traffic from LAN > DMZ, and DNS and HTTP(S) out via the WAN interface for the LAN interface. The problem is that all traffic is being blocked unless I change the destination from "WAN Net" to * (on this subject, what is the difference between XXX net and XXX address?), which I don't want, as my understanding is it would then allow DNS & HTTP(S) to ALL the zones I have set up?

vindenesen
        Hi justin.j,

        Have a look at this thread here: https://forum.pfsense.org/index.php?topic=80027.0
        and see if that answers your questions :)

Regarding "LAN address" vs "LAN Net": the former represents the IP address that pfSense has in that subnet. The latter is the entire subnet (all clients on the subnet of the interface, including pfSense itself). For instance, if the LAN interface has an IP address of 192.168.1.1/24, then 192.168.1.1 is the "LAN address". The "LAN Net" is then 192.168.1.0/24, which covers from 192.168.1.1 to 192.168.1.255.

        Edit: added some more information.

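The address/net distinction above is the whole story behind the original problem: "WAN net" is only the subnet directly attached to the WAN interface (the upstream gateway and pfSense's own WAN address), so a pass rule to "WAN net" never matches a packet bound for an Internet host, while "*" matches every zone. The following is an added example, not pfSense code or anything posted in this thread; it models three candidate LAN rulesets with Python's ipaddress module and evaluates them in first-match order the way pfSense does (rules are "quick", and anything unmatched hits the implicit default deny). The interface addresses, the sample destinations, and the alias name LocalNets are all constructed for the illustration; the "not a local net" ruleset reflects common pfSense practice (a destination alias of the internal subnets with "Invert match" ticked), which is an assumption this thread itself does not spell out.

```python
"""What pfSense's "<IF> address", "<IF> net" and "*" destinations actually
match, and why a pass rule to "WAN net" does not cover Internet traffic.

Added example, not pfSense code.  Interfaces, packets and the alias name
are constructed for illustration.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed interface configuration: one WAN plus three internal zones.
INTERFACES = {
    "WAN": ip_interface("203.0.113.10/29"),
    "LAN": ip_interface("192.168.1.1/24"),
    "DMZ": ip_interface("192.168.2.1/24"),
    "GUEST": ip_interface("192.168.3.1/24"),
}


def if_address(name):
    """'<IF> address': the single IP pfSense holds on that interface (a /32)."""
    iface = INTERFACES[name]
    return ip_network(f"{iface.ip}/{iface.max_prefixlen}")


def if_net(name):
    """'<IF> net': the whole subnet attached to that interface, firewall included."""
    return INTERFACES[name].network


def dest_matches(dest, dst_ip, invert=False):
    """Evaluate one rule's destination field.

    dest is "*" (any) or a list of networks (an alias).  invert mirrors the
    'Invert match' checkbox: the rule matches when dst_ip is NOT in dest.
    """
    dst = ip_address(dst_ip)
    hit = True if dest == "*" else any(dst in net for net in dest)
    return hit != invert


# Assumed alias "LocalNets": every internal subnet, as a practitioner would
# define it under Firewall > Aliases.
LOCAL_NETS = [if_net(n) for n in ("LAN", "DMZ", "GUEST")]

# Each ruleset is an ordered list of (action, destination[, invert]).
RULESETS = {
    # What the original post tried: pass to "WAN net".
    "wan_net": [("pass", [if_net("WAN")])],
    # The fallback that "worked": pass to *, which also reaches DMZ and GUEST.
    "any": [("pass", "*")],
    # Common practice: pass to anything that is NOT one of our local subnets.
    "not_local": [("pass", LOCAL_NETS, True)],
}


def evaluate(ruleset, dst_ip):
    """First matching rule wins (pfSense rules are 'quick').

    A packet that matches no rule is blocked, as by pfSense's default deny.
    """
    for rule in RULESETS[ruleset]:
        action, dest = rule[0], rule[1]
        invert = rule[2] if len(rule) > 2 else False
        if dest_matches(dest, dst_ip, invert):
            return action
    return "block"


if __name__ == "__main__":
    print("LAN address:", if_address("LAN"), " LAN net:", if_net("LAN"))
    for name in RULESETS:
        for dst in ("8.8.8.8", "203.0.113.9", "192.168.2.10"):
            print(f"{name:>9} -> {dst:<14} {evaluate(name, dst)}")
```

Running it shows the three outcomes the thread is circling: "wan_net" passes only the upstream gateway 203.0.113.9 and blocks 8.8.8.8; "any" passes the Internet host but also the DMZ host 192.168.2.10; "not_local" passes the Internet host and blocks the DMZ host. One caveat worth keeping in mind when building the real rules: if clients use pfSense itself as their DNS resolver, that traffic goes to "LAN address" (192.168.1.1 here), which the "not_local" exclusion blocks, so it needs its own pass rule with that destination.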
justin.j
Thanks for the reply. That does answer my question, and thanks for clarifying the difference between the address and net.
It's a shame to have to specify it that way; it does seem to make things a little more complicated than previous firewalls I've used. Nevertheless, pfSense does bring a lot of features that the previous ones haven't, so it's a small price to pay.

It would be nice to have an interface option for the destination, so that you could pick IF:WAN and have the rule match for any network attached to that particular interface.
