Allow All Rule Not Completely Working



  • Hello and thank you for your time.  Here is my issue.

    Interfaces=  WAN, LAN, OPT1

    LAN=192.168.2.0/24
    OPT1=192.168.3.0/24

    Firewall > Rules > LAN tab.  This is set up by default with a Default LAN to any rule.  It allows all traffic on the LAN interface.

    Firewall > Rules > WAN tab.  I want to allow all traffic on this interface to flow the same way it does on the LAN interface.  This includes access to the internet, and other machines on the 192.168.2.0 subnet.  I created an identical rule, just like the one I have on the LAN interface by default.

    I still find that I cannot access the internet or resolve to the DNS server located on 192.168.2.3.

    As a workaround I watch the firewall logs and click the symbol to create an easy rule.  Once I do this for each entry, I'm able to access the internet, DNS servers, and clients from the 192.168.3.0/24 subnet.

    My assumption was that the allow all rule would take care of this for me, just like it does on the LAN interface.  Obviously I'm missing something?

    The WAN rule does have the green pass symbol next to it.  I'm currently using version 2.1.5.



  • I figured this out and thought I would share the resolution here.  For the protocol option, I had selected TCP, which is how LAN is set up.  For some reason, on OPT1, I had to choose TCP/UDP.  That is all I had to change to get it working.


  • LAYER 8 Netgate

    It should probably be "any" on LAN and OPT1.  With TCP-only, DNS probably won't work if your LAN clients need to talk to, say, Google's DNS.  With TCP/UDP, LAN clients won't be able to ping out to the internet, since that's ICMP.

    Note that rules have effect when connections are made into an interface.  If you pass traffic destined for the internet in LAN/OPT1, you don't need any rules on WAN to allow the traffic to egress.  Return traffic from the internet is passed by the already-established firewall states.
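
The two points in the reply above (a rule only matches the protocols it names, and a rule is evaluated on the interface a packet enters, with replies passed by the state it created) are easy to see in a small model of pf-style stateful filtering. The following is an added example, not pfSense code or anything from this thread; the interface names, the sample packets and the "first match wins" evaluation are assumptions for illustration, and outbound NAT is deliberately left out.

```python
"""Toy model of pf-style stateful rule evaluation (added example; not
pfSense code).  Rules are consulted only for packets entering the
interface they are bound to.  A match creates a state, and reply packets
are matched against the state table before any rule is consulted, which
is why no WAN rule is needed for return traffic from the internet.
Interface names, rule order and packets below are assumptions."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # 0 for ICMP (no ports)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    iface: str          # ingress interface the rule is bound to
    protos: frozenset   # protocols matched; frozenset({"any"}) matches all
    src_net: str        # CIDR the source must fall in, or "any"


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()   # (proto, src, sport, dst, dport) of passed flows

    @staticmethod
    def _state_key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p):
        # A reply swaps source and destination of the original packet.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    @staticmethod
    def _matches(r, p):
        if r.iface != p.iface:
            return False
        if "any" not in r.protos and p.proto not in r.protos:
            return False
        if r.src_net != "any" and ip_address(p.src) not in ip_network(r.src_net):
            return False
        return True

    def handle(self, p):
        # 1. Existing state wins, on any interface, without consulting rules.
        if self._state_key(p) in self.states or self._reply_key(p) in self.states:
            return "pass (state)"
        # 2. First matching rule on the ingress interface creates a state.
        for r in self.rules:
            if self._matches(r, p):
                self.states.add(self._state_key(p))
                return "pass (rule)"
        # 3. Nothing matched: default deny.
        return "block"


def run_scenario(opt1_protos):
    """Evaluate constructed OPT1/WAN packets against a LAN 'any' rule and an
    OPT1 rule limited to opt1_protos.  There is no WAN rule at all."""
    fw = Firewall([
        Rule("lan", frozenset({"any"}), "192.168.2.0/24"),
        Rule("opt1", frozenset(opt1_protos), "192.168.3.0/24"),
    ])
    # Constructed sample traffic; 203.0.113.0/24 is documentation space.
    dns = Packet("opt1", "udp", "192.168.3.10", "192.168.2.3", 40000, 53)
    https = Packet("opt1", "tcp", "192.168.3.10", "203.0.113.10", 50000, 443)
    ping = Packet("opt1", "icmp", "192.168.3.10", "203.0.113.10")
    https_reply = Packet("wan", "tcp", "203.0.113.10", "192.168.3.10", 443, 50000)
    unsolicited = Packet("wan", "tcp", "203.0.113.99", "192.168.3.10", 12345, 22)
    results = {}
    results["dns"] = fw.handle(dns)
    results["https"] = fw.handle(https)
    results["ping"] = fw.handle(ping)
    results["https_reply"] = fw.handle(https_reply)   # passed by state, no WAN rule
    results["unsolicited"] = fw.handle(unsolicited)   # no state, no WAN rule: blocked
    return results


if __name__ == "__main__":
    for protos in ({"tcp"}, {"tcp", "udp"}, {"any"}):
        print(sorted(protos), run_scenario(protos))
```

With the OPT1 rule set to TCP only, the UDP DNS query to 192.168.2.3 and the ICMP echo are blocked while the HTTPS connection passes; TCP/UDP lets DNS through but still drops ping; "any" passes all three. In every case the HTTPS reply arriving on WAN is passed by state and the unsolicited inbound SSH attempt is blocked, without any WAN rule.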


  • LAYER 8 Global Moderator

    LAN is not set up with TCP out of the box; LAN is set up with ANY.  If your LAN was set to TCP only, you edited it.

