Understanding the Source "LAN net"
-
Consider this firewall rule on the LAN interface:
Allow
Source: Any
Destination: Any
I am wondering if there is any difference between that and this rule on the same LAN interface:
Allow
Source: LAN net
Destination: Any
This question may lead to the answer:
If pfSense's LAN net is 192.168.1.0/24 but that subnet also connects to 192.168.2.0/24 through a different router, would hosts on the 192.168.2.0 subnet be allowed to send traffic out through pfSense when the Source is "LAN net" or would they be blocked since those hosts are not originating on the LAN net (though they are hitting the pfSense LAN interface)?
-
My understanding is that Any is literally any valid address, and LAN net means the specific LAN subnet only. In your case, LAN net would be 192.168.1.0/24.
-
Just to add on to this you could imagine if someone hooked up a router (Not NAT) to your LAN and then tried to pass traffic from their LAN to your LAN. Making the source address LAN subnet would block traffic from the second router. This is obviously easily defeated with NAT.
-
"would hosts on the 192.168.2.0 subnet be allowed to send traffic out through pfSense when the Source is "LAN net""
No - is 192.168.2.0/24 your lan net?? ;)
The any rule allows any source IP, like your downstream 192.168.2.0/24 network, to use the lan segment – but keep in mind you're going to have to route that traffic, and you will need to edit the outbound nat rules to allow that to happen.
Are you sure the lan defaults to ANY as source? I'm pretty sure it defaults to lan net as the default rule on the lan, the protocols are ANY, but the source I am like 99% sure is lan net. Since you would have to make adjustments to nat outbound and add a route in pfsense for any to be a viable working solution. You NEVER set gateways on the LAN interfaces in pfsense.
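The difference discussed in this thread, worked through as an added example (not code from the original thread or from pfSense itself): a small first-match rule evaluator where "LAN net" resolves to the LAN interface's subnet and "any" matches every address, run against a LAN host and a host on the downstream 192.168.2.0/24 network. The subnet, the sample addresses and the simplified matching model are assumptions made for the illustration.

```python
import ipaddress

# Assumption: the LAN interface is configured as 192.168.1.0/24, so the
# "LAN net" alias resolves to exactly that subnet (as in the question).
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")


def resolve_source(spec):
    """Turn a rule's Source field into a network ('any' -> 0.0.0.0/0)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec == "LAN net":
        return LAN_SUBNET
    return ipaddress.ip_network(spec)


def evaluate(rules, src_ip):
    """Return the action of the first matching rule.

    Simplified model: rules are (action, source) pairs checked in order;
    with no match the packet is blocked (pfSense's implicit default deny).
    """
    addr = ipaddress.ip_address(src_ip)
    for action, source in rules:
        if addr in resolve_source(source):
            return action
    return "block"


# Rule set A: the default-style LAN rule, Source "LAN net".
LAN_NET_RULES = [("pass", "LAN net")]
# Rule set B: the permissive variant, Source "any".
ANY_RULES = [("pass", "any")]

# Constructed sample sources: a host directly on the LAN, and a host on the
# downstream 192.168.2.0/24 network arriving via a second (non-NAT) router.
SAMPLES = ["192.168.1.50", "192.168.2.10"]


def compare():
    """Map each sample source to (result under LAN net rule, result under any rule)."""
    return {ip: (evaluate(LAN_NET_RULES, ip), evaluate(ANY_RULES, ip))
            for ip in SAMPLES}


if __name__ == "__main__":
    # Passing the rule is only the first step for 192.168.2.0/24: as the
    # answers note, a route back and outbound NAT are still needed.
    for ip, (lan_net, any_src) in compare().items():
        print(f"{ip}: LAN net -> {lan_net}, any -> {any_src}")
```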
-
Excellent answers. Thank you everyone for your help!
Are you sure the lan defaults to ANY as source? Im pretty sure it defaults to lan net as the default rule on the lan,
I thought it defaults to Any source but since you say you're 99% sure, I'd bet you're right. I'll edit my first post.
-
I don't think it is ever wrong to filter an interface such that only traffic that should be coming in is let in, nor is it ever wrong to filter an interface such that only traffic that should be allowed to leave is allowed to leave. If more ISPs did the latter, DDoS would be a LOT harder.