-SOLVED- Help understanding where to create rules with three networks attached
  • SOLVED
    Of course, after I write a small dissertation, I find my answer in the docs (finally). Here is what I found on the Firewall Rule Troubleshooting page:
    Interface Selection
    Be sure that the rules are on the proper interface. Imagine sitting inside of the pfSense box. Sure, it's a little crowded in there, but this can help. Imagine packets flying in from the different networks that the pfSense box ties together. The rules will be placed on the interface they entered from. If a packet is going from the LAN to the pfSense box, then out to the Internet, the rules still enter on the LAN. If a packet is coming from the Internet to the pfSense box, the rule goes on the WAN interface.

    I've been trying to look at the forum and at documentation, but I'm not clear on how the environment I'm building "needs" rules applied.
    Here is my setup:

    WAN is default route, goes to the Internet.
    LAN connects to RFC1918 IP space, and there are routes for RFC 1918 space pointed to an internal gateway.
    OPT1 is a range of public IPs, all of which will be NATed through a gateway connected to the network.

    I already have LAN and WAN rules communicating as I want, and NAT working just fine for the IPs on the LAN. Adding the public IPs on the OPT1 interface has given me a bit of a quandary - if I want a /24 that is on the Internet to have direct access to an IP on OPT1 (not the pfsense IP, mind), where do I write the rule? Do I write a rule under WAN? Or on the OPT1 group of rules?

    Also, since the IPs on the OPT1 are publicly routable, I DON'T want them hidden behind NAT, whereas I do want traffic sourced from the LAN interface (say, web traffic) to hide-NAT behind the WAN IP address when accessing IPs on the Internet. I am not certain if I require the LAN and OPT1 networks to communicate directly or not; I may want the traffic sourced from the LAN and destined to OPT1 to hide behind the external IP of the firewall, but that is very much going to depend on factors currently outside my control.

    I am avoiding "Floating" rules because they don't insert in the individual interface rules predictably, in my experience. I'm totally down with writing two rules on separate interfaces, instead of one floating rule, when the two rules provide the same result every time. In my experience, changes made to individual rules can affect whether a floating rule continues to process as expected, which simply leads to mistakes and outages. If there are some hard and fast rules that I can learn and teach to others quickly about floating rules, I'd consider them again, after testing of course :)

    Please forgive me if this seems obvious to this group, but I come from an environment (Check Point) where firewall rules aren't applied to a particular interface - you just write one security ruleset that describes the traffic you want to allow to and from where, what to drop/reject, and you are on your way. I'm not clear on what source/destination combinations require rules on which interface when there are three or more interfaces in pfSense. Thanks!
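Added example, not part of the original post or of pfSense itself: a small Python model of the "rules go on the interface the packet enters" principle quoted from the docs, applied to the three-network layout described above (remote /24 reaching an OPT1 host, LAN hide-NATed behind WAN, OPT1 left untranslated). All addresses are constructed documentation/RFC1918 ranges and the rule tables are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed topology mirroring the post: WAN is the default route, LAN holds
# RFC1918 space, OPT1 carries a publicly routable block that must not be NATed.
INTERFACES = {
    "LAN": ip_network("10.0.0.0/8"),        # RFC1918, routed via internal gateway
    "OPT1": ip_network("198.51.100.0/24"),  # public addresses (assumed range)
}
WAN_IP = ip_address("192.0.2.1")            # assumed firewall WAN address


def interface_for(addr):
    """Interface whose network contains addr; anything else is reached via WAN."""
    addr = ip_address(addr)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return "WAN"


# Per-interface rule lists, evaluated on the INGRESS interface in order:
# first match wins, and pfSense's implicit default is deny.
# Each rule: (source network, destination network, action)
RULES = {
    # The remote /24 on the Internet enters on WAN, so its rule lives on WAN,
    # even though the destination is an OPT1 host rather than the firewall.
    "WAN": [("203.0.113.0/24", "198.51.100.10/32", "pass")],
    "LAN": [("10.0.0.0/8", "0.0.0.0/0", "pass")],
    "OPT1": [("198.51.100.0/24", "0.0.0.0/0", "pass")],
}


def evaluate(src, dst):
    """Return (ingress interface, verdict) for a packet from src to dst."""
    iface = interface_for(src)
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in RULES.get(iface, []):
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return iface, action
    return iface, "block"


def outbound_source(src, dst):
    """Source address after outbound NAT: only LAN traffic leaving via WAN is
    hidden behind WAN_IP; OPT1 keeps its public address, LAN->OPT1 is untouched."""
    if interface_for(src) == "LAN" and interface_for(dst) == "WAN":
        return str(WAN_IP)
    return src
```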