LAN rule question: source any vs source LAN_net

  • So, kind of a pfSense 101 question, but with regards to LAN (or a particular VLAN) firewall rules, is there a reason why you would choose source "any" vs. source "[VLAN or LAN] net"?

    Seems like it would be best practice to use source net, unless I'm just not understanding the difference with regards to how pfSense rules work. I've always been of the mindset to configure your firewall rules to be as specific or strict as possible. Like, for rules within a particular VLAN, the source should only be within that VLAN… right?


  • If pfSense LAN is just a single subnet (99% of cases), then packets can only come to the pfSense LAN IP from other IPs in the LAN subnet. Devices in the physical LAN that set their IP outside the LAN subnet simply will not work.
    But to be sure, yes, IMHO it is good to narrow down rules as much as possible - thus put source "LAN net" on LAN interface firewall rules.

    Of course, if you have an internal router on LAN that has other subnets behind it, and static routes to those… then you probably want some more networks in the source - e.g. make an Alias for all the networks hanging behind LAN and use that for the source.
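    The three cases from the reply above, written out as pf.conf rule fragments. This is an added illustration, not from the thread or from pfSense itself; the interface name em1 and the subnets are assumed placeholders, and pfSense generates equivalent rules from the GUI ("LAN net" expands to the interface's configured subnet, an Alias of networks becomes a table).

```pf
# Added example: hand-written pf rules, not generated by pfSense.
# em1 = the LAN interface; subnets are assumed placeholder values.

# Case 1: source "any" on the LAN interface.
# The rule still only matches packets arriving on em1, but the source
# address is not checked, so a packet with a source outside the LAN
# subnet (mis-addressed or spoofed) is accepted by this rule.
pass in quick on em1 inet from any to any keep state

# Case 2: source "LAN net".
# em1:network expands to the subnet configured on em1 (e.g. 192.168.1.0/24),
# so only sources inside that subnet match; anything else falls through
# to the default deny and shows up in the firewall log.
pass in quick on em1 inet from em1:network to any keep state

# Case 3: internal router behind LAN with static routes to its subnets.
# Those sources are not in em1:network, so list them in a table
# (pfSense: a network-type Alias) and allow that set as a source too.
table <lan_behind> { 10.10.20.0/24, 10.10.30.0/24 }
pass in quick on em1 inet from em1:network to any keep state
pass in quick on em1 inet from <lan_behind> to any keep state
```

    On a running pfSense box the generated ruleset can be read in /tmp/rules.debug to compare the "LAN net" expansion against a rule with source "any".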

  • Thanks, just wanted to make sure my understanding of source "any" vs. source "LAN net" on a LAN or VLAN was correct.

    I'd rather have a more restrictive rule and have it break something or not work, forcing me to figure out why.
