Netgate Discussion Forum
    LAN rule question: source any vs source LAN_net

Category: Firewalling
    3 Posts 2 Posters 1.1k Views
bradyrtech:

So, kind of a pfSense 101 question, but with regard to LAN (or a particular VLAN) firewall rules, is there a reason why you would choose source any vs. source [VLAN or LAN] net?

It seems like it would be best practice to use source net, unless I'm just not understanding the difference with regard to how pfSense rules work. I've always been of the mindset to configure your firewall rules to be as specific or strict as possible. Like rules within a particular VLAN: the source should only be within that VLAN… right?

Thanks!

phil.davis:

        If pfSense LAN is just a single subnet (99% of cases) then packets can only come to pfSense LAN IP from other IPs in the LAN subnet. Devices in the physical LAN that set their IP out of the LAN subnet simply will not work.
        But to be sure, yes IMHO it is good to narrow down rules as much as possible - thus put source LANnet on LAN interface firewall rules.

        Of course if you have an internal router on LAN that has other subnets behind it, and static routes to that… then you probably want some more networks in the source - e.g. make an Alias for all the networks hanging behind LAN and use that for source.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

bradyrtech:
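An added example, not from the thread and not pfSense code, that models the source-match decision phil.davis describes: a LAN-interface pass rule with source "any", one with source "LAN net", and one with an alias covering the LAN subnet plus the subnets behind an internal router. The LAN subnet (192.168.1.0/24), the routed subnets (10.10.0.0/24, 10.10.1.0/24) and the packets are constructed for the illustration. The only real difference shows up for packets whose source lies outside the LAN subnet (traffic forwarded by a downstream router, or a host with a mis-set or spoofed address): "any" passes them, "LAN net" falls through to the default deny, and the alias passes only the routed subnets you listed.

```python
# Added example (not from the thread, not pfSense code): model how the source
# field of a LAN-interface pass rule decides which inbound packets match.
# pfSense compiles its rules to pf; this only reproduces the source-match step
# and treats "no rule matched" as the default deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")  # assumed LAN subnet
ROUTED_BEHIND_LAN = (                   # assumed subnets behind an internal router on LAN
    ip_network("10.10.0.0/24"),
    ip_network("10.10.1.0/24"),
)


@dataclass(frozen=True)
class Rule:
    """A pass rule on the LAN interface; an empty sources tuple means 'any'."""
    name: str
    sources: tuple

    def matches_source(self, src: str) -> bool:
        if not self.sources:            # source any: every packet matches
            return True
        addr = ip_address(src)
        return any(addr in net for net in self.sources)


SOURCE_ANY = Rule("pass LAN from any", ())
SOURCE_LAN_NET = Rule("pass LAN from LAN net", (LAN_NET,))
SOURCE_LAN_ALIAS = Rule("pass LAN from LAN_and_routed", (LAN_NET, *ROUTED_BEHIND_LAN))

# Constructed packets as they would arrive inbound on the LAN interface.
PACKETS = {
    "lan host": "192.168.1.50",
    "host behind internal router": "10.10.1.7",
    "misconfigured or spoofed source": "172.16.0.9",
}


def evaluate(rule: Rule) -> dict:
    """Return {packet label: True if the rule passes it, False if it falls to default deny}."""
    return {label: rule.matches_source(src) for label, src in PACKETS.items()}


def compare() -> dict:
    """Evaluate every constructed packet against each of the three rule variants."""
    return {r.name: evaluate(r) for r in (SOURCE_ANY, SOURCE_LAN_NET, SOURCE_LAN_ALIAS)}


if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for label, passed in results.items():
            print(f"  {label:32s} {'pass' if passed else 'no match (default deny)'}")
```

To check what a real rule compiled to, run `pfctl -sr` from the pfSense shell: user rules carry a `USER_RULE:` label, and the `from` field shows either `any`, the interface subnet, or an alias table.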

Thanks, just wanted to make sure my understanding of source any vs. source LAN net on a LAN or VLAN was correct.

I'd rather have a more restrictive rule and have it break something or not work, forcing me to figure out why.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.