I think my whole concept of rules might be off…
-
I'm hoping to get some clarification here. Consider the following image:
http://imgur.com/SLEopKY
Say I wanted to allow LAN1 to talk to LAN2, but NOT LAN3
It doesn't seem like I'm able to put a rule on LAN3's interface with:
DENY SOURCE: LAN1 NET, DESTINATION: LAN3 NET
Any rule I place on LAN3's interface that DOES NOT have a source of LAN3 seems to be ignored. LAN3 I'd like to have pretty locked down. So for instance if I had a webserver back there I want to only allow traffic to it on port 80 and that's it. I would think, assuming LAN1 and LAN2 of course have the ANY/ANY rule on them, I'd put two rules on LAN3's interface:
1. ALLOW - SOURCE: ANY, DESTINATION: webserver-80
2. DENY - SOURCE: ANY, DESTINATION: LAN3 NET
But that doesn't work. What am I doing wrong here?
-
https://doc.pfsense.org/index.php/Example_basic_configuration#Caveats
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
Always remember that rules on Interface tabs are matched on the INCOMING Interface.
-
Yes, they're off.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
Firewall rules are processed when a session is started coming INTO an interface. This means connections from your LAN computers to web pages, DNS servers, mail servers, etc., are handled by rules on your LAN interface. If you have port forwards permitting connections from the internet inbound to local servers these go on your WAN interface. This is the single concept that you need to grasp when designing your network at the start.
If you want to only allow connections to a specific host on LAN3 port tcp 80 you would do something like this:
WAN
pass ipv4 tcp from any to lan3_host port 80
block ipv4 any from any to lan3_host

LAN1
pass ipv4 tcp from LAN1 net to lan3_host port 80
block ipv4 any from LAN1 net to lan3_host

LAN2
pass ipv4 tcp from LAN2 net to lan3_host port 80
block ipv4 any from LAN2 net to lan3_host

Nothing you put on LAN3 has anything to do with it.
Think of it this way. Firewall rules on interface tabs allow connections into pfSense. Once inside, the connection already has permission to get out the necessary interface. Return traffic (ACKs, etc) is also automatically allowed by the stateful firewall.
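Added example, not from the thread or from pfSense itself: a small first-match simulator of the ingress-interface behaviour described above, run against the original post's rule placement (restrictions on the LAN3 tab) and the placement recommended in this reply (restrictions on the LAN1 and LAN2 tabs). The subnets and the web server address are constructed; the trailing pass-any rule on LAN1/LAN2 is an assumption so those LANs keep reaching everything else, and the block covers the LAN3 net rather than only lan3_host, matching the original post's stated goal.

```python
import ipaddress

# Constructed prefixes for the thread's three LANs (the linked image is not on the page).
NETS = {n: ipaddress.ip_network(p) for n, p in
        [("LAN1", "192.168.1.0/24"), ("LAN2", "192.168.2.0/24"), ("LAN3", "192.168.3.0/24")]}
WEB = "192.168.3.10"  # constructed web server on LAN3


def ingress_iface(src):
    """Rules are matched on the interface a session ENTERS on: the LAN whose subnet holds the source."""
    return next((n for n, net in NETS.items() if ipaddress.ip_address(src) in net), "WAN")


def addr_ok(spec, ip):
    """A rule address spec is 'any', a LAN name (that LAN's whole subnet) or an exact address."""
    if spec == "any":
        return True
    if spec in NETS:
        return ipaddress.ip_address(ip) in NETS[spec]
    return spec == ip


def evaluate(rulesets, src, dst, proto="tcp", dport=80):
    """First-match evaluation of ONLY the ingress interface's rules; no match means block.
    A rule is (action, proto, src, dst, dport_or_None)."""
    for action, rproto, rsrc, rdst, rport in rulesets.get(ingress_iface(src), []):
        if rproto in ("any", proto) and addr_ok(rsrc, src) and addr_ok(rdst, dst) and rport in (None, dport):
            return action
    return "block"


ANY_ANY = [("pass", "any", "any", "any", None)]

# What the original post tried: the restrictions live on LAN3's tab.
OP = {"LAN1": ANY_ANY, "LAN2": ANY_ANY,
      "LAN3": [("pass", "tcp", "any", WEB, 80), ("block", "any", "any", "LAN3", None)]}


def restricted(lan):
    """Rules for a source LAN's own tab: web only into LAN3, then (assumed) pass anything else."""
    return [("pass", "tcp", lan, WEB, 80), ("block", "any", lan, "LAN3", None), ("pass", "any", lan, "any", None)]


# What this reply recommends: restrict on the LAN1 and LAN2 tabs; the LAN3 tab is irrelevant.
FIXED = {"LAN1": restricted("LAN1"), "LAN2": restricted("LAN2"), "LAN3": ANY_ANY}

if __name__ == "__main__":
    for name, rs in (("OP", OP), ("FIXED", FIXED)):
        print(name, "LAN1->web:80 =", evaluate(rs, "192.168.1.5", WEB, "tcp", 80),
              "| LAN1->LAN3 host:22 =", evaluate(rs, "192.168.1.5", "192.168.3.20", "tcp", 22))
```

Running it shows the LAN1 to LAN3 ssh attempt passing under the original post's layout (the LAN3 tab never sees it) and blocked once the rules sit on LAN1.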
-
Thanks guys. Great replies. I appreciate it.
I guess pfsense behaves a little different than I'm used to. I'm currently studying for CCENT and am at the last parts that cover routing and ACLs. On some of the labs I'm taking it seems I can do what I was trying to do in my original post by placing some rules on the LAN3 interface that block traffic with SOURCES from LAN1 or LAN2. I don't necessarily think this is a bad thing, it's just different.
Thanks so much.
-
This may also be helpful:

-
Since you mentioned CCENT: many L3/L4 switches can do line-rate ACLs via ASICs on ingress, but egress ACLs are all handled by the host CPU. Be careful using egress ACLs; you could easily tank your switch's performance.