Unable to block traffic from and to opt1 from lan



  • Okay, for some reason i can connect from my lan to the opt1 interface.
    This was allways blocked by a rule in the firewall.
    Even when i put up a rule in the opt1 to block any source, destination and protocol, i can still reach both interfaces both ways.
    One thing i changed is i'm using the new trafficshaper.
    Anyone any suggestions where i can start to find the problem ?



  • You got the flow of traffic wrong. So if you want to block traffic from lan to opt1 the rule shall be applied on the Lan rule

    • lan net * !opt1 net * * default lan -> any


  • Maybe i wasn't clear enough but basicly i want to block traffic from the opt1 interface to the lan interface.

    For testing i put this rule in opt1, it's the only rule.

    rule is block
    Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description

    • *               *     *         *     *             none

    With this rule in place nothing is blocked, i can still reach the lan net from the opt1 net.



  • Try to remove all rules you have on the interface.
    If there are no rules, nothing will be allowed (there is an invisible block everything rule)



  • Don't forget to reset states when testing a new ruleset and it appears to not work (diagnostics>states, reset states).



  • Hmm,
    I'm also running a captive portal on the same interface, that still works.
    I did remove all rules and still i have access to anything once i'm logged in ?!



  • anyone any idea to help me diagnose this problem ?



  • I did a complete new install on different hardware, so started from scratch.
    Now again i'm facing the same problem, even with all rules deleted i still have access to the lan subnet from the opt1 interface. A tracert from a client on the opt1 interface shows that it goes trough the pfsense box.
    On the other hand with all rules deleted, on the lan side i can't get nowhere.



  • After some experimenting on vmware i found out the problem.
    When using the 1.2 version of 26 feb there is no problem and everything works as expected.
    However when using the 1.2 version of 23 Apr with the bountyshaper, the firewall rules on opt1 have no effect.


Log in to reply