Netgate Discussion Forum

DISABLE vrs DELETE retired LAN VLAN interface

  • MR4043
    posted Jun 26, 2015, 2:34 PM (last edited Jun 26, 2015, 2:47 PM)

    Hello,

    We just migrated 5 interfaces from behind our pfSense firewall (each interface on a separate VLAN) to behind a new firewall that is managed by a PCI compliance service provider.

    This leaves the pfSense with about 7 interfaces remaining (again on separate VLANs in most cases). A series of firewall rules were used to route traffic between / allow hosts on the different interfaces to communicate prior to the change. After the change we disabled each of the interfaces on the pfSense that were migrated to the new firewall. My concern is: by DISABLING them instead of DELETING the migrated interfaces, is there any risk that pfSense will still try to follow old routing / firewall rules that it used previously when devices on the remaining interfaces attempt to communicate with devices on the migrated interfaces (NOT desired)? Or will it 'know' not to try those (now invalid) rules and instead use the new rules that we are in the process of building / troubleshooting, which tell the pfSense to use only a special single interface that connects the two firewalls together (sort of like a private DMZ between them) - the desired behaviour?

    I guess another way to ask the same question would be: if you disable an interface, is it equivalent to deleting it as far as routing or attempts to route go with pfSense? Or, not desired: will pfSense see the destination interface is disabled and then say "there is no way to get the traffic to that host because it exists on a disabled interface"? (my concern)

    If anyone can help me out with an explanation I would be very grateful.

    New to pfSense but want to learn more.
    Regards

    •
      phil.davis
      last edited by Jun 26, 2015, 5:45 PM

      The local subnets on the disabled interfaces will no longer exist in any of the real underlying networking. So packets for addresses in those subnets will no longer be delivered locally.
      If there is still a pass rule on a remaining interface with destination to an "old" subnet, then the traffic will still be passed and will be routed wherever the routing table now thinks it can reach those addresses - if you do nothing else then it will go out the default route. That might cause some traffic with private IPv4 address destinations to go out the public WAN and then be dropped upstream by your ISPs router.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
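      The failure mode Phil describes (a pass rule whose destination subnet is no longer directly connected, so matching traffic follows the default route out the WAN) can be checked for with a small script. The following is an added example, not code from the thread or from pfSense: it takes a constructed sample of FreeBSD `netstat -rn -f inet` output and a constructed list of rule destination networks, and lists every rule destination that no longer has a directly-connected (`link#`) route. On a real box the routing table would come from `netstat -rn -f inet` at the shell and the destination list from the remaining pass rules.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn -f inet` output after two VLAN
# interfaces were disabled; only igb1 and igb1.20 subnets remain connected.
ROUTES='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
10.10.10.0/24      link#2             U          igb1
10.10.20.0/24      link#3             U       igb1.20
127.0.0.1          link#5             UH          lo0
203.0.113.0/24     link#1             U          igb0'

# Constructed sample: destination networks still referenced by pass rules
# on the remaining interfaces (the last two belonged to migrated VLANs).
RULE_DESTS='10.10.10.0/24
10.10.20.0/24
10.10.30.0/24
10.10.40.0/24'

# is_connected NET: succeed if NET has a directly-connected route,
# i.e. a routing-table line whose gateway is a link#N entry.
is_connected() {
    printf '%s\n' "$ROUTES" | awk -v net="$1" '
        $1 == net && $2 ~ /^link#/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# orphaned_rule_dests: print each rule destination with no connected
# route; traffic matching such a rule follows the default route instead.
orphaned_rule_dests() {
    printf '%s\n' "$RULE_DESTS" | while IFS= read -r net; do
        [ -n "$net" ] || continue
        is_connected "$net" || printf '%s\n' "$net"
    done
    return 0
}

# Review these rules: each one passes traffic that can now only leave via
# the default route (the WAN), where private destinations are dropped upstream.
orphaned_rule_dests
```

      Matching is on the exact network/prefix string, which is how pfSense stores rule destinations; a rule using an alias would have to be expanded to its member networks first.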

      •
        MR4043
        last edited by Jun 26, 2015, 6:01 PM

        Thank you Phil,

        Your post is very helpful. So as far as the pfSense routing table is concerned, when you disable an interface on the pfSense, are any routes in the pfSense's routing table that reference that interface also disabled or removed? Or do they stay there to create a possible problem unless manually removed (in which case I have a lot of cleanup to do)?

        I think if you can answer this last question I will have everything I need to understand this scenario.

        Regards

        •
          phil.davis
          last edited by Jun 26, 2015, 7:26 PM

          There are no "routes" in that sense for directly-connected interfaces. The interface will no longer have any IP address/subnet mask configured on it and the routing table will automatically not have any entry for that subnet. So there is nothing to clean up in the routing table.
          Of course if you had bonus stuff like static routes that pointed to downstream routers somewhere on old interfaces, then those need to be removed.
