Question on one of my rules (or more)


  • For that one rule the LAN -> LAN pass.
    Is there ANY, not just usual, but any (if the only situation would be LAN->This Firewall, I want to change it to that.)

    Other than that, is there anything else that should be changed or simplified?

    The "Local_Networks" alias in the "LAN -> Local_Networks" is an alias containing the subnets for all interfaces I have, so I can put a block above the allow any rule and then just pass the inter-interface traffic I want.  (Such as letting the printer communicate with the guest network)

    (And the LAN_DHCP -> * block is to block people who pull a DHCP address from getting online if they fall in the DHCP range rather than the static leases I assigned, as a quick way to find people who plug into the wrong network.  This is a home network, so I just smack people upside the head when they do this if I get the "I can't get online" bit)
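    The rule order the post describes, written out as an illustrative pf ruleset (added here for clarity; it is not from the thread, and pfSense generates its own rules from the GUI). The interface name, subnets, printer address and DHCP pool are assumed placeholders. pfSense rules are first-match ("quick"), so the exception sits above the Local_Networks block, which sits above the pass-any; the rule that replaces "LAN net -> LAN net" also has to sit above that block, because the firewall's own LAN address is inside the Local_Networks alias.

    ```pf
    # Illustrative only: assumed interface, subnets and hosts.
    lan_if      = "igb1"             # assumed LAN interface
    lan_net     = "192.168.1.0/24"   # assumed LAN subnet
    guest_net   = "192.168.3.0/24"   # assumed guest subnet
    printer     = "192.168.1.50"     # assumed printer on LAN (static lease)

    # "Local_Networks" alias: every directly attached subnet
    table <Local_Networks> { 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 }
    # "LAN_DHCP" alias: the dynamic pool; static leases live outside it
    table <LAN_DHCP> { 192.168.1.128/25 }

    # 1. Anything that pulled a dynamic lease goes nowhere (the "wrong network" tell)
    block in quick on $lan_if from <LAN_DHCP> to any

    # 2. LAN -> This Firewall. "self" is every address the firewall holds,
    #    virtual IPs included, so this covers the LAN-address case as well.
    #    It must precede rule 4: $lan_address is inside <Local_Networks>.
    pass in quick on $lan_if from $lan_net to self keep state

    # 3. Explicit inter-interface exceptions go above the block
    pass in quick on $lan_if from $printer to $guest_net keep state

    # 4. Everything else between local subnets is dropped here...
    block in quick on $lan_if from $lan_net to <Local_Networks>

    # 5. ...so only Internet-bound traffic reaches the general pass-any
    pass in quick on $lan_if from $lan_net to any keep state
    ```

    Return traffic for the printer rule rides on the state entry, so no matching rule is needed on the guest interface for replies.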

  • LAYER 8 Netgate

    What rare event do you anticipate that involves traffic for LAN net being routed to your LAN interface?


  • @Derelict:

    What rare event do you anticipate that involves traffic for LAN net being routed to your LAN interface?

    Something from LAN to Firewall (other than the ports in anti-lockout) or LAN to Virtual IP on firewall.
    (More specifically that second one as I don't know if the "This Firewall" option would cover that.)

  • LAYER 8 Netgate

    Yes.  A better way to do what you want without source LAN net dest LAN net would be source LAN net dest LAN address.

    But on 2.2+ This Firewall is the way to go.


  • @Derelict:

    Yes.  A better way to do what you want without source LAN net dest LAN net would be source LAN net dest LAN address.

    But on 2.2+ This Firewall is the way to go.

    I'll change it to "This Firewall" over the weekend and then I'll do a test with the virtual IP case to see if pfSense handles that or if it's covered by the switching layer.