Completely disable firewalling for 1 NIC

  • I have 3 NIC in my device.

    1 = WAN
    2 = LAN
    3 = OPT1

    Is it possible, within pfSense, to give a sort of "WAN pass through" on the 3rd interface?
    So all my devices are connected to the LAN (2nd port) but if I temporary want to bypass all firewalling I need to plug in to port 3.
    Can that be done?

  • If I understand what you're asking correctly, then yes. All you have to do is set an 'allow all' rule from the OPT1 network to the outside.

  • That sounds like it! :)

    I just want port 1 to be WAN, port 2 to be LAN (with firewalling), and the last port (3) to be NOT protected.

    So for instance, if I want to go on the internet without any restrictions, I plug my machine into port 3.

  • LAYER 8 Global Moderator

    You do understand that the default rule on lan is any any..  So really there is no firewalling actually happening.. Other than unsolicited inbound traffic.

    What is it that is not working that you think you need to not have a firewall between you and the public internet?  How many public IPs do you have?  Because if you want to put a public IP on something you plug into opt1, you're going to need more than 1 since wan of pfsense would be using your normal one.

    So you want something on pfsense opt1 to have 1:1 NAT with all ports open inbound to??  Why not just forward the ports you need to the devices you want them on, etc..

  • It's just for testing purposes.
    I have 1 IP which of course is used by the WAN interface.

    I just want the OPT1 port to be completely "unprotected" inbound and outbound.

  • LAYER 8 Global Moderator

    And how is that going to happen when pfsense has your 1 public IP??  So you're NATing to this.. You could do a 1:1 nat to the IP you want to be "unprotected" and set up wan rules to be allow all to that IP.

  • I think you need to define what 'unprotected' actually means in this case. Do you mean you don't want anything your PC tries to access to be blocked, or do you mean you want anything on the internet to be able to access your PC? The distinction is an important one. In the latter case, going in 'unprotected' can cause you major headaches (and I'm struggling to avoid using STD jokes here).

  • Sorry if I was not clear on what I wanted.

    I confirm I don't want anything my PC tries to access to be blocked when I'm connected to the OPT1 port.

  • @Panja:

    Sorry if I was not clear on what I wanted.

    I confirm I don't want anything my PC tries to access to be blocked when I'm connected to the OPT1 port.

    This is quite easy but requires some additional information before you can set up FW rules, because being connected behind a FW, you will need rules in any case, even if these rules are authorizing everything both ways.

    From this network to internet, as already stated, if you authorize any to any, there is no restriction.  Be sure you configure such a rule for any to any in terms of source and destination address but also in terms of protocol. This is for the outgoing flow.

    As johnpoz also highlighted, for incoming flow, you have to decide how you want to handle it.

    Either each device on this segment inherits a public IP, in which case this is only a matter of routing + FW rules (authorizing everything), or you don't own these/this IP and you will need to NAT, either 1:1 or port forwarding.

    This being said, I feel you need to clarify your request because what we discuss here is mainly FW rules but you may have other components interacting in the middle.
    e.g. transparent proxy?

  • LAYER 8 Global Moderator

    "I confirm I don't want anything my PC tries to access to be blocked when I'm connected to the OPT1 port."

    This is the default out of the box configuration for the lan interface, if you add a new optX interface it will have NO rules by default.  So you could create any any rule on it if you have restricted lan.

    But this opt1 interface is going to be in its own segment by default, are you wanting lan and opt1 to be on the same local network?  Which would be a bridge and not a very good setup.

    If you want to create restrictions on outbound traffic on lan and then have unrestricted on your opt1 network, then create the rules that way.

    So for example lan could be and opt1 network could be

    You say restrict lan to only outbound on 80 and 443, then on opt1 network set to any any.  Anything you plug into opt1 network would get an IP on 192.168.1/24 network and be unrestricted outbound to the internet.  While devices connected to lan would get 192.168.0/24 IP and could only go out on 80 and 443.

    What are your rules on your lan currently?  So for example my lan rules are completely unrestricted to the internet or any of my other lan segments on both ipv4 and ipv6

    Now I edited my dmz rules to show an example of those machines only being able to go to the internet on port 80 (http) and cannot talk to my other segments at all

    So as we walk down the rules on dmz
    I allow ipv4 and ipv6 to ping the pfsense dmz interface
    I allow dns to pfsense dmz address
    I then block those clients from talking to anything on any of the pfsense interface both lan and wan.
    I then allow in this edited rule dmz clients to only talk to any IP that is NOT (the !) my local networks on port 80
    The last rule allows dmz clients to talk to any IP that is not my ipv6 networks.

    If dmz client for example tried to talk https it would be blocked, since by default block any any is the last rule (not shown in pfsense)
    Rules are always INBOUND to that interface, and go from top down; first rule to trigger is what happens.  There are some hidden rules not shown - for example if you enable dhcp server on an interface pfsense puts rules in to allow clients to talk to your dhcp server.  So even if you have no rules or block everything they could still get an IP from your dhcp server running on pfsense.

    So if you post up your lan rules we can see how you have them restricted, but once again default is ANY ANY so if you have not edited those then anything on your lan can talk to anything it wants with the any any rule.
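As an added illustration (not code from the thread or from pfSense itself), here is a small Python model of the top-down, first-match evaluation johnpoz describes, loaded with the IPv4 DMZ rules he walks through and the hidden DHCP rule; all interface addresses and networks are constructed placeholders.

```python
# Added example, not from the thread or pfSense: a toy first-match model of the
# DMZ rules described above. All addresses are constructed placeholders.
from ipaddress import ip_address, ip_network

DMZ_ADDR = ip_address("192.168.2.1")             # assumed pfSense DMZ interface IP
LOCAL_NETS = [ip_network("192.168.0.0/24"),      # assumed LAN
              ip_network("192.168.1.0/24"),      # assumed OPT1
              ip_network("192.168.2.0/24")]      # assumed DMZ
# Every pfSense interface address (LAN, OPT1, DMZ, WAN): the "block to any
# pfsense interface" rule matches these destinations.
IFACE_ADDRS = {ip_address("192.168.0.1"), ip_address("192.168.1.1"),
               DMZ_ADDR, ip_address("203.0.113.10")}

def is_local(dst):
    """True when dst falls in a local segment (the '!' in the rule inverts this)."""
    return any(dst in net for net in LOCAL_NETS)

# Ordered like the DMZ tab: (name, action, predicate). First match wins.
DMZ_RULES = [
    # hidden rule pfSense adds when the DHCP server is enabled on the interface
    ("hidden dhcp", "pass", lambda p: p["proto"] == "udp" and p["dport"] == 67),
    ("ping dmz if", "pass", lambda p: p["proto"] == "icmp" and p["dst"] == DMZ_ADDR),
    ("dns to dmz", "pass", lambda p: p["proto"] in ("udp", "tcp")
                                   and p["dport"] == 53 and p["dst"] == DMZ_ADDR),
    ("block pfsense ifaces", "block", lambda p: p["dst"] in IFACE_ADDRS),
    ("http to !local", "pass", lambda p: p["proto"] == "tcp"
                                       and p["dport"] == 80 and not is_local(p["dst"])),
]

def pkt(proto, dst, dport=0):
    """A packet arriving INBOUND on the DMZ interface from a DMZ client."""
    return {"proto": proto, "dst": ip_address(dst), "dport": dport}

def evaluate(p, rules=DMZ_RULES):
    """Walk the rules top-down; the unlisted last rule is block any/any."""
    for name, action, match in rules:
        if match(p):
            return action, name
    return "block", "implicit default deny"

if __name__ == "__main__":
    for p in (pkt("tcp", "198.51.100.20", 80), pkt("tcp", "198.51.100.20", 443)):
        print(p["dst"], p["dport"], "->", evaluate(p))
```

Moving the block rule above the ping rule (pass a reordered list to `evaluate`) shows why order matters: the same ping is then blocked.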
