    Really Basic Firewall rules question

Category: Firewalling. 6 Posts, 4 Posters, 1.1k Views
Norsak:

      I thought I understood what I was doing, but maybe not.

      I have a small test pfsense configured with 2 VLAN interfaces.
      So the interfaces are:

      • WAN

      • LAN

      • VLAN_10

      • VLAN_20

I am reducing the test objective to: Blocking ICMP from VLAN_20 to VLAN_10

      The Docs state:

      Firewall rules on Interface and Group tabs process traffic in the Inbound direction
      That makes sense, but right now I'm almost convinced it works the other way around for me.

      I clicked Reset State after every rule change to try and reduce false positives

      Scenario 1:
      I activate these rules on VLAN_20

      This works! 
When I am a client on VLAN_20, I cannot ping a client on VLAN_10
...but this seems to work the reverse of what the Docs say: This seems to control the interface's outbound traffic, not its inbound traffic

      Scenario 2:
      I activate these rules on VLAN_10  (disabling the above block)

      This does not work.
      When I am a client on VLAN_20, I can still ping a client on VLAN_10
      When I am a client on VLAN_10, I cannot ping anything outside of VLAN_10
Again, this appears to work differently than I expected. Why can an external ping reach a client on VLAN_10?

      Maybe I have been looking at this for too long, but right now it looks like Firewall rules control outbound traffic for each interface.
Can someone explain in simple terms how to think of the relationship between rules/interfaces/source/destination?

KOM:

> This seems to control the interface's outbound traffic, not its inbound traffic

        Well, if an interface isn't letting anything in, it certainly won't pass it along to another interface.

> Why can an external ping reach a client on VLAN_10?

        Because you have the block on the wrong interface.

> but right now it looks like Firewall rules control outbound traffic for each interface.

        Nope, rules are applied on inbound traffic.

Norsak:

> Because you have the block on the wrong interface.

          I seem to be missing something basic.
          Help me visualize what is IN and what is OUT in this context.

          To me, VLAN_10 inbound traffic would mean
From outside VLAN_10 subnet --> VLAN_10 interface --> VLAN_10 subnet

          Is that correct?

Derelict (LAYER 8, Netgate):

            No. Think about it as the interface into which the request is entering pfSense.

            If hosts out on the internet make a connection, the request first arrives on WAN, so that's where the rule needs to be.

            If LAN hosts request web pages, the requests first arrive on LAN, so that's where the rule needs to be.

            Once a packet/connection request is allowed INTO pfSense, it is routed and allowed OUT the proper interface by default. No rules necessary.  Also, return traffic (SACKs, ACKs, NAKs, UDP responses, etc) is allowed by default.  This is what it means to be a stateful firewall instead of just a packet filter.

            Firewall rules allow or deny initial connections into the router.

            https://doc.pfsense.org/index.php/Firewall_Rule_Basics

            https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

            https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
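To make the "rules are evaluated on the interface the packet enters, then state carries the reply" explanation concrete, here is a small added model of that behaviour. It is illustration code written for this thread, not pfSense or pf code; the subnet numbers, the rule set (an allow-all on each VLAN tab with one ICMP block placed above it) and the function names are assumptions, since the poster's actual rule screenshots are not on the page. Moving the same block rule from the VLAN_20 tab to the VLAN_10 tab reproduces the poster's two scenarios.

```python
"""Toy model of stateful, ingress-interface rule evaluation (pfSense style).

Three properties of the real firewall are modelled:
  1. A rule is consulted only for packets ENTERING the interface whose tab it is on.
  2. First matching rule wins; an interface with no matching rule is default-deny.
  3. A passed packet creates a state; the reply matches that state and never
     touches a rule tab.
Topology and addresses below are constructed for the example (assumption).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Which subnet sits behind which interface; anything else is treated as WAN.
SUBNETS = {
    "VLAN_10": ip_network("10.0.10.0/24"),
    "VLAN_20": ip_network("10.0.20.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp", "tcp", ...


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    iface: str           # the tab the rule lives on
    proto: str = "any"
    src: str = "any"     # CIDR or "any"
    dst: str = "any"

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr: str, spec: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return (self.proto in ("any", pkt.proto)
                and in_net(pkt.src, self.src)
                and in_net(pkt.dst, self.dst))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # (src, dst, proto) of every passed request

    @staticmethod
    def ingress_interface(pkt: Packet) -> str:
        """The interface a packet enters is the one whose subnet holds its source."""
        for name, net in SUBNETS.items():
            if ip_address(pkt.src) in net:
                return name
        return "WAN"

    def filter(self, pkt: Packet) -> str:
        # Reply to an existing state: allowed by the state table, rules not consulted.
        if (pkt.dst, pkt.src, pkt.proto) in self.states:
            return "pass (existing state)"
        iface = self.ingress_interface(pkt)
        # Only rules on the ingress interface's tab are evaluated; first match wins.
        for rule in self.rules:
            if rule.iface == iface and rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add((pkt.src, pkt.dst, pkt.proto))
                return f"{rule.action} (rule on {iface})"
        return f"block (default deny on {iface})"


def ping(fw: StatefulFirewall, src: str, dst: str):
    """Send an echo request and, if it got through, the echo reply. Return both verdicts."""
    request = fw.filter(Packet(src, dst, "icmp"))
    if not request.startswith("pass"):
        return request, "no reply generated"
    reply = fw.filter(Packet(dst, src, "icmp"))
    return request, reply


# The block rule from the thread: ICMP from the VLAN_20 subnet to the VLAN_10 subnet.
BLOCK_ICMP_20_TO_10 = dict(action="block", proto="icmp",
                           src="10.0.20.0/24", dst="10.0.10.0/24")


def scenario(block_on: str) -> StatefulFirewall:
    """Allow-all on both VLAN tabs, with the block rule placed above on `block_on`."""
    rules = [Rule(iface=block_on, **BLOCK_ICMP_20_TO_10),
             Rule("pass", "VLAN_10"),
             Rule("pass", "VLAN_20")]
    return StatefulFirewall(rules)


if __name__ == "__main__":
    for tab in ("VLAN_20", "VLAN_10"):
        fw = scenario(tab)
        print(f"block rule on {tab} tab; VLAN_20 host pings VLAN_10 host:",
              ping(fw, "10.0.20.5", "10.0.10.5"))
```

Scenario 1 (block on the VLAN_20 tab) stops the request on the interface where it enters, so no state is ever created and no reply exists. Scenario 2 (block on the VLAN_10 tab) never sees the request at all: the packet entered on VLAN_20, passed there, created a state, and the echo reply rides that state back out. The rule on VLAN_10 only ever meets packets whose source is already inside VLAN_10, which is the "all subnets are equally external to the router" point.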

n3by:

This will help to visualize:

              ![pfSense traffic rules.jpg](/public/imported_attachments/1/pfSense traffic rules.jpg)

Norsak:

                Thank you, now the behavior I observe is consistent with the terminology.

All subnets are equally 'external' to the router, got it.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.