Really Basic Firewall rules question



  • I thought I understood what I was doing, but maybe not.

    I have a small test pfSense configured with 2 VLAN interfaces.
    So the interfaces are:

    • WAN

    • LAN

    • VLAN_10

    • VLAN_20

    I am reducing the test objective to: Blocking ICMP from VLAN_20 to VLAN_10

    The Docs state:

    Firewall rules on Interface and Group tabs process traffic in the Inbound direction
    That makes sense, but right now I'm almost convinced it works the other way around for me.

    I clicked Reset State after every rule change to try and reduce false positives

    Scenario 1:
    I activate these rules on VLAN_20

    This works!
    When I am a client on VLAN_20, I cannot ping a client on VLAN_10
    ..but this seems to work the reverse of what the Docs say: This seems to control the interface's outbound traffic, not its inbound traffic

    Scenario 2:
    I activate these rules on VLAN_10  (disabling the above block)

    This does not work.
    When I am a client on VLAN_20, I can still ping a client on VLAN_10
    When I am a client on VLAN_10, I cannot ping anything outside of VLAN_10
    Again, this appears to work differently than I expected. Why can an external ping reach a client on VLAN_10?

    Maybe I have been looking at this for too long, but right now it looks like Firewall rules control outbound traffic for each interface.
    Can someone explain in simple terms how to think of the relationship between Rules/interfaces/source/destination



  • This seems to control the interface's outbound traffic, not its inbound traffic

    Well, if an interface isn't letting anything in, it certainly won't pass it along to another interface.

    Why can an external ping reach a client on VLAN_10?

    Because you have the block on the wrong interface.

    but right now it looks like Firewall rules control outbound traffic for each interface.

    Nope, rules are applied on inbound traffic.



  • Because you have the block on the wrong interface.

    I seem to be missing something basic.
    Help me visualize what is IN and what is OUT in this context.

    To me, VLAN_10 inbound traffic would mean
    From Outside VLAN_10 Subnet –> VLAN_10 Interface --> VLAN_10 Subnet

    Is that correct?


  • 

    No. Think about it as the interface into which the request is entering pfSense.

    If hosts out on the internet make a connection, the request first arrives on WAN, so that's where the rule needs to be.

    If LAN hosts request web pages, the requests first arrive on LAN, so that's where the rule needs to be.

    Once a packet/connection request is allowed INTO pfSense, it is routed and allowed OUT the proper interface by default. No rules necessary.  Also, return traffic (SACKs, ACKs, NAKs, UDP responses, etc) is allowed by default.  This is what it means to be a stateful firewall instead of just a packet filter.

    Firewall rules allow or deny initial connections into the router.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
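The ingress-interface rule model described in the reply above, as an added example that is not part of the thread and not pfSense's own code: a small Python simulation of a stateful firewall that evaluates rules only on the interface a packet enters, creates a state entry on a permitted first packet, and lets the reply through on that state without consulting the egress interface's rules. The interface subnets, host addresses, and the exact contents of the poster's block rule (the screenshots are not on the page) are assumptions made for the example; it uses "block ICMP from VLAN_20 subnet to VLAN_10 subnet" placed above a default allow-all rule, and runs it once on VLAN_20 (Scenario 1) and once on VLAN_10 (Scenario 2).

```python
"""Toy model of pfSense-style interface rules: rules are matched only on the
interface where a packet ENTERS the firewall, and replies ride on state.

Added example; not pfSense code and not from the forum thread. Topology,
addresses and the block rule below are constructed assumptions.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed topology: interface name -> subnet attached to it
INTERFACES = {
    "WAN": ipaddress.ip_network("203.0.113.0/24"),
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "VLAN_10": ipaddress.ip_network("10.10.10.0/24"),
    "VLAN_20": ipaddress.ip_network("10.10.20.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    proto: str                     # "icmp", "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class Firewall:
    rules: dict = field(default_factory=dict)   # interface -> [Rule], first match wins
    states: set = field(default_factory=set)    # (proto, src_ip, dst_ip) of allowed flows

    def ingress_interface(self, src_ip):
        """The interface a packet arrives on is the one whose subnet holds its source."""
        for name, net in INTERFACES.items():
            if src_ip in net:
                return name
        return "WAN"   # anything not in a directly attached subnet arrives from the internet

    def reset_states(self):
        """Equivalent of clicking Reset States in the GUI."""
        self.states.clear()

    def packet(self, proto, src, dst):
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        iface = self.ingress_interface(src_ip)
        # Stateful path: a reply to an already-permitted flow is accepted on the
        # state entry and never compared against the rules of any interface.
        if (proto, dst_ip, src_ip) in self.states:
            return f"pass (state on {iface})"
        # Rule path: only the rules on the INGRESS interface are evaluated.
        for r in self.rules.get(iface, []):
            if r.proto in (proto, "any") and src_ip in r.src and dst_ip in r.dst:
                if r.action == "pass":
                    self.states.add((proto, src_ip, dst_ip))
                    return f"pass (rule on {iface})"
                return f"block (rule on {iface})"
        return f"block (default deny on {iface})"   # no match, as on a bare WAN tab


def build(block_on):
    """Internal interfaces get an allow-all rule (like pfSense's default LAN rule);
    the thread's ICMP block from VLAN_20 net to VLAN_10 net is placed above it
    on the interface named by `block_on`."""
    fw = Firewall()
    for iface in ("LAN", "VLAN_10", "VLAN_20"):
        fw.rules[iface] = [Rule("pass", "any", ANY, ANY)]
    fw.rules[block_on].insert(
        0, Rule("block", "icmp", INTERFACES["VLAN_20"], INTERFACES["VLAN_10"]))
    return fw


def scenario(block_on):
    """Run the thread's two tests plus an echo reply; hosts are constructed."""
    fw = build(block_on)
    out = {}
    # Echo request from a VLAN_20 host to a VLAN_10 host: enters on VLAN_20.
    out["vlan20_to_vlan10"] = fw.packet("icmp", "10.10.20.5", "10.10.10.5")
    # Echo request the other way: enters on VLAN_10 and creates state.
    out["vlan10_to_vlan20"] = fw.packet("icmp", "10.10.10.7", "10.10.20.9")
    # The echo reply enters on VLAN_20 but is accepted on state, so the block
    # rule there is never consulted.
    out["reply_to_vlan10"] = fw.packet("icmp", "10.10.20.9", "10.10.10.7")
    return out


if __name__ == "__main__":
    for iface in ("VLAN_20", "VLAN_10"):
        print(f"block rule on {iface}:")
        for name, verdict in scenario(iface).items():
            print(f"  {name}: {verdict}")
```

With the block on VLAN_20 the request from VLAN_20 is dropped on entry, while a VLAN_10 host's ping to VLAN_20 still works because its reply is matched on state rather than on the VLAN_20 rules. With the same block moved to VLAN_10 it never sees the request from VLAN_20, which entered and was passed on VLAN_20, which is the "wrong interface" point made in the reply.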



  • this will help to visualize

    ![pfSense traffic rules.jpg](/public/imported_attachments/1/pfSense traffic rules.jpg)



  • Thank you, now the behavior I observe is consistent with the terminology.

    All subnets are equally 'External' to the router, got it

