Traffic not blocked across interfaces?



  • Hi,

    I wonder if someone can clarify how firewalling across interfaces works with pfsense as it seems to make no sesne to me.

    I have 1 wan and multiple lan interfaces each with a /27 applied. I would expect that traffic from 172.16.1.0/27 would be blocked from reaching anything on, say, 172.16.1.32/27 but this is not the case, traffic flows freely across the interfaces. I've added a block rule explicitly and still the traffic gets through.

    The only way I can seem to block it is by using a floating deny which isnt really what I want as then I have to put all of the exceptions in floating rules when ultimately I want to add the exceptions specifically to each interface.

    Am I just missing something or is this for some reason, by design?



  • I found the same behaviour when I set up two LAN interfaces on my own firewall. I stopped traffic from crossing the two networks by putting in REJECT rules to/from each of the LAN networks at or near the top of my ruleset. I'm not a developer/maintainer, so I can't say whether this is by design or not.



  • @muswellhillbilly:

    I found the same behaviour when I set up two LAN interfaces on my own firewall. I stopped traffic from crossing the two networks by putting in REJECT rules to/from each of the LAN networks at or near the top of my ruleset. I'm not a developer/maintainer, so I can't say whether this is by design or not.

    Thanks, I'll revisit my rules later but this seems very counter-intuitive, imo nothing should be allowed into an interface unless there is a specific rule to allow it and the docs I have read on pfsense seem to indicate that this is the case so still not convinced I haven't configured something incorrectly.



  • Well I've gone back to my rules and I just cant get this to work in any sane manner.

    Here's what I have configured:

    lan_1 - 172.16.1.32/27
    lan_2 - 172.16.1.64/27

    Alias: Private -> 172.16.0.0/16

    lan_2 rule:

    Action - Reject
    Interface - lan_2
    TCP/IP - v4
    Protocol - Any
    Source - Alias Private
    Destination - any

    And then from 172.16.1.34:

    PING 172.16.1.66 (172.16.1.66) 56(84) bytes of data.
    64 bytes from 172.16.1.66: icmp_seq=1 ttl=63 time=0.186 ms

    Why on earth would this happen, why would traffic even be allowed by default and why does it not get blocked with an explicit rule? Just makes no sense at all to me.

    As I said before, the ONLY way I can appear to stop traffic crossing interfaces is with a floating rule but this again makes little sense as if I want certain traffic to be able to cross certain interfaces, the rules have to go into floating and not on the interface tab which is not intuitive.

    does anyone know why this is the case?

    Edit - So it appears that the above rule is actually stopping traffic going the other way. Seems like you have to handle the restriction via disallowing the outbound traffic from the source interface unless I am misunderstanding something??

    This is definitely not a sane way to firewall things for me and going to be much less sensible when you have a lot of interfaces and a lot of admins.

    Can this be worked around? Is it possible to have a floating rule to block all traffic across interfaces but still be able to override for specific cases using the interface rules?


Log in to reply