Floating vs WAN rule



  • I'm doing a test rule, trying to block pinging www.google.com (ping typically hits 216.58.208.36)

    BLOCK, protocol any, destination: network 216.58.0.0/24

    • When I make a floating rule, targeting only the WAN interface, it correctly blocks.
    • When I make a WAN rule, it doesn't block

    Why is that?

    pfSense 2.3. Can someone verify?



  • The non-floating rules apply only to traffic coming IN on an interface. In other words the pings you're using for testing your rules are going OUT on the WAN interface and the non-floating rules won't apply to the them.



  • RTFM fail  :-[

    On a separate but related out direction note..

    I'm now kind of confused as to why I'd have a host rule defining an alternate gateway (VPN) in the LAN section because typically you would think that the traffic needs to flow in AND out over this alternate gateway and since out is only on floating rules, shouldn't mine be a floating rule?


  • LAYER 8 Netgate

    When you want to route traffic out a certain gateway (VPN or not) you want to match the traffic when the state is being created. That happens on LAN when a LAN host starts a connection. It really is the easiest/best place for the policy routing rule.

    You have to have a rule there passing the traffic anyway. It might as well just do the policy routing too.


Log in to reply