Topic: Understanding Firewall Between LAN and OPT1

msalvatore
Understanding Firewall Between LAN and OPT1
« on: December 02, 2017, 06:14:19 pm »
Hi Everyone,

I'm very new to pfSense and I'm loving it so far. I don't have much experience with firewalls, so this may be standard behavior that I'm just not familiar with. I've also read some conflicting information on the matter, so I would appreciate it if someone could set the record straight.

pfSense Version: 2.4.2
Setup: I have a network on the LAN interface (172.25.50.0/24) and a network on the OPT1 interface (192.168.25.0/24).
Expectation: Traffic between LAN <-> OPT1 is subject to firewall rules for both interfaces. For example, if LAN allows ping to any destination, but OPT1 blocks pings from all sources, hosts on LAN should not be able to ping hosts on OPT1.
Behavior: Traffic coming into the OPT1 interface from LAN net gets evaluated against LAN's firewall rules, but it does not get evaluated against OPT1's firewall rules. In other words, LAN net hosts can ping OPT1 hosts even though OPT1 blocks all ICMP traffic.

Question 1: Is what I'm observing the expected behavior?
Question 2: I found this post (https://forum.pfsense.org/index.php?topic=39826.0) where the author states "I just read that normally all traffic from opt1 to lan is blocked." Is all traffic between OPT1 <-> LAN normally blocked?
Question 3: It's simple enough to put a rule on LAN that blocks all traffic destined for OPT1 net (and vice versa), but maybe someone can explain to me the reason why traffic from LAN to OPT1 doesn't obey the firewall rules on OPT1.
Question 4: Is there just a checkbox somewhere that I missed that enables/disables this behavior?

Thanks in advance!
Mike


Derelict (Global Moderator)
Re: Understanding Firewall Between LAN and OPT1
« Reply #1 on: December 03, 2017, 02:54:47 am »
pfSense interface rules process traffic inbound on that interface. That is the expected behavior. Once the traffic is allowed in, it is allowed out the destination interface.

If you wish to have rules that act on traffic going out an interface, you need to use a floating rule.

https://doc.pfsense.org/index.php/Firewall_Rule_Basics

https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

msalvatore
Re: Understanding Firewall Between LAN and OPT1
« Reply #2 on: December 03, 2017, 01:46:39 pm »
Thanks! I think the gap in my knowledge was that "incoming" means "from outside the router". So once traffic enters the router, it can exit through any interface. I guess I was confused because traffic from LAN -> OPT1 is incoming from the perspective of the OPT1 network, but not from the perspective of the firewall.

I'll play around a bit with the floating rules when I get a few minutes.

Derelict (Global Moderator)
Re: Understanding Firewall Between LAN and OPT1
« Reply #3 on: December 03, 2017, 02:05:47 pm »
Why? Most people do not need floating rules.

If you don't want traffic to go from LAN to OPT1, block it on LAN dest OPT1 network.
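The evaluation order Derelict describes in Reply #1, and the two ways of blocking LAN -> OPT1 ICMP that come up in Reply #1 (floating rule, out direction) and Reply #3 (block on LAN, destination OPT1 net), as an added worked example. This is not code from the thread or from pfSense; it is a small Python model of how pf handles a routed packet. It assumes the pfSense behaviour stated in the replies and the linked docs: interface-tab rules act only on traffic inbound on that interface, rules are first-match (pfSense sets "quick" on every rule), unmatched inbound traffic hits the default deny, and traffic that was passed in is then evaluated against out-direction rules on the egress interface, where pfSense's built-in pass-out rule lets it through unless a floating out rule matches first. The two networks are taken from the original post; the host addresses, rule labels and packets are constructed for the example.

```python
"""
Model of pf rule evaluation for a routed packet (added example, not pfSense code).

Assumed behaviour (from the thread and the linked pfSense docs):
  * Every rule is bound to one interface and one direction.
  * Interface-tab rules in pfSense are "in" rules on that interface only.
  * Floating rules may be "in" or "out" on any interface and are evaluated first.
  * First match wins (pfSense adds "quick" to every rule).
  * No "in" match  -> default deny (pfSense's implicit block).
  * No "out" match -> pass (pfSense's built-in "pass out ... keep state" rule).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Networks from the original post.
LAN_NET = ip_network("172.25.50.0/24")
OPT1_NET = ip_network("192.168.25.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Rule:
    iface: str                          # interface the rule is bound to
    direction: str                      # "in" (interface tab) or "out" (floating only)
    action: str                         # "pass" or "block"
    proto: Optional[str] = None         # None matches any protocol
    dst: Optional[IPv4Network] = None   # None matches any destination
    label: str = ""

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or pkt.dst in self.dst))


def egress_interface(dst: IPv4Address) -> str:
    """Static routing decision: which interface the packet leaves on."""
    if dst in LAN_NET:
        return "LAN"
    if dst in OPT1_NET:
        return "OPT1"
    return "WAN"


def first_match(rules, iface, direction, pkt, default):
    """First rule on this interface/direction that matches wins ("quick")."""
    for r in rules:
        if r.iface == iface and r.direction == direction and r.matches(pkt):
            return r.action, r.label
    return default, f"default {default} ({direction})"


def forward(rules, ingress, pkt):
    """Verdict for a packet arriving on `ingress`: the ingress interface's
    "in" rules first, then the egress interface's "out" rules."""
    action, why = first_match(rules, ingress, "in", pkt, default="block")
    if action == "block":
        return "block", f"in on {ingress}: {why}"
    egress = egress_interface(pkt.dst)
    action, why = first_match(rules, egress, "out", pkt, default="pass")
    if action == "block":
        return "block", f"out on {egress}: {why}"
    return "pass", f"in on {ingress}, out on {egress}: {why}"


# Rule set as described in the post: LAN allows everything, OPT1 blocks all ICMP.
POSTED_RULES = [
    Rule("LAN", "in", "pass", label="Default allow LAN to any"),
    Rule("OPT1", "in", "block", proto="icmp", label="OPT1 block ICMP"),
]

# Reply #3: block ICMP to OPT1 net on the LAN tab, above the allow rule.
FIX_ON_LAN = [
    Rule("LAN", "in", "block", proto="icmp", dst=OPT1_NET, label="LAN block ICMP to OPT1 net"),
] + POSTED_RULES

# Reply #1: a floating rule in the "out" direction on OPT1 (floating rules come first).
FIX_FLOATING_OUT = [
    Rule("OPT1", "out", "block", proto="icmp", label="Floating block ICMP out OPT1"),
] + POSTED_RULES

# Constructed test packets: a ping in each direction between the two networks.
LAN_TO_OPT1_PING = Packet("icmp", ip_address("172.25.50.10"), ip_address("192.168.25.10"))
OPT1_TO_LAN_PING = Packet("icmp", ip_address("192.168.25.10"), ip_address("172.25.50.10"))


def demo():
    """The cases discussed in the thread, as {scenario: (verdict, reason)}."""
    return {
        "posted rules, LAN -> OPT1 ping": forward(POSTED_RULES, "LAN", LAN_TO_OPT1_PING),
        "posted rules, OPT1 -> LAN ping": forward(POSTED_RULES, "OPT1", OPT1_TO_LAN_PING),
        "block on LAN tab, LAN -> OPT1 ping": forward(FIX_ON_LAN, "LAN", LAN_TO_OPT1_PING),
        "floating out on OPT1, LAN -> OPT1 ping": forward(FIX_FLOATING_OUT, "LAN", LAN_TO_OPT1_PING),
    }


if __name__ == "__main__":
    for scenario, (verdict, why) in demo().items():
        print(f"{scenario:40s} {verdict:5s} {why}")
```

The first scenario reproduces the behaviour the post describes: the ping from LAN is only ever matched against LAN's "in" rules, and the OPT1 "in" block never sees it, because on OPT1 that packet is outbound. On a real firewall the generated pf ruleset (/tmp/rules.debug) shows the same structure, with interface rules as `pass in quick on $LAN ...` and the out direction covered by the built-in pass-out rule unless a floating out rule precedes it.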