Existential question about To all destination and it's behavior

Hi all!

This thing has been puzzling me for days.

  • I got a vm running on a vlan.
  • Vlan 10.0.11.0 Outbound is set to a VPN ADDRESS (manual mode)

What I’m trying (not to achieve) but to understand is.

Please let’s take a look at this screenshot to get where I dug into.

As you can see this looks the dumbest firewall ruleset on earth. But now here’s what I don’t understand.

  • At this moment, as of this screenshot. The vm on 10.0.11.3 gets no internet. Yippee

  • If I allow 10.0.11.3 to all (latest 10.0.11.3 rule) why does the vm gets Internet if ALL the inlcuded destinations (listed on top) gets a BLOCK policy?

  • The other intervlan/lan rules are working as they should

What does the to all destination includes that I cannot select within the drop down list?

Alternatively. The opposite is also true It seems I cannot get internet to a network if no allow all is involved in the chain.

I might be skipping a well known thing that I should know but my first reflex is to think:
what in the world is hidden into the ‘to all’ destination

Thanks for any thoughts

Rules are processed top to bottom,

Yes, you are blocking internet access with the top rules but you are allowing internet access with the last rule.

PFsense will process all the rules, it does not stop if it actions one of the rules.

Change the last rule to include 10.0.11.3 as the source and tick ‘invert match’ , this means it will process this rule except when the source is 10.0.11.3

Instead of creating all the block rules separately, create an alias (Firewall - Aliases) and create one rule using the aliases as the destination.

Thanks for your answer Paul.
You are right, rules are processed top to bottom:

  • First matching rule with A to B behavior will be applied
  • Second mathing rule with A to B behavior will be ignored since the match has already been applied on a preceding rule.

This order will let traffic go

Action Source Destination
Allow 10.0.11.3 ALL
Block 10.0.11.3 ALL

This Order will block traffic

Action Source Destination
Block 10.0.11.3 ALL
Allow 10.0.11.3 ALL

Here I made the opposite example from the first post even without any Deny rules:


This Rule set… will not allow any internet inside the VM.

So I’m back to the question
What is the difference between:

  • Allow interface A to B, C, D, E etc.
    and
  • Allow interface A to All.

Thanks