As you can see, this looks like the dumbest firewall ruleset on earth. But here's what I don't understand.
At this moment, as of this screenshot, the VM on 10.0.11.3 gets no internet. Yippee.
If I allow 10.0.11.3 to all (latest 10.0.11.3 rule), why does the VM get Internet if ALL the included destinations (listed on top) get a BLOCK policy?
The other inter-VLAN/LAN rules are working as they should.
What does the 'to all' destination include that I cannot select within the drop-down list?
Alternatively, the opposite is also true: it seems I cannot get internet to a network if no 'allow all' is involved in the chain.
I might be skipping a well-known thing that I should know, but my first reflex is to think: what in the world is hidden in the 'to all' destination?
Yes, you are blocking internet access with the top rules, but you are allowing internet access with the last rule.
pfSense will process all the rules; it does not stop if it actions one of the rules.
Change the last rule to include 10.0.11.3 as the source and tick 'invert match'; this means it will process this rule except when the source is 10.0.11.3.
Instead of creating all the block rules separately, create an alias (Firewall - Aliases) and create one rule using the alias as the destination.
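To make the three rulesets in this thread concrete (the poster's block-list plus "10.0.11.3 to all", the same list with 'invert match' on the last rule, and the alias version), here is a small added simulation of how a pfSense interface-tab ruleset is evaluated; it is not code from the thread or from pfSense. It models pfSense's interface rules as top-down, first match wins, with the implicit default deny for traffic that matches no rule, and models 'invert match' as applying to the source field and an alias as a list of networks. All addresses are constructed: 10.0.11.3 is the VM from the post, 10.0.10.0/24, 10.0.12.0/24 and 192.168.1.0/24 stand in for the networks selectable in the destination drop-down, and 203.0.113.10 (a documentation-range address) stands in for an internet host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Union

# A rule address field: "any", a single host/CIDR string, or a list of CIDRs
# (modelling a pfSense alias). Constructed model, not pfSense's own types.
Spec = Union[str, List[str]]


@dataclass
class Rule:
    action: str                # "pass" or "block"
    src: Spec
    dst: Spec
    invert_src: bool = False   # the "invert match" tick box on the source field


def _matches(spec: Spec, ip: str) -> bool:
    """True if ip falls inside spec ("any" matches everything)."""
    if spec == "any":
        return True
    nets = spec if isinstance(spec, list) else [spec]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Evaluate an interface-tab ruleset: top-down, first match wins;
    traffic that matches no rule hits the implicit default deny."""
    for r in rules:
        src_hit = _matches(r.src, src_ip)
        if r.invert_src:
            src_hit = not src_hit
        if src_hit and _matches(r.dst, dst_ip):
            return r.action
    return "block"


# --- Constructed sample data (hypothetical, not from the forum post) ---
VM = "10.0.11.3"
OTHER_HOST = "10.0.11.20"      # another host on the VM's VLAN
INTERNET = "203.0.113.10"      # documentation range standing in for a public IP
INTRA_NET = "10.0.11.0/24"     # the VM's own network
OTHER_NETS = ["10.0.10.0/24", "10.0.12.0/24", "192.168.1.0/24"]  # the drop-down networks

# 1. The poster's ruleset: block each listed destination, then "10.0.11.3 to all".
#    "all" also covers every address that is not in the drop-down, i.e. the internet.
ORIGINAL = [Rule("block", INTRA_NET, n) for n in OTHER_NETS] + [Rule("pass", VM, "any")]

# 2. The answer's fix: last rule has source 10.0.11.3 with "invert match" ticked,
#    so it passes everyone on the VLAN except the VM.
INVERTED = [Rule("block", INTRA_NET, n) for n in OTHER_NETS] + [
    Rule("pass", VM, "any", invert_src=True)
]

# 3. The same policy with one alias (a list of networks) instead of one block rule each.
ALIASED = [Rule("block", INTRA_NET, OTHER_NETS), Rule("pass", VM, "any", invert_src=True)]


def trace(rules: List[Rule]) -> Dict[str, str]:
    """Return the verdict for a few representative flows from the VM's VLAN."""
    flows = {
        "vm->other vlan": (VM, "10.0.10.5"),
        "vm->internet": (VM, INTERNET),
        "other host->internet": (OTHER_HOST, INTERNET),
        "other host->other vlan": (OTHER_HOST, "10.0.10.5"),
    }
    return {name: evaluate(rules, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, rules in [("original", ORIGINAL), ("inverted", INVERTED), ("aliased", ALIASED)]:
        print(label, trace(rules))
```

Running it shows the behaviour the poster saw: under the original ruleset the VM's traffic to the listed networks is blocked by the top rules, but its traffic to 203.0.113.10 matches none of them and is passed by "10.0.11.3 to all", because "all" includes every destination not offered in the drop-down. With 'invert match' on the source of the last rule the VM matches nothing and falls to the default deny, while the other host on the VLAN still reaches the internet; the alias ruleset gives identical verdicts with one block rule instead of three.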