pfSense Deny-All / Allow-All Confusion

I need some help getting my mind around the methodology of rules in pfSense.

Most basic tutorials show adding the LAN rule of LAN net * * * * , this is even the default out of the box.

My issue is this sets up a deny-by exception enviroment instead of allow-by exception. If I add a guest LAN now I have to define blocks to prevent cross talk. Setup more than 2 lans and now I would spend more time trying to put in all the deny rules.

I’m familiar with FortiGate where you simply define a LAN to WAN rule and it only allows… LAN to WAN.

Someone please tell me I’m missing something simple.

1 Like

Add a guest lan, then only allow traffic out the default gateway (under more advanced) instead of allowing it to use the routing table.

:thinking: Could this be used on the LAN for internet access? Otherwise with the default LAN to *** rule my LAN could access into the Guest. I would have to block access in to the guest and start down the rabbit hole of deny-by exception rules.

Default rule in pfSense is to deny.

The rule you see on the LAN is a rule to overwrite the default deny all. If you disable/delete(*) that rule then everything will stop. You could then add rules that are more specific. I guess more people expect LAN traffic to be allowed out on anything by default than for no traffic to be allowed so that’s how they set it. Think about the support burden if your default rules did not work “like my other router used to” (which was the ISP router that allowed all).

If you look at the WAN you will see no rules, everything is denied.

(* check that the default anti lockout rule is there first)

At first playing with pfSense I was totally confused by the rules, I found it helpful to basically delete everything and build up the rules manually, bit by bit I could understand what was happening on my network. It’s definitely slower but gives me some kinda confidence that I have an, at least, somewhat, secure network.

Alternatively you could setup an alias for your subnets and then define one rule per interface to block communication to the alias. This should prevent your subnets from talking to each other while still allowing your default allow rules to pass traffic across to a WAN interface. This approach still allows you to create rules to poke holes between subnets say if you have a resource on your LAN that you would like your guests to have access to, where as I don’t think you would be able to accomplish this if you Only allow traffic out the default gateway.

I would definitely test that out before applying in production to make sure it works how you would want it to, though.

I just received my Netgate router, and preparing to setup isolated LAN networks, and this is exactly my thought as well.

Correct, but you didn’t say what allow-rule(s) “that are more specific” would accomplish LAN1-4 to have access to internet without access to each other. I tried disabling the allow LAN to any rule and adding a LAN to WAN rule, but this doesnt allow traffic to go outside via WAN (since apparantly the WAN destination is still internal). My current best bet is to define allow rule: LAN to !(not) 192.168.0.0/16. But this still doesnt allow traffic to go outside in my setup, perhaps because I have an upstream router from my ISP with gateway in the 192.168.0.0/16 range. I will change its gateway subnet (e.g. to 10.0.xxx) or try to get rid of that router alltogether.