pfSense Deny-All / Allow-All Confusion

I need some help getting my mind around the methodology of rules in pfSense.

Most basic tutorials show adding the LAN rule of LAN net * * * * , this is even the default out of the box.

My issue is that this sets up a deny-by-exception environment instead of allow-by-exception. If I add a guest LAN, now I have to define blocks to prevent cross talk. Set up more than 2 LANs and now I would spend more time trying to put in all the deny rules.

I’m familiar with FortiGate where you simply define a LAN to WAN rule and it only allows… LAN to WAN.

Someone please tell me I’m missing something simple.


Add a guest LAN, then only allow traffic out the default gateway (under more advanced) instead of allowing it to use the routing table.

Could this be used on the LAN for internet access? Otherwise, with the default LAN to *** rule, my LAN could access the Guest network. I would have to block access into the guest network and start down the rabbit hole of deny-by-exception rules.

Default rule in pfSense is to deny.

The rule you see on the LAN is a rule to override the default deny-all. If you disable/delete(*) that rule then everything will stop. You could then add rules that are more specific. I guess more people expect LAN traffic to be allowed out to anything by default than for no traffic to be allowed, so that's how they set it. Think about the support burden if your default rules did not work "like my other router used to" (which was the ISP router that allowed all).

If you look at the WAN you will see no rules, everything is denied.

(* check that the default anti-lockout rule is there first)

At first, playing with pfSense, I was totally confused by the rules. I found it helpful to basically delete everything and build up the rules manually; bit by bit I could understand what was happening on my network. It's definitely slower but gives me some kind of confidence that I have an at least somewhat secure network.

Alternatively, you could set up an alias for your subnets and then define one rule per interface to block communication to the alias. This should prevent your subnets from talking to each other while still allowing your default allow rules to pass traffic across to a WAN interface. This approach still allows you to create rules to poke holes between subnets, say if you have a resource on your LAN that you would like your guests to have access to, whereas I don't think you would be able to accomplish this if you only allow traffic out the default gateway.

I would definitely test that out before applying in production to make sure it works how you would want it to, though.

I just received my Netgate router and am preparing to set up isolated LAN networks, and this is exactly my thought as well.

Correct, but you didn't say what allow rule(s) "that are more specific" would accomplish LAN1-4 having access to the internet without access to each other. I tried disabling the allow LAN to any rule and adding a LAN to WAN rule, but this doesn't allow traffic to go outside via WAN (since apparently the WAN destination is still internal). My current best bet is to define the allow rule: LAN to !(not) 192.168.0.0/16. But this still doesn't allow traffic to go outside in my setup, perhaps because I have an upstream router from my ISP with a gateway in the 192.168.0.0/16 range. I will change its gateway subnet (e.g. to 10.0.xxx) or try to get rid of that router altogether.

Ok, I have tried really hard to wrap my brain around how pfSense is doing all this and I think I'm close:

Rules are applied to outbound traffic, great. So inbound is open from other networks, not great.

I've read through the documentation and watched the training videos. They all say the best policy is Allow by exception, but then the default rules are Allow all. Even the examples are to Deny by exception before Allow all. Basically, set up your rules and at the end let everything through.

[image: rule list showing a Deny rule followed by an Allow any rule]

You can see there is a Deny rule, followed by Allow any. Allow to Any includes other LANs!

So here is the best I could come up with to make it an almost Allow by exception rule set:

Allow LAN to LAN, need DNS and DHCP.
Allow LAN to !Private IPs <~~ yeah, it's deny by exception, but hey, it's an allow rule.

On a DMZ or other isolated network I would tighten down the LAN to LAN but here it’s ok.

This has honestly driven me nuts this week! If it helps anyone out there, great. If not, oh well.
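The rule sets discussed in this thread (the default "LAN net to any" rule, the block-to-a-subnet-alias-then-allow approach, a lone "allow to !private" rule, and the closing post's "allow local, then allow to !private" set) are easy to compare with a small first-match simulator. The block below is an added example, not pfSense code and not posted by anyone in the thread; it models pfSense's behaviour of evaluating rules on the interface where traffic enters, first match wins, and block if nothing matches. The addresses (LAN 192.168.1.0/24 with the firewall at .1, GUEST 192.168.2.0/24 with the firewall at .1, an upstream ISP router at 192.168.0.1) and the alias names are constructed for the example. DHCP is left out because pfSense adds its own automatic rules for the DHCP server on an interface; DNS to the firewall's own address is modelled because it is exactly the flow a "to !private" rule silently drops.

```python
"""First-match simulator for pfSense-style per-interface rule sets (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Aliases as you would define them under Firewall > Aliases (constructed values).
ALIASES = {
    "LAN net": ["192.168.1.0/24"],
    "LAN address": ["192.168.1.1/32"],
    "GUEST net": ["192.168.2.0/24"],
    "GUEST address": ["192.168.2.1/32"],
    "LocalNets": ["192.168.1.0/24", "192.168.2.0/24"],  # every internal subnet
    "Private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # RFC 1918
}


@dataclass(frozen=True)
class Rule:
    iface: str                  # interface tab the rule sits on
    action: str                 # "pass" or "block"
    src: str                    # alias name, CIDR, or "any"
    dst: str                    # same; a leading "!" is the UI's "not" checkbox
    proto: str = "any"          # "any", "tcp" or "udp"
    port: Optional[int] = None  # destination port; None = any


def _networks(spec: str):
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(n) for n in ALIASES.get(spec, [spec])]


def _matches(spec: str, addr: str) -> bool:
    negate = spec.startswith("!")
    hit = any(ipaddress.ip_address(addr) in n for n in _networks(spec.lstrip("!")))
    return hit != negate


def evaluate(rules, iface, src, dst, proto, port) -> str:
    """Walk the rules on the ingress interface; first match wins, else block.

    This mirrors pfSense: a rule on the LAN tab governs what LAN hosts may
    send into the firewall, and the built-in policy is deny when nothing matches.
    """
    for r in rules:
        if r.iface != iface or (r.proto != "any" and r.proto != proto):
            continue
        if r.port is not None and r.port != port:
            continue
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.action
    return "block"


# Constructed test flows: (ingress interface, source, destination, proto, dport).
FLOWS = {
    "lan_to_internet":        ("LAN",   "192.168.1.10", "8.8.8.8",      "tcp", 443),
    "lan_dns_to_firewall":    ("LAN",   "192.168.1.10", "192.168.1.1",  "udp", 53),
    "lan_to_guest":           ("LAN",   "192.168.1.10", "192.168.2.10", "tcp", 445),
    "lan_to_upstream_router": ("LAN",   "192.168.1.10", "192.168.0.1",  "tcp", 80),
    "guest_to_internet":      ("GUEST", "192.168.2.10", "8.8.8.8",      "tcp", 443),
    "guest_dns_to_firewall":  ("GUEST", "192.168.2.10", "192.168.2.1",  "udp", 53),
    "guest_to_lan":           ("GUEST", "192.168.2.10", "192.168.1.10", "tcp", 445),
}


def audit(rules) -> dict:
    """Decision for every flow under a given rule set."""
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}


# 1. Out-of-the-box style: "LAN net * * * *" on every interface.
DEFAULT_ALLOW_ANY = [
    Rule("LAN", "pass", "LAN net", "any"),
    Rule("GUEST", "pass", "GUEST net", "any"),
]

# 2. Block to the subnet alias, then allow any. The pass for DNS to the
#    firewall's own address must come *before* the block, or the block eats it.
ALIAS_BLOCK_THEN_ALLOW = [
    Rule("LAN", "pass", "LAN net", "LAN address", "udp", 53),
    Rule("LAN", "block", "LAN net", "LocalNets"),
    Rule("LAN", "pass", "LAN net", "any"),
    Rule("GUEST", "pass", "GUEST net", "GUEST address", "udp", 53),
    Rule("GUEST", "block", "GUEST net", "LocalNets"),
    Rule("GUEST", "pass", "GUEST net", "any"),
]

# 3. A single "allow to !Private" rule and nothing else.
ONLY_NOT_PRIVATE = [
    Rule("LAN", "pass", "LAN net", "!Private"),
    Rule("GUEST", "pass", "GUEST net", "!Private"),
]

# 4. Allow to the local network (DNS reaches the firewall), then allow to !Private.
ALLOW_LOCAL_THEN_NOT_PRIVATE = [
    Rule("LAN", "pass", "LAN net", "LAN net"),
    Rule("LAN", "pass", "LAN net", "!Private"),
    Rule("GUEST", "pass", "GUEST net", "GUEST address", "udp", 53),
    Rule("GUEST", "pass", "GUEST net", "!Private"),
]

if __name__ == "__main__":
    for label, rules in [("default", DEFAULT_ALLOW_ANY), ("alias", ALIAS_BLOCK_THEN_ALLOW),
                         ("!private only", ONLY_NOT_PRIVATE), ("local+!private", ALLOW_LOCAL_THEN_NOT_PRIVATE)]:
        print(label, audit(rules))
```

Two things the run makes visible that the thread circles around: with only the "to !Private" rule, traffic to 8.8.8.8 passes but a DNS query to the firewall's own LAN address is blocked, so clients that use the pfSense resolver see "no internet" even though the WAN-bound rule is fine; and blocking to an alias of your own subnets leaves anything else in RFC 1918 space (here the upstream ISP router at 192.168.0.1) reachable, whereas "to !Private" does not, so choose the alias to match the policy you actually want.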