Pfsense rules confusion

I’ve watched your videos on rules and read Netgate’s help on rules; however, I’m still confused over SOURCE and DESTINATION. On Netgate they say rules are inbound. Does that only refer to the SOURCE, with the DESTINATION being outbound, which makes sense to me?

SOURCE = inbound TO that interface and
DESTINATION = outbound FROM that interface. Is this correct?

Also, if this is so, why set the SOURCE to the same as the interface net?

Source is where the network is coming from, destination is where you want it to land in the firewall.

Thanks Tom,
OK, when you say destination is where you want it to land in the firewall, if I set the destination in the LAN interface to, say, LAN2, would that also work? Or is it interface specific?

Yes, that is how you can make rules to go between the networks.

Sorry to be a pain, so this is valid and would allow traffic from VLAN10 to guestnetwork and allow LAN2 to also see that traffic?

Incidentally, thank you for taking time to make the videos and inspiring people.

That would allow traffic to route from VLAN10 to guestnetwork.

Hmm, OK, so LAN2 would have no other role in that other than allowing LAN2 to guestnetwork?

In that screenshot I don’t see any other LAN2 rules.

I think I understand more now. This is probably the most confusing aspect of pfSense for people starting out.

Thanks again for your time. I’ll have another play on my Oracle VM, which is causing me a lot of confusion!

Another weird problem: I have a rule from LAN2 to WAN, thus, but it’s still blocked.

I recommend you watch this video; I have it linked to start where I explain the firewall rules.

Thanks Tom,
I think I’m getting it now: enable everything everywhere, then block where you don’t want the interface to go. Obviously what I’m doing doesn’t work.

I got it to work as expected now; however, I can’t block the internet (WAN) from an interface.

Are you trying to block internet access on an interface?

As mentioned in the official documentation, the WAN net in the firewall rule isn’t referring to “the internet”:

WAN net - Please note this is not the internet, this is just the network WAN is connected to, just like the LAN or OPT net aliases above. If your ISP puts you on a x.x.x/21 network, or a /29 or a /24, that is the network this refers to… Not the whole internet.

So you can neither allow nor block access to the internet using WAN net as a destination (which is why your above rule did not work). If you don’t want devices to be able to access the internet via a certain interface, simply don’t add any rule that allows such traffic to pass (e.g. don’t use any rule that allows traffic to any destination).

This works because you need to specifically allow traffic to pass, since pfSense blocks any traffic on an interface by default.
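A worked illustration of the point above, added here and not part of the thread or of pfSense itself: a small Python model of pfSense-style rule evaluation (rules are consulted on the interface where traffic enters, first match wins, anything unmatched hits the implicit default deny). The subnets, the "WAN net" address range and the host addresses are constructed assumptions, and state tracking for reply traffic is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumed values, not from the thread): each
# "<interface> net" alias is only the subnet attached to that interface.
INTERFACE_NETS = {
    "LAN net": ip_network("192.168.1.0/24"),
    "LAN2 net": ip_network("192.168.2.0/24"),
    "WAN net": ip_network("203.0.113.0/24"),  # ISP-facing subnet, NOT the internet
}

def matches(alias, addr):
    """True when addr is inside the alias; 'any' matches every address."""
    if alias == "any":
        return True
    return ip_address(addr) in INTERFACE_NETS[alias]

def evaluate(rules, interface, src, dst):
    """pfSense-style evaluation: only rules on the interface where the packet
    enters the firewall are consulted, first match wins, and a packet that
    matches nothing hits the implicit default deny (stateless model)."""
    for rule in rules:
        if rule["iface"] != interface:
            continue
        if matches(rule["src"], src) and matches(rule["dst"], dst):
            return rule["action"]
    return "block"

# The attempt from the thread: "block LAN2 -> WAN net", then allow the rest.
LAN2_RULES_WRONG = [
    {"iface": "LAN2", "action": "block", "src": "LAN2 net", "dst": "WAN net"},
    {"iface": "LAN2", "action": "pass", "src": "LAN2 net", "dst": "any"},
]

# The fix from the reply: no rule passing LAN2 to "any"; allow only what is
# wanted (here LAN2 -> LAN) and let the default deny handle everything else.
LAN2_RULES_FIXED = [
    {"iface": "LAN2", "action": "pass", "src": "LAN2 net", "dst": "LAN net"},
]

if __name__ == "__main__":
    host, public, isp_gw, lan_host = "192.168.2.10", "198.51.100.7", "203.0.113.1", "192.168.1.5"
    print(evaluate(LAN2_RULES_WRONG, "LAN2", host, public))    # pass: the block rule never matched
    print(evaluate(LAN2_RULES_WRONG, "LAN2", host, isp_gw))    # block: only the ISP subnet matches WAN net
    print(evaluate(LAN2_RULES_FIXED, "LAN2", host, public))    # block: default deny
    print(evaluate(LAN2_RULES_FIXED, "LAN2", host, lan_host))  # pass
```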

Thanks Cetteup,

That makes a lot of sense to me and explains a lot of issues I’ve come across. I think my understanding of rules is entirely the other way up, if you see what I mean. I see rules as all the traffic coming in from above each interface, then blocked or allowed sources by the rules. I’ll go and have a play with my renewed knowledge and see if I can repeatedly get it to work as I expect.

I’m using Oracle VM with pfSense and two other VMs running Puppy Linux for testing. The two Puppies are on an internal network within Oracle, and that in turn is LAN and LAN2 in pfSense, with the WAN DHCP’d from my router. All on my laptop Wi-Fi to the router.

This is how I viewed rules:

But I think they work more like this?