Feature #2235


Rules with destination interface

Added by David RAMEY almost 10 years ago. Updated almost 10 years ago.

Rules / NAT

It would be nice if we can make rules between interfaces and/or interface groups directly.

Currently, if an internal network should access the internet without accessing another internal network, we have to make two rules:
. deny <LAN1> -> <LAN2>
. permit <LAN1> -> <ANY>

Whereas if each interface is put in a dedicated interface group:
. permit <int-group_lan1> -> <int-group_internet>

This can simplify the rules a lot and avoid some potential unwanted traffic.

Currently no other distro seems to support this (no support for interface groups either); I think it can be a major feature for pfSense.

#1

Updated by Chris Buechler almost 10 years ago

  • Status changed from New to Closed

You can easily do that with floating rules.

#2

Updated by David RAMEY almost 10 years ago

This does not work as expected unfortunately.

I put a rule on the external interface (permit LAN -> any), but traffic is blocked by the default deny on the internal interface.

This does not simplify rules as expected.

#3

Updated by Jim Pingle almost 10 years ago

The way pf works you can't put rules on the WANs in the outbound direction that match local IPs as the source. This is because on WAN the NAT has happened by the time the rules are reached. There isn't really a way around that, so the type of syntax you're proposing wouldn't be possible except in a pure-routing scenario that had no NAT involved, and that can be covered in floating rules.

#4

Updated by Erik Fonnesbeck almost 10 years ago

Tags can be used for firewall rules to match only traffic handled by a certain NAT rule, right? Any reason this hasn't made it into any of the NAT rule pages so far?
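
As an added illustration (not part of this issue and not pfSense's generated ruleset) of the ordering Jim describes in #3 and the tag idea raised in #4, the following hand-written pf.conf fragment uses assumed interface names and networks:

```pf
# Added example with assumed interfaces/networks; not pfSense's own ruleset.
lan1     = "em1"
lan2     = "em2"
wan      = "em0"
lan1_net = "192.168.1.0/24"
lan2_net = "192.168.2.0/24"

# Outbound NAT for LAN1 (similar in effect to pfSense's automatic outbound
# NAT). "tag" marks every packet this rule translates so that filter rules
# can later recognise it even after the source address has been rewritten.
nat on $wan from $lan1_net to any -> ($wan) tag LAN1_OUT

# (1) The two-rule scheme from the original request, placed inbound on LAN1,
#     where the source address is still the real LAN1 host. pfSense rules are
#     "quick" (first match wins), so the block must come before the pass.
block in quick on $lan1 from $lan1_net to $lan2_net
pass  in quick on $lan1 from $lan1_net to any

# (2) The rule the request wanted, written outbound on WAN. This never
#     matches: translation rules are applied before filter rules, so when this
#     rule is evaluated the source is already the WAN address, not a LAN1 one.
pass  out quick on $wan from $lan1_net to any        # dead rule

# (3) The tag-based variant from #4: match "traffic handled by a certain NAT
#     rule" instead of the already-rewritten source address. An inbound pass
#     on LAN1 is still required (the default deny from #2 applies there); this
#     only shows how a WAN-side rule can refer to LAN1 traffic at all.
pass  out quick on $wan tagged LAN1_OUT
```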
