Rules with destination interface
It would be nice if we can make rules between interfaces and/or interface groups directly.
Currently, if an internal network should access the internet without accessing another internal network, we have to make two rules:
. deny <LAN1> -> <LAN2>
. permit <LAN1> -> <ANY>
Whereas if each interface is put in a dedicated interface group:
. permit <int-group_lan1> -> <int-group_internet>
This can simplify the rules a lot and avoid some potential unwanted traffic.
Currently no other distro seems to support this (no support for interface groups either); I think it can be a major feature for pfSense.
Updated by Jim Pingle almost 10 years ago
The way pf works you can't put rules on the WANs in the outbound direction that match local IPs as the source. This is because on WAN the NAT has happened by the time the rules are reached. There isn't really a way around that, so the type of syntax you're proposing wouldn't be possible except in a pure-routing scenario that had no NAT involved, and that can be covered in floating rules.
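The two-rule pattern from the request and the NAT-ordering point in the reply, shown as a pf.conf fragment. This is an added example, not the original request's text or pfSense's generated ruleset; the interface names and macros are assumed for illustration.

```pf
# Added example (not from the request or pfSense's ruleset); interface
# names are assumed.
wan  = "em0"
lan1 = "em1"
lan2 = "em2"

# Outbound NAT: LAN1 source addresses are rewritten to the WAN address
# before any "out on $wan" filter rule is evaluated.
nat on $wan from $lan1:network to any -> ($wan)

# The two-rule pattern from the request, applied inbound on LAN1, where the
# packet still carries its original (pre-NAT) source address.
# "quick" makes the block win; without it the later pass would override it.
block in quick on $lan1 from $lan1:network to $lan2:network
pass  in quick on $lan1 from $lan1:network to any

# Why a "LAN1 -> WAN" rule on the WAN side cannot do the same job: by the
# time this rule is checked the source is already ($wan), so it never
# matches. Left commented out to show the mistake, not to use it.
# pass out on $wan from $lan1:network to any
```

Only in a pure-routing setup with no NAT on $wan would the commented rule see LAN1 addresses, which is the floating-rule case the reply mentions.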