General Discussion / What is the logic in allowing LAN interfaces to communicate by default?
« on: December 16, 2015, 09:54:32 pm »
Hi all,
I've been pulling my hair out with pfSense and seemingly now OPNsense, and I'm struggling to understand the logic that's got me so frustrated.
I have a WAN interface and, at present, 4 LAN interfaces on different subnets. By default, traffic passes across the LAN interfaces and I can't seem to firewall this in a way that makes sense (at least to me anyway).
Maybe I'm just doing it all wrong, but in my mind it makes sense that no traffic should be allowed to travel across different interfaces without having been explicitly allowed.
Again, perhaps I simply misunderstand, but from what I can ascertain there are a few ways in which to resolve the issue. Firstly, a floating rule can stop the traffic, but this makes management of the interface rules unintuitive. I expect to be able to see the definitive ruleset for an interface on its own tab. Using a floating rule means I have to put each and every exception as a floating rule too.
I gather I can also achieve the desired result by using the interface rules to restrict the traffic going out of the interface to any other interface. This is also not desirable, as if a new interface is added, I potentially need to add additional rules to each of the existing interfaces. Perhaps not so much of an issue with just 4 interfaces, but later down the line, when there are 40 interfaces, this will be error prone.
In my own mind this seems such a simple thing to want to achieve, so I can only think I am approaching it the wrong way and that there are valid reasons for allowing traffic across interfaces by default. I'd be grateful if someone can explain why it works this way.