@ricklinux So, the bypass is for SAME interface only, which is anyway what you want when using pfSense as a home router.
To give some more context: 99% of the time you don’t need any of this because there’s the router with the WAN (public) IP on one side and a single subnet on the other (LAN) side. The router filters all traffic going through it, but on the LAN side everything is on the same subnet talking to each other directly (so they bypass the router).
Now in my case, I have this subnet for Proxmox and even that is a special case: 99% of people doing that will use bridged mode in Proxmox and thus still have ONE subnet (the VMs share the host NIC and the same subnet). However, bridged mode does not work well with WLAN and in my home the desktop is in an area without wired connectivity so I am forced to use routed mode.
Now, once you end up with TWO internal subnets (for whatever reason) routing between them becomes a thing. By default pfSense would STILL work if everyone routed properly, going via pfSense only to talk to external (Internet) hosts, but what happens here is:
- I have a DHCP setting (option 121) that tells DHCP clients in subnet 192.168.9.0/24 that they do NOT need to go via pfSense (192.168.9.254) to talk to hosts on the 192.168.42.0/24 subnet, and that they should instead go to 192.168.9.10 (the Proxmox host) which can relay to that subnet.
- Almost all my hosts (laptop, NAS, etc.) in 192.168.9.0 understand this, so when they talk to the DHCP server they add a static route for it.
- Normally if host A in the main subnet wanted to talk to host B which is a VM, the conversation would be direct via Proxmox host X. The route is A → X → B → X → A (A sends via X and B replies via X).
- The Brother printer P, unfortunately, does NOT understand option 121. Therefore the printer P does NOT know that it can simply reply directly via Proxmox host X and uses the default gateway, which is the pfSense host F (which has firewall rules). So the conversation between B and P is like: B → X → P → F (!) → X → B. Notice here that the printer does not go directly to X but to the default gateway F, which knows to relay via X, but then applies its rules…
Now you can set rules to tell pfSense “don’t worry about filtering traffic between 192.168.9.0/24 and 192.168.42.0/24 because they are both internal subnets, so I trust them both”. You need to let it know it can treat all hosts on both subnets as if they were one internal subnet with stuff you own and want to talk to each other unhindered. But you need to explicitly state that, as pfSense doesn’t know this for a fact, and it would be insecure to assume that.
You normally WANT to bypass the firewall in this case and the easy way to do it is to tick that box in pfSense that reads “Bypass firewall rules for traffic on the same interface”. Basically what this tells pfSense is “look, I’m not a corp with a complicated intranet, so I don’t want to bother with explicit rules: you have 2 interfaces, WAN and LAN; treat all traffic that does not cross from one side to the other as OK to pass”.
Therefore if something comes from the LAN (in this case the Brother printer’s response) and moves on to the LAN (in this case the Proxmox host) don’t apply any filtering.
Just putting this here to make it clear it’s OK to do this if you’re just a home setup with a couple of subnets (instead of one).
And once again, I would remind you that if EVERYTHING at home was on one subnet (192.168.9.0/24), which is the case for 99.9% of people, then even this would not be needed. The only reason I came across it was the fact that my Proxmox has to talk via WLAN and therefore has to work in routed (two separate subnets) instead of bridged (same subnet as the host for VMs) mode, AND the silly printer does not understand DHCP option 121, so it does not have a direct static route to the VMs bypassing pfSense…
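As an added illustration (example code, not part of the post above or of pfSense/Proxmox), the following Python encodes the option 121 payload that the post describes (RFC 3442 classless static routes) and then replays the two conversations with a tiny longest-prefix-match simulation: host A, which learned the option, reaches VM B directly through Proxmox host X, while printer P, which ignores the option, replies through pfSense F. Addresses 192.168.9.0/24, 192.168.42.0/24, 192.168.9.10 and 192.168.9.254 are the post's; the individual host addresses for A, P, B, the Proxmox VM-side address 192.168.42.1 and the WAN gateway 203.0.113.1 are constructed for the example.

```python
import ipaddress
import math

# --- DHCP option 121 (RFC 3442 classless static routes) --------------------
# Wire format per route: prefix length, ceil(prefix/8) significant octets of
# the destination, then the 4-byte router. A client that honours option 121
# must ignore option 3 (router), so the default route is listed here too.

def encode_option_121(routes):
    """Encode [(destination CIDR, gateway), ...] as the option 121 payload."""
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest)
        sig = math.ceil(net.prefixlen / 8)
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)

def decode_option_121(payload):
    """Inverse of encode_option_121; returns [(CIDR, gateway), ...]."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        sig = math.ceil(plen / 8)
        dest = bytes(payload[i + 1:i + 1 + sig]).ljust(4, b"\x00")
        gateway = bytes(payload[i + 1 + sig:i + 5 + sig])
        i += 5 + sig
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(gateway))))
    return routes

# --- Next-hop simulation of the post's topology ----------------------------
MAIN = ipaddress.IPv4Network("192.168.9.0/24")      # LAN subnet (post)
VMS = ipaddress.IPv4Network("192.168.42.0/24")      # Proxmox VM subnet (post)
DEFAULT = ipaddress.IPv4Network("0.0.0.0/0")
PROXMOX, PFSENSE = "192.168.9.10", "192.168.9.254"  # X and F (post)
PROXMOX_VM_SIDE = "192.168.42.1"                    # constructed
OPT121_ROUTES = [("192.168.42.0/24", PROXMOX), ("0.0.0.0/0", PFSENSE)]

# Host A builds its table from the decoded option, exactly as a client would.
A_TABLE = [(ipaddress.IPv4Network(d), g)
           for d, g in decode_option_121(encode_option_121(OPT121_ROUTES))]
A_TABLE.append((MAIN, None))                        # connected route

# node -> (own addresses, [(network, gateway or None for on-link), ...])
NODES = {
    "A": ({"192.168.9.20"}, A_TABLE),                          # option-121-aware host
    "P": ({"192.168.9.30"}, [(MAIN, None), (DEFAULT, PFSENSE)]),  # printer, option 3 only
    "X": ({PROXMOX, PROXMOX_VM_SIDE}, [(MAIN, None), (VMS, None)]),
    "F": ({PFSENSE}, [(MAIN, None), (VMS, PROXMOX), (DEFAULT, "203.0.113.1")]),
    "B": ({"192.168.42.20"}, [(VMS, None), (DEFAULT, PROXMOX_VM_SIDE)]),
}

def owner(address):
    """Name of the node that holds this address on an attached link."""
    return next(n for n, (addrs, _) in NODES.items() if address in addrs)

def next_hop(node, dst):
    """Longest-prefix match; on-link routes deliver straight to the owner."""
    ip = ipaddress.IPv4Address(dst)
    _, table = NODES[node]
    _, gateway = max((r for r in table if ip in r[0]), key=lambda r: r[0].prefixlen)
    return owner(dst) if gateway is None else owner(gateway)

def trace(src, dst):
    """Sequence of nodes a packet from src to dst passes through."""
    path, node = [src], src
    while dst not in NODES[node][0]:
        node = next_hop(node, dst)
        path.append(node)
    return path

def passes_firewall(path):
    """True when the path transits pfSense (F), where rules are applied."""
    return "F" in path

if __name__ == "__main__":
    print("option 121:", encode_option_121(OPT121_ROUTES).hex())
    print("A -> B:", trace("A", "192.168.42.20"))
    print("B -> P:", trace("B", "192.168.9.30"))
    print("P -> B:", trace("P", "192.168.42.20"),
          "firewalled" if passes_firewall(trace("P", "192.168.42.20")) else "direct")
```

Running it shows the asymmetry the post describes: A ↔ B never touches F, but the printer's reply P → F → X → B enters and leaves F on the same LAN interface, which is precisely the traffic the "Bypass firewall rules for traffic on the same interface" option exempts from filtering.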