Example #2 – universal allow any rule

As we mentioned previously in this chapter, pfSense creates two default Allow LAN to any rules (one for IPv4, one for IPv6) that provide outbound access for the LAN interface. If we subsequently create other subnets or interfaces, however, we must create our own Allow rules for each of them. We can make life easier by creating a single floating Allow rule that applies to multiple interfaces at once. Here, we will show you how.

Navigate to Firewall | Rules and click on the Floating tab. On that tab, click on one of the Add buttons. When the page loads, keep the Action at the default of Pass. Leave the Quick checkbox unchecked for now; we will come back to it when we test the rule. In the Interface list box, select all the interfaces to which you want this rule to apply (usually all non-WAN interfaces). Leave Direction at its default of any. For Address Family, select IPv4+IPv6. For Protocol, select any. Source and Destination can be kept at their default values of any. Enter a brief description in the Description edit box and click on the Save button. As with the rule in the previous example, make sure that the rules are in the correct order. If any rules are moved, click on the Save button and then click on the Apply Changes button.

Since eliminating redundant rules is part of the firewall rules best practices, you should next go back to the LAN tab and disable the two Allow LAN to any rules. Before you do, make sure the anti-lockout rule is still in effect: under System | Advanced, on the Admin Access tab, the Disable webConfigurator anti-lockout rule checkbox must remain unchecked. Otherwise, if the floating rule was not set up correctly, you could lock yourself out of the pfSense web interface. Once the rule takes effect, users on all selected interfaces should have outbound access unless per-subnet/per-interface rules prevent it. Keep in mind that, because Source and Destination are both any, the floating rule also permits traffic between the internal subnets it covers; if those segments must be isolated from each other, add block rules on their interface tabs.

The interaction with interface rules depends on the Quick option. pfSense evaluates floating rules before interface-tab rules, but the last matching rule wins unless a matching rule is marked Quick, which ends evaluation immediately. Interface-tab rules are always Quick; a floating rule is Quick only if you tick the box. So with Quick disabled, a matching block rule on an interface tab still wins over our floating Allow, whereas with Quick enabled the floating Allow is final and block rules on the interface tabs are never reached. One test you can do to confirm this is to try to access appleinsider.com (blocked by the rule from the previous example) with the Quick option for this rule disabled (access should be blocked), and then try again with the Quick option enabled (access should be allowed, because now our floating Allow rule takes precedence).
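To make the Quick behaviour concrete, the following is an added example (not pfSense code) that models pf's rule evaluation: top to bottom, last match wins, unless a matching rule is quick, which stops evaluation. It loads a floating Allow any rule on LAN and OPT1 ahead of a quick block rule on the LAN tab, and evaluates the same packet with Quick off and on. Interface names, the stand-in address for appleinsider.com, and the hypothetical helper names are constructed for the illustration.

```python
"""pf-style rule evaluation: 'quick' versus last-match-wins.

Added example, not code from pfSense. It models how pf (and therefore
pfSense) decides a packet's fate: rules are evaluated top to bottom and
the LAST matching rule wins, unless a matching rule carries 'quick', in
which case evaluation stops at that rule. pfSense loads floating rules
before interface-tab rules, interface-tab rules are always quick, and a
floating rule is quick only if the Quick box is ticked.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    interfaces: Set[str]             # interfaces the rule applies to
    dst: Optional[str] = None        # destination host, None means any
    quick: bool = False              # stop evaluating when this rule matches
    label: str = ""


# Constructed stand-in address for appleinsider.com (documentation range).
BLOCKED_SITE = "203.0.113.10"


def evaluate(rules: List[Rule], interface: str, dst: str) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides the packet's fate."""
    winner: Optional[Rule] = None
    for rule in rules:
        if interface not in rule.interfaces:
            continue
        if rule.dst is not None and rule.dst != dst:
            continue
        winner = rule            # last match so far
        if rule.quick:
            break                # quick: this match is final
    if winner is None:
        # Nothing matched: pfSense's default deny applies.
        return ("block", "default deny")
    return (winner.action, winner.label)


def build_ruleset(floating_quick: bool) -> List[Rule]:
    """Floating Allow any on LAN+OPT1, then the LAN-tab block from Example #1."""
    floating_allow = Rule("pass", {"LAN", "OPT1"}, None, floating_quick,
                          "floating allow any")
    # Interface-tab rules are always quick in pfSense.
    lan_block = Rule("block", {"LAN"}, BLOCKED_SITE, True,
                     "LAN block appleinsider.com")
    # Floating rules are loaded ahead of interface-tab rules.
    return [floating_allow, lan_block]


def site_reachable(floating_quick: bool) -> bool:
    """Can a LAN host reach the blocked site for the given Quick setting?"""
    action, _ = evaluate(build_ruleset(floating_quick), "LAN", BLOCKED_SITE)
    return action == "pass"


if __name__ == "__main__":
    for quick in (False, True):
        rules = build_ruleset(quick)
        print(f"Quick={quick}: LAN  -> appleinsider.com :",
              evaluate(rules, "LAN", BLOCKED_SITE))
        print(f"Quick={quick}: LAN  -> other site       :",
              evaluate(rules, "LAN", "198.51.100.5"))
        print(f"Quick={quick}: OPT1 -> appleinsider.com :",
              evaluate(rules, "OPT1", BLOCKED_SITE))
```

With Quick off, the LAN-tab block rule is the last (and quick) match, so the site is blocked on LAN while OPT1, which has no such block, is allowed through by the floating rule; with Quick on, the floating Allow is final and the LAN block is never consulted. That is exactly the difference the appleinsider.com test above is meant to show.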