@kmp said in Default deny rule IPV4(1000000103):
For LAN interfaces, as I understand it, there is no default drop rule,
The default behavior of pf, the firewall used by pfSense, is drop.
Try it out for yourself : remove all rules from LAN and see what happens.
There is one exception : if you have the DHCP server activated on an interface, pfSense will add pass rules for port 67(68) UDP on that interface.
@kmp said in Default deny rule IPV4(1000000103):
the default is pass as initially
When installing pfSense, there will be a PASS ALL on the LAN, and only the LAN. If you assigned other (OPTx) interfaces during installation, all these interfaces will not allow incoming traffic. You have to add rules for all these interfaces yourself in the GUI.
Btw : because the WAN doesn't have any rules listed in the beginning, the WAN doesn't let any traffic in. This is what most users want.
@kmp said in Default deny rule IPV4(1000000103):
I will say that I screwed things up by initially setting up an inbound NAT with "PASS";
When you add a NAT rule, two things happen :
An address (and port) translation rule is inserted. This rule is listed under Firewall > NAT > Port Forward
When done, have a look at your WAN firewall rule : there is also a new firewall rule now.
This is, of course, a PASS rule.
At the bottom, you'll see
[screenshot]
It would be best not to edit this rule, as it is maintained by the NAT rule listed under Firewall > NAT > Port Forward
@larryjb said in Default deny rule IPV4(1000000103):
Suddenly I had to change it to 192.168.1.1
Ok, nice, but do you mind explaining what the 'suddenly' is about?
It was written on the wall and you followed the advice?
@larryjb said in Default deny rule IPV4(1000000103):
and I cannot get an internet connection unless I have it set to .1.
You can set any IP on your LAN as long as the LAN network is not the WAN network.
Golden rule number one : just keep the default 192.168.1.1/24 on LAN, connect the WAN to your upstream device or cable, and you'll be fine.
In the past, we all had some modem-type device, so the WAN interface obtained a 'real' Internet WAN IP (non RFC1918).
This changed in the last decade or so; most now use a (modem)+router (so it can integrate VOIP functionality, VOD, and a Wifi access point). These ISP devices ('boxes') often have a switch integrated, and offer an RFC1918 LAN network, and because these devices do "NAT", you get a free firewall. This LAN network can be used with all your home devices. Really nice, as now grandma can set up her own home network without knowing anything.
If this ISP device also uses 192.168.1.1/24, then you have a choice to make : change the ISP box default LAN network 192.168.1.1/24 to something else, like 192.168.2.1/24, or change the pfSense default LAN to something else, like 192.168.10.1/24 (Ok to pick 192.168.10.15/24 but then I really have to ask you : why ????). Some like 192.168.10.254/24
My way of seeing things : because my ISP box is connected to nothing but pfSense, I change the ISP box default network from 192.168.1.1/24 to 192.168.100.1/24 - the pfSense WAN IP becomes something like 192.168.100.x where x is something between 2 and 254, using the default DHCP client on its WAN.
I've shut down the crappy Wifi of the ISP box, as I've my own dedicated APs, all behind pfSense LANs.
Btw :
[screenshot]
you don't need these.
Keep the KIS process up and running : enter less info, simplify maintenance and possible issues :
[screenshot]
and now you can access "the world".
I've had zero DNS issues for the last 15 years of pfSense usage.
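To make the points above concrete (default drop, the DHCP exception, the LAN PASS ALL, and the pass rule linked to a port forward), here is an illustrative pf ruleset fragment. It is an added example, not the post's text and not the ruleset pfSense actually generates; the interface names `em0`/`em1` and the forward target 192.168.1.10 are assumptions.

```pf
# Constructed illustration of the behaviour discussed in this thread.
# NOT the ruleset pfSense generates; interface names and the forward
# target 192.168.1.10 are assumptions.
wan = "em0"
lan = "em1"

# pf's default policy: anything no rule explicitly passes is dropped.
# This is why an interface with no rules (a fresh OPTx, or the WAN) lets
# nothing in.
block drop in log all

# Exception pfSense adds only when the DHCP server is enabled on LAN:
# clients must reach the DHCP server (UDP 68 -> 67) before they have an address.
pass in quick on $lan inet proto udp from any port 68 to any port 67

# Default install: the single PASS ALL rule, present on LAN only.
pass in quick on $lan inet from 192.168.1.0/24 to any

# A port forward (Firewall > NAT > Port Forward) results in two things:
# 1) the translation rule: TCP 443 on the WAN address is rewritten to
#    192.168.1.10 ...
rdr on $wan inet proto tcp from any to ($wan) port 443 -> 192.168.1.10 port 443
# 2) ... and the linked PASS rule on WAN that actually admits the traffic.
#    It matches the translated (internal) destination, so only the host and
#    port named in the forward are exposed. Edit the forward, not this rule.
pass in quick on $wan inet proto tcp from any to 192.168.1.10 port 443
```

Remove the last `pass` line and the forwarded port is still translated but then dropped by the `block` rule, which is exactly why a port forward without its linked firewall rule "does nothing".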