@QuantumParadox said in can't disable web config or web GUI to WAN:

I can't seem to disable the web GUI for the WAN ... 25.03.b.20250429.1329 ...

The default firewall behavior, for every interface is (roll the drums) is .... (wait for it) : it block everything.
For this very reason, when you install pfSense, you find this on the LAN interface :

b5a74258-2177-483d-80ea-953e9411aed3-image.png

Not rules 1 and 2, I've added them myself.
Rule 3 and 4 have to be there, otherwise you wouldn't be able to access your pfSense using the Ethernet, using the LAN NIC.

The issue with the WAN interface is .... the admin, better known as : you.
Let's compare pfSense with your own house.
Some one, a stranger, or even you, without your keys, can not enter the front door : it's locked.
While you are at home, you decided to test the front door : is it locked ? To do this test, you opened the front door from the inside (remember : you are at home) and then you say : "hey, it's open !"

Back to pfSense : you are probably connected with a device on the pfSense LAN, default LAN firewall rule let the traffic flow into the LAN, and you used as a destination IP the WAN interface.
That's like accessing the WAN interface from the inside. Traffic actually never leaves that pfSense WAN interface, to be echoed back to the WAN by magic by some other device behind the NAT (some ISP equipment for example).

@QuantumParadox said in can't disable web config or web GUI to WAN:

I did create rules to block 443 and 80

No need.
My WAN rules :

df83d4b9-c7b1-43fc-8d77-8682a1cc0cfa-image.png

Normally, when you install pfSense, there are no rules on the WAN firewall.
This means nothing can enter.
I've surfaced this behavior by adding the last two block (red cross) rules.
The six rules I have before these two block rules are there for me, so I can access my NAS (on my pfSense LAN) and VPN (on pfSense).
The VPN can be accessed from any IP address = from everywhere.
My NAS can only be accessed by the device Ips I've listed in the alias called "SYS", and no one else.
I do accept ping (IPv4 and IPv6) on my WAN because "why not ^^".

Go get some sleep, all is well ^^

@QuantumParadox said in can't disable web config or web GUI to WAN:

asking AI for help

Euh ....
That only works if you ask good questions.
Like this : what is the default FreeBSD firewall pf behavior ?

and you see the good answer right away.
Not only valid for pfSense but every firewall.

@QuantumParadox said in can't disable web config or web GUI to WAN:

Go to System > Advanced > Admin Access.
Fnd the setting for WebGUI Listen Interfaces (it may not be visible in your provided list, but it should be there).
Select LAN or another internal interface only—do not select WAN. and apply the settings the issue is I don't have any of those settings.

I wished that was really the case, but my 24.11 - actually 25.03 beta 4 right now, doesn't have that option.
There is no setting over there that controls on what interface the pfSense web GUI is listing.
The reality is that the pfSense web interface listens to all system known interfaces, this includes also the localhost (127.0.0.1) and interfaces like WAN.
Your pfSense doesn't' contain any AI, but it still give you the answer :

[25.03-BETA][root@pfSense.bhf.tld]/root: sockstat -4 | grep 'nginx' root nginx 29461 5 tcp4 *:443 *:* root nginx 29461 7 tcp4 *:80 *:* root nginx 29017 5 tcp4 *:443 *:* root nginx 29017 7 tcp4 *:80 *:*

You see the * : * ? That means : every interface. And that includes WAN, which is, imho, somewhat scary.
So, every interface, using tcp4 or IPv4, on both port 80 (http) and port 443 (https).
Two instances because :
cc723b58-8d4d-4753-9713-08b643b0ced8-image.png

@katakuri said in Firewall Rules and the Gateway:

But when traffic has to go through the gateway, such as traffic going to the internet, the destination for the traffic will be the actual target, not the gateway itself, right? Traffic destined for outside the subnet is sent to the gateway but for the firewall the actual target is the remote address?

Yes.

Firewall rules in pfSense work at layer 3. Each IP packet includes the source and the destination address in its header. These are evaluated by pfSense for filtering the traffic.

The gateway, however, is a case of layer 2. A packet can be sent to the gateway (per hardware address) even the destination address is something different.

@bmeeks got it, thank you

@katakuri said in Firewall Rules Order:

But a floating rule could veto an outbound packet on the WAN interface that was passed from a LAN rule?

Yes. But, as a beginner, you should not consider any floating rules anyways. Even if you are not a beginner, you would not use them unless you absolutely have to. 99.9% off all rules have the direction "in" and therefor can be created anywhere else.

@johnpoz You nailed it. ntopng is installed!

@pfsense57352 I am new to pfsense and It might seem a bit overkill to install Home Assistant just to monitor pfsense, but the built in integration is really nice and I don't know your use case.

It even has an addon that runs locally called Uptime Kuma (basically an uptimerobot alternative).

The ha pfsense addon has a lot of sensors... just fyi here is a home assistant page where I get info from pfsense:

pfsenseha.jpg

@Gertjan
Thanks, friend.

I thought that Pfsense, like Fortigate and Palo Alto, was capable of creating rules based on users, so how can I do this mac and dhcp connection?

@cosmos-tong thanks but no thanks.

idiom. used to say that you are grateful to someone for offering something but that you do not want to accept the offer; sometimes used humorously when you are not really grateful:

@patient0 Ugh, this is embarrassing /:()

@johnpoz Thank you for your answer.

First of all I saw that documentation page. It says "A safe assumption is approximately 1K of memory per entry to be conservative." so I assumed that I could use that number.

I love pfsense (I have four Netgate devices), but there are some issues with it, and this is one of them. It would have been nice to have this information in the GUI, or perhaps auto-adjusted limits.

Adding 200 000 more to the limit fixed my problem.

@louis2
What rule ?
What interface ?
What log settings ?

edit :

74e1219f-ef00-4b06-b483-bd3abd2613a8-image.png

and things will calm down.

@louis2 https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#ip-options

@Gertjan
Done thanks. 👍

I just checked, you are correct. First action on PRI5 is block and second action on Europe is match =)

@patient0 ok thanks

@helis821 forgot to say - also doesn't work with windows firewall disabled

@CreationGuy said in Allow only outbound connections to one ext. IP and port:

edit: although, I do like to see the external attempts on getting into the router...

Wrong ... 😊
That would be like looking in the barrel of a gun to see if a cartridge (bullet) is loaded.
Not the best way of checking things.

Every blocked packet will match the default block rule .... that's ok, and can be done rather quickly, but if every blocked packet also needs to be written out in a file - the firewall log, then every blocked packet will use loads of CPU cycles.
If 'they' know that you are doing that, they will ramp up the traffic quickly - this is what DOS is, your log file will fill up very quickly, your pfSense will get hot and goto "100 % CPU usage" , and if a log file rotating goes wrong your disk start to fill up => bommmmm assured.
Is your disk an emmc (see other forum threads) ? Your disk will be dead in the near future => another boomm.

Apply the good old rule : keep a low profile and nobody will knock on your WAN door.
After all, your WAN interface is probably constantly probed for possible allowed in-going connections. You can't stop ** that. It's part of the Internet. See it as the back ground noise.
It's like living in a huge building with many front doors : kids are constantly pulling your door bell. Up to you to stay alert behind the door to see who is ringing ....

Even worse : if you get DOSsed, there is only one thing you can do : call your ISP and make "them" (the dossers) stop. They'll tell you they can't ... but they can pull the plug for you - or you pull the plug yourself = remove the WAN cable for a moment.
Or wait it out you doing nothing, pfSense can handle it : black-holing traffic is easy, you are after all limited to the bandwidth you have.

Actually, you can : put a firewall in front of your firewall.

So, ok to have a look at what happens at the WAN gate ones in a while, just don't forget to stop logging when your done.

edit : If your pfSense is behind a (CG)NAT or your ISP router : you won't see anything on WAN, as the upstream firewall / router / NAT device already took the bullet for you.