Netgate Discussion Forum
    WAN Rules

    General pfSense Questions
    MagikMark

      Do you think this may be considered as a good practice under WAN Interface:

      pfSense WAN.jpg

      1. Hijacks DNS and NTP queries and makes sure they go through pfSense and AdGuard
      2. Prevents the ISP from accessing my home network
    johnpoz (LAYER 8 Global Moderator) @MagikMark

        @magikmark No, those are not good WAN rules. What exactly do you think that would be hijacking?

        Why would you allow access to pfSense from the WAN? So, like any bot or script kiddie, whatever can hit pfSense on any port, and you only have 1 KB of hits on that? Is pfSense behind a NAT router?

        Not sure where you got the idea that an "allow internet access to anything" rule would go on the WAN interface?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        MagikMark @johnpoz

          @johnpoz

          1. I just forward all DNS & NTP queries to my AdGuard / NextDNS for filtering

          What would be a good rule for WAN then?

          johnpoz (LAYER 8 Global Moderator) @MagikMark

            @magikmark The default. The only reason you should be putting rules on the "WAN" is if you want to allow access to something, via, say, a port forward.

            If you want to intercept DNS and NTP, those rules would go on a LAN-side interface.

            WAN is internet facing, normally! Is pfSense behind another router, and you have devices on this other network, i.e. on pfSense's "WAN"?

            If that is the case you need to explain that; those rules make no sense for a typical setup where the pfSense WAN is the internet.

            Jarhead @MagikMark

              @magikmark said in WAN Rules:

              Do you think this may be considered as a good practice under WAN Interface:

              pfSense WAN.jpg

              1. Hijacks DNS and NTP queries and makes sure they go through pfSense and AdGuard
              2. Prevents the ISP from accessing my home network

              The only thing I can think here is that you're thinking backwards.
              Rules on the WAN would only apply to devices on the WAN, namely the internet.
              Why would you want anything on the internet to use your pfSense for DNS and NTP queries?? Did you mean everything on your LAN, maybe? If so, those rules would go on the LAN interface, as already said.
              Rules are applied to the directly connected network of that interface. So WAN rules only affect WAN devices, LAN rules only affect LAN devices, etc.
              Deleting all WAN rules and leaving it that way is the best practice. If you need to access something on your LAN from the internet, use a VPN.

              MagikMark
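To illustrate the point made in the last two replies (rules are bound to the interface where traffic enters, so DNS/NTP redirects belong on LAN and WAN should keep its default deny), here is a small Python model of per-interface, first-match rule evaluation. It is an added example, not pfSense code, and it simplifies pf semantics by collapsing NAT redirects and filter rules into one list; the rule sets, addresses and packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    iface: str                 # interface where the packet ENTERS the firewall
    action: str                # "pass", "block", or "rdr" (redirect/port forward)
    proto: str = "any"
    dport: Optional[int] = None
    redirect_to: Optional[str] = None

@dataclass
class Packet:
    ingress: str   # interface that received the packet: "wan" or "lan"
    src: str
    dst: str
    proto: str
    dport: int

def evaluate(rules, pkt):
    """First matching rule on the packet's ingress interface wins; no match
    means the implicit default deny. Simplified pfSense-style semantics."""
    for r in rules:
        if r.iface != pkt.ingress:
            continue  # rules bound to other interfaces never see this packet
        if r.proto not in ("any", pkt.proto):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return (r.action, r.redirect_to)
    return ("block", "default deny")

# Constructed rule sets. GOOD: intercept DNS/NTP on LAN, leave WAN empty.
GOOD_RULES = [
    Rule("lan", "rdr", "udp", 53, "127.0.0.1:53"),    # LAN DNS -> pfSense/AdGuard
    Rule("lan", "rdr", "udp", 123, "127.0.0.1:123"),  # LAN NTP -> pfSense
    Rule("lan", "pass"),                               # default LAN allow
]
# BAD: the thread's rules placed on WAN instead, plus an "allow any" on WAN.
BAD_RULES = [
    Rule("wan", "rdr", "udp", 53, "127.0.0.1:53"),
    Rule("wan", "rdr", "udp", 123, "127.0.0.1:123"),
    Rule("wan", "pass"),
    Rule("lan", "pass"),
]
LAN_DNS = Packet("lan", "192.168.1.50", "8.8.8.8", "udp", 53)          # constructed
INET_PROBE = Packet("wan", "203.0.113.9", "198.51.100.2", "tcp", 443)  # constructed

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, evaluate(rules, LAN_DNS), evaluate(rules, INET_PROBE))
```

With the LAN-side rules the client's DNS query is redirected and the unsolicited internet probe hits the default deny; with the same rules on WAN the LAN query goes straight to 8.8.8.8 and the probe is passed.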

                Thanks for the reminder, guys. I was just conducting an experiment on how my ISP would respond. So far it doesn't make any difference.

                rcoleman-netgate (Netgate) @MagikMark

                  @magikmark It shouldn't, as those would all have to originate from OUTSIDE your network, not inside.

                  Ryan
                  Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                  Requesting firmware for your Netgate device? https://go.netgate.com
                  Switching: Mikrotik, Netgear, Extreme
                  Wireless: Aruba, Ubiquiti

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.