Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    NAT vs open port on WAN for VPN on pfsense

    Scheduled Pinned Locked Moved Firewalling
    5 Posts 2 Posters 935 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      efny
      last edited by

      This post is deleted!
      E 1 Reply Last reply Reply Quote 0
      • E
        efny @efny
        last edited by

        @efny

        I realized I was misusing terminology, so I rewrote the post to be clearer. If a mod wants to delete my original post I can just repost the topic.

        Thanks

        Let's suppose I have a VPN service running on the Pfsense box itself. As far as IDS/IPS analysis goes, is there a fundamental difference between opening a WAN port for the service and forward the port to the router IP?

        I have Snort running on both WAN and LAN, and get a lot of alerts for things that are blocked and ports scans etc. I was thinking I wanted to limit to just running Snort on LAN, but I worry that I will miss an opportunity to catch potentially malicious inbound traffic that is directed at the open ports. For services that run on my virtualization servers that get port forwarded connections, I get Snort alerts on the LAN side and was wondering whether this would occur if I forward the ports for services running on Pfsense or will the router treat port forwarding to itself identically to just opening a WAN port?

        Thanks in advance.

        S 1 Reply Last reply Reply Quote 0
        • S
          SteveITS Galactic Empire @efny
          last edited by

          @efny general advice is to run Snort on LAN. On WAN it runs outside the firewall so will scan all inbound packets even if they will be dropped.

          pfSense can NAT to its LAN IP. On WAN one would just allow the connection.

          If you’re asking whether a NAT rule to itself it subject to Snort I suspect not since Snort runs outside the firewall.

          What are you exposing on pfSense, the VPN? Can it be limited by source IP or dyndns hostname?

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          E 1 Reply Last reply Reply Quote 0
          • E
            efny @SteveITS
            last edited by

            @steveits
            Thanks for the reply.

            Let me try to clarify.
            Let's suppose I want to expose port 11111 for a service that runs on the firewall that has a LAN IP of 192.168.1.1
            Does scenario A vs B differ as far as analysis by IDS
            A) WAN 11111 (open)
            B) WAN 11111 port forward to LAN 192.168.1.1:11111

            I have some GeoIP considerations as well in terms of deliberately only opening the port to certain IP ranges using pfBlockerNG GeoIP

            Thanks.

            S 1 Reply Last reply Reply Quote 0
            • S
              SteveITS Galactic Empire @efny
              last edited by

              @efny Either way works. Listening on WAN is a bit less complicated. Either type of rule can have a source alias.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.