• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

NAT vs open port on WAN for VPN on pfsense

Scheduled Pinned Locked Moved Firewalling
5 Posts 2 Posters 910 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • E
    efny
    last edited by Mar 1, 2023, 4:22 PM

    This post is deleted!
    E 1 Reply Last reply Mar 2, 2023, 3:22 PM Reply Quote 0
    • E
      efny @efny
      last edited by Mar 2, 2023, 3:22 PM

      @efny

      I realized I was misusing terminology, so I rewrote the post to be clearer. If a mod wants to delete my original post I can just repost the topic.

      Thanks

      Let's suppose I have a VPN service running on the Pfsense box itself. As far as IDS/IPS analysis goes, is there a fundamental difference between opening a WAN port for the service and forward the port to the router IP?

      I have Snort running on both WAN and LAN, and get a lot of alerts for things that are blocked and ports scans etc. I was thinking I wanted to limit to just running Snort on LAN, but I worry that I will miss an opportunity to catch potentially malicious inbound traffic that is directed at the open ports. For services that run on my virtualization servers that get port forwarded connections, I get Snort alerts on the LAN side and was wondering whether this would occur if I forward the ports for services running on Pfsense or will the router treat port forwarding to itself identically to just opening a WAN port?

      Thanks in advance.

      S 1 Reply Last reply Mar 3, 2023, 1:20 AM Reply Quote 0
      • S
        SteveITS Galactic Empire @efny
        last edited by Mar 3, 2023, 1:20 AM

        @efny general advice is to run Snort on LAN. On WAN it runs outside the firewall so will scan all inbound packets even if they will be dropped.

        pfSense can NAT to its LAN IP. On WAN one would just allow the connection.

        If you’re asking whether a NAT rule to itself it subject to Snort I suspect not since Snort runs outside the firewall.

        What are you exposing on pfSense, the VPN? Can it be limited by source IP or dyndns hostname?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote πŸ‘ helpful posts!

        E 1 Reply Last reply Mar 4, 2023, 11:35 PM Reply Quote 0
        • E
          efny @SteveITS
          last edited by Mar 4, 2023, 11:35 PM

          @steveits
          Thanks for the reply.

          Let me try to clarify.
          Let's suppose I want to expose port 11111 for a service that runs on the firewall that has a LAN IP of 192.168.1.1
          Does scenario A vs B differ as far as analysis by IDS
          A) WAN 11111 (open)
          B) WAN 11111 port forward to LAN 192.168.1.1:11111

          I have some GeoIP considerations as well in terms of deliberately only opening the port to certain IP ranges using pfBlockerNG GeoIP

          Thanks.

          S 1 Reply Last reply Mar 5, 2023, 12:12 AM Reply Quote 0
          • S
            SteveITS Galactic Empire @efny
            last edited by Mar 5, 2023, 12:12 AM

            @efny Either way works. Listening on WAN is a bit less complicated. Either type of rule can have a source alias.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote πŸ‘ helpful posts!

            1 Reply Last reply Reply Quote 0
            5 out of 5
            • First post
              5/5
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
              This community forum collects and processes your personal information.
              consent.not_received