Put IoT reject rules on WAN or LAN?
-
Hi guys. Quick question about firewall. All of my IoT devices are under the IP range of 10.0.1.0/24 and I want to ban their access to the Internet. There are two places where I can put the rule:
- WAN rules. Reject traffic from 10.0.1.0/24 to !RFC1918
- LAN rules. The same rule
Is there a preference that one is better than the other? Thanks!
Update: Seems my understanding is WRONG. The rule should only be placed on the LAN firewall since the firewall only takes effect on "INCOME" traffic.
-
@left4apple well you can put outbound rules in the floating tab.
But why would you let traffic into pfSense, just to stop it from leaving.. If you don't want some traffic to get to the internet, it's best to stop it before it even enters pfSense.
-
@johnpoz Hi, not sure if I understand the comment correctly. The IoT devices get DHCP IPs from pfSense, and they keep trying to connect to cloud servers. I only want to use them locally via RTSP.
What would be the correct way to stop the traffic from getting into pfSense? Thanks
-
@left4apple said in Put IoT reject rules on WAN or LAN?:
The rule should only be placed on LAN firewall since the firewall only takes effect on "INCOME" traffics
This comment is correct. If you are trying to block DNS and/or pfSense port 443 you can block from the IOT network to This Firewall which is all IPs on pfSense.
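What the thread's answer looks like in pf syntax, as an added illustration that is not from the original posts or from pfSense's generated rules: the IoT subnet's rules are evaluated inbound on the interface the IoT devices sit on (assumed here to be a hypothetical `$iot_if` macro), never on WAN. "Reject" maps to `block return`, the `!RFC1918` alias becomes a negated table, and the "This Firewall" block for DNS and the web GUI uses pf's `self` keyword.

```pf
# Assumed interface macro for the interface hosting 10.0.1.0/24 (hypothetical name)
iot_if = "igb1"

# Equivalent of the RFC1918 alias used in the question
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Match inbound on the IoT-facing interface, i.e. before the packet is routed
# through the firewall; "quick" stops evaluation on the first match.

# Optional: stop IoT devices using the firewall's resolver or web GUI
# (the "This Firewall" destination from the thread)
block return in quick on $iot_if proto { tcp, udp } \
    from 10.0.1.0/24 to self port { 53, 443 }

# Reject anything from the IoT subnet bound for a non-RFC1918 (Internet) address
block return in quick on $iot_if inet from 10.0.1.0/24 to ! <rfc1918>

# Everything else from the IoT subnet (local RTSP replies, LAN-side access) is
# left to the normal LAN rules; connections initiated from the trusted LAN to the
# cameras are stateful, so their return traffic needs no extra rule here.
```

In the pfSense GUI this corresponds to an RFC1918 network alias and two rules on the IoT interface tab with action Reject, the first with destination "This Firewall", the second with destination "not RFC1918".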
-
@left4apple said in Put IoT reject rules on WAN or LAN?:
What would be the correct way to stop the traffic from getting into pfSense?
As you already stated - on the lan side of pfsense.. Before it enters pfsense..
If someone came to your front door and said hey can I walk through your house to go to your back yard.. Would you stop right there at the front door, or would you let them stomp their muddy feet all through your house and then when they were going to exit your back door say - hey wait a minute I don't want you to go there..