AI Copilot gave a tip! Is it a safe and good practice?
-
Hi, Copilot gave me a tip to optimize settings. It suggests making a NAT rule on the WAN and VPN interfaces, "DO NOT NAT", from SOURCE: local and VPN subnets to DESTINATION: the same subnets. Is it good and safe? Its arguments were about avoiding mistakes for local Samba, DLNA, etc. VPN as clients on pfSense. Should everything work with these rules? For example limiters?
-
No, it is not a good tip. Those things rarely are.
That adds no security. If you tell it not to NAT, the traffic still exists; it could still be misrouted or picked up by bad actors upstream. If you're lucky the ISP might drop that traffic, but in practice ISPs are not as good with egress filtering as they should be.
If leaking traffic concerns you, block it with firewall rules. For example, a floating rule to block (quick) outbound to those destinations on all WAN(s).
-
@jimp Thanks, I will not try this)))
-
@jimp One more question, I have read this Netgate doc: https://docs.netgate.com/pfsense/en/latest/recipes/rfc1918-egress.html. If I do this rule and use a VPN client with IP 10.0.2.1, will this rule break something for the VPN client? My pfSense box is first, there is no upstream after it, only behind?
-
The rules in that example only affect WANs, not VPN interfaces. If the VPN client is running on a client device, then all the firewall sees is the public traffic, not private. If it's a VPN defined on pfSense software and the rules are only on WAN interfaces, then it's the same thing, more or less.
The only way that would affect VPN traffic is if you also set up that rule to block on VPN interfaces on pfSense, which isn't what it's suggesting.
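The two points made in this thread (a "Do not NAT" rule does not drop anything, and a block rule scoped to WAN does not touch a VPN interface) are easiest to see in pf syntax, which is what pfSense compiles its GUI rules into. The following is an added illustration, not the original poster's or Netgate's configuration: the interface names em0 (WAN) and ovpnc1 (OpenVPN client) and the LAN subnet 192.168.1.0/24 are assumed placeholders; the private ranges follow the RFC1918 egress recipe linked above.

```pf
# Added illustration in pf syntax of the rules discussed above.
# em0 = WAN, ovpnc1 = OpenVPN client interface, 192.168.1.0/24 = LAN
# (all placeholders, not taken from the thread).

# Private address space, as used by the Netgate RFC1918 egress recipe.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# What the "DO NOT NAT" suggestion amounts to. The packet is exempted
# from source translation but is still forwarded out of WAN with its
# private source address. Nothing in this line drops it; whether it
# goes anywhere depends entirely on the upstream provider's filtering.
no nat on em0 from 192.168.1.0/24 to 192.168.1.0/24

# What the reply recommends instead: a floating, quick, outbound block
# on the WAN(s) to private destinations. "quick" ends rule evaluation
# on match, "return" sends a TCP RST / ICMP unreachable so local hosts
# fail fast instead of timing out, and "log" makes any leak visible in
# the firewall log.
block return out log quick on em0 inet from any to <rfc1918>

# Scope: the rule above names em0 only. Traffic that pfSense routes to
# a host such as 10.0.2.1 through the OpenVPN client leaves via ovpnc1,
# which this rule never evaluates, so the VPN client is unaffected.
# It would only be affected by a rule that also names the VPN
# interface, for example:
#   block return out quick on ovpnc1 inet from any to <rfc1918>
# which is not what the recipe suggests.
```

On a pfSense box you can check which rules actually loaded with `pfctl -sr` (filter rules) and `pfctl -sn` (NAT and no-nat rules); the "no nat" line will show up only in the second listing, which is a quick way to confirm that it is a translation exemption and not a filter.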
-
@jimp Ok, thanks)))