Netgate Discussion Forum

    Should I add a firewall rule to WAN?

    Firewalling
    13 Posts 3 Posters 18.6k Views
    thenewguy1979

      My WAN IP is DHCP provided by Comcast. The pfSense unit is a standard build with nothing added besides the default settings for WAN (block private networks and bogons) and LAN. Nothing special.

      It seems no additional firewall rule is necessary for the WAN based on many pfSense installation guides I'm seeing. Is this true? Under the WAN firewall rules it mentions that if no firewall rules are set for WAN it would not pass anything. But how come I can still access the internet from LAN to WAN?

      Thus I'm slightly confused. Should a firewall rule be needed for WAN to pass data or not?

      Secondly, does pfSense perform any traffic shaping/QoS by default? I notice my Comcast speed via speedtest.net was cut in half.

      thenewguy1979

        Okay attached is my Firewall Log.

        Can anyone tell me why I have so many @61 blocks? Thanks

        BTW, why is there a warning message on the WAN firewall to add a firewall rule? No installation guide mentioned I need to add a rule for WAN.

        d3.JPG

        thenewguy1979

          This is my WAN firewall rule.

          wan.JPG

          thenewguy1979

            And my LAN.

            lan.JPG

            wallabybob

              My understanding is that the firewall rules apply only to incoming traffic on an interface. And when a "connection" is "initiated", a kernel data structure is created for that connection, effectively creating a new firewall rule allowing traffic that matches that connection.
              Thus in the default configuration, when the LAN side initiates an HTTP connection to the WAN side, incoming data from the WAN side that matches that connection is temporarily allowed. If a system on the WAN side attempts to establish an HTTP connection to a system on the LAN side, it will fail because there isn't a firewall rule (in the default configuration) allowing it.

              wallabybob

                With regard to the firewall log, a fair proportion of the logged traffic looks like it's probably a DHCP request to assign an address.

                Is your Internet connection over cable TV? I believe that type of medium is a broadcast medium, so everyone potentially sees all the traffic from a number of users. Thus you will see the DHCP request traffic to the broadcast address. This traffic is probably of no interest to you and is probably not an indication of someone trying to break in, so you could add a firewall rule on the WAN interface to block UDP traffic to the broadcast address (255.255.255.255) and port 68 with logging disabled. Let that run for a while and see what traffic is now logged.

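The two replies above (stateful rules created by LAN-initiated connections, and a non-logging WAN block for the cable-segment DHCP broadcasts) expressed as a hand-written pf ruleset. This is an added illustration, not something posted in the thread and not the ruleset pfSense itself generates; the interface names, the LAN prefix and the `<bogons>` table name are assumptions, and outbound NAT is omitted.

```pf
# Added example: pf.conf equivalent of the default pfSense WAN/LAN behaviour
# described in the thread. Interface names and LAN prefix are constructed.
wan = "em0"
lan = "em1"
lan_net = "192.168.1.0/24"

# Default deny with logging. Rules are evaluated against the interface a
# packet ARRIVES on, so with no "pass in on $wan" rule nothing unsolicited
# from the WAN side gets in. This is the "passes nothing" warning.
block in log all

# The rule suggested in the reply: drop UDP to the broadcast address on
# port 68 arriving on WAN WITHOUT the "log" keyword, so the DHCP chatter
# from other cable subscribers stops filling the firewall log.
# "quick" ends evaluation here so the logging default deny never sees it.
block in quick on $wan inet proto udp from any to 255.255.255.255 port 68

# The two default WAN options: block RFC 1918 sources and bogons.
# <bogons> is an assumed table name; pfSense keeps its own bogon list.
table <bogons> persist
block in quick on $wan inet from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
block in quick on $wan inet from <bogons> to any

# Default LAN "allow all" rule. "keep state" is what lets the WAN-side
# replies back in: the first packet of a LAN-initiated connection creates a
# state-table entry, and return packets matching that entry are passed on
# WAN without any WAN pass rule. A WAN-initiated connection has no state
# and no pass rule, so it falls through to "block in log all".
pass in on $lan inet from $lan_net to any keep state

# Let the firewall's own outbound traffic (DNS, NTP, its DHCP client) leave.
pass out on $wan inet keep state
```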
                wallabybob

                  @thenewguy1979:

                  BTW, why is there a warning message on the WAN firewall to add a firewall rule? No installation guide mentioned I need to add a rule for WAN.

                  What's the text of the message? What's the context - on what screen does it appear? (I don't see it on my system on Firewall -> Rules, WAN interface.)

                  thenewguy1979

                    Okay, this is my new firewall rule for WAN. It seems to do the trick, but is it set up correctly? Thanks

                    wan2.JPG

                    wallabybob

                      @thenewguy1979:

                      Okay, this is my new firewall rule for WAN. It seems to do the trick, but is it set up correctly? Thanks

                      Looks good to me. You might want to add something in the comment field to help you remember why you added it.

                      ColdFusion

                        This link will be helpful. I have 2 cable connections at 2 locations and had this same issue.

                        http://forum.pfsense.org/index.php/topic,14131.0.html

                        thenewguy1979

                          Thanks, that resolved most of my blocked log issues. Meanwhile, can anyone help with my second question from the 1st post? Does pfSense by default also limit each download thread to 4 Mbit?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.