Open up all traffic
-
Hi, everybody! New to pfSense and loving it so far. Have a quick question:
How would I open up ALL traffic through the firewall? I have this on an isolated private LAN for now and just want to let everything through to practice with and learn as much as I can. I think I have it setup right, but being a newbie, just wanna check with everybody. Thanks for any help!
-
As in allow from WAN to LAN? Assuming you're not using NAT, a rule on WAN allowing source of Any to destination of Lan Net would allow that traffic.
-
@teamits Thanks for the reply. What if we are using NAT? Here is the WAN Rule I have:
-
@farmersfightatm Using NAT you will have to set up a Firewall/NAT/Port Forward to whatever device you're trying to access from the WAN. See https://docs.netgate.com/pfsense/en/latest/book/nat/index.html
-
@teamits I'm having some trouble wrapping my head around that. If all traffic is allowed through, why would port forwarding be needed if you are using NAT? Is there a way to allow all traffic through a port forward rule? Thanks for your help!
-
With NAT, all devices share the same public/WAN IP. If a device on WAN tries to connect, the router doesn't know where to send the packets. So, a NAT port forward tells the router where they should go.
-
@farmersfightatm said in Open up all traffic:
@teamits I'm having some trouble wrapping my head around that. If all traffic is allowed through, why would port forwarding be needed if you are using NAT? Is there a way to allow all traffic through a port forward rule? Thanks for your help!
Not trying to be a condescending jerk, but do you fully understand what NAT is and how it works?
With NAT, all internal hosts appear to the outside world (that is, to everyone beyond your WAN out on the Internet) as having only the single IP of your WAN port. In other words, your single public IP. So the NAT engine, when it receives a connection on a specific port, has to know which internal host (which specific LAN IP, for example) to send that traffic to. Having a "pass all" rule on the WAN still does not matter with NAT.
If you are talking in terms of a single internal host sending out some request to the Internet and expecting a reply, then the stateful inspection logic of the firewall will automatically allow that traffic and will, through devolving the NAT, figure out which internal host should get that reply. This is completely different from allowing some external host on the Internet to just out of the blue attempt a connection to port 80 at your public IP for a web server. In that case, the firewall needs a port forward rule so that it knows which LAN host is responsible for getting and handling all external-source port 80 destination traffic.
Edit: @teamits beat me to the reply. His is the short version, mine is a bit longer, but they are saying the same thing.
-
@bmeeks The minute I started reading your post, I realized the error in my thinking. Since it's on a private (home) network, I wasn't thinking of real external traffic coming in. I kept thinking in terms of it being all on my local LAN, then asked myself why I'm using NAT! I got it...thanks for y'alls help!