Netgate Discussion Forum
    Can I block bogon / private networks when pfSense is in DMZ behind ISP router

    Kryptonic

      Hello

      I have been using pfSense for a few years now, everything works fine but I think my configuration could be better or more secure (even if everything works as expected). For example I did turn off the blocking of bogon and private networks (while following a tutorial for OpenVPN) on the WAN interface of my pfSense but I’m not sure it was necessary.
      I would like to know if I can block private and bogon networks or if this will cause problems in my home setup.

      I have set my pfSense FW (192.168.0.250/24) in the DMZ of our ISP's modem/router.
      DHCP and Wi-Fi are turned off on the ISP's modem/router. So on my pfSense the WAN is 192.168.0.250 (also the DMZ of my ISP) and the default LAN interface is the 192.168.1.0/24 network.
      I read in another thread that port-forwarded (1:1) traffic from an upstream router will not be blocked unless this router NATs the source address to a bogon or private address. https://forum.netgate.com/topic/119431/block-private-networks-what-does-that-do-what-is-it-used-for/6
      I’m not sure if this is the case in my setup, could someone perhaps give me an example of this scenario so I can better understand?

      The way I see it: my ISP's modem/router will forward all incoming traffic to the pfSense FW, which is facing the internet in the DMZ (192.168.0.250), and nothing will be blocked because ports are forwarded 1:1.
      Does this also mean there is always NATting going on while the incoming traffic is forwarded to the DMZ (pfSense), because a public address needs to be translated to a local address to get to my pfSense?
      In that case, will this NATting translate the source address to a private address (and be blocked by the rules that block bogon and private addresses)?

      I'm sorry if this is a dumb question, because my theory about port-forwarding and NATting may be wrong.
      Thank you for any advice/help.

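An added illustration of the scenario asked about above (not part of the original post or of pfSense itself): the script models the ISP router's DMZ forward in both possible forms, destination-NAT only and destination-NAT plus source-NAT, and then applies pfSense's WAN-side "block private networks" and "block bogon networks" checks to the packet that arrives at 192.168.0.250. The router LAN address 192.168.0.1, the ISP public address, the source addresses and the bogon ranges (a small subset of the real feed) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# "Block private networks" on a pfSense WAN covers RFC 1918 space plus loopback.
# IPv4 only here; the real rule also covers fc00::/7 for IPv6.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed subset of the bogon list. pfSense fetches and updates the full
# feed; it also lists the RFC 5737 documentation ranges used below as
# stand-ins for real public addresses.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
               "224.0.0.0/4", "240.0.0.0/4")]

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

def classify_source(src: str) -> str:
    """Return 'private', 'bogon' or 'public' for a source address."""
    ip = ipaddress.ip_address(src)
    if any(ip in n for n in PRIVATE_NETS):
        return "private"
    if any(ip in n for n in BOGON_NETS):
        return "bogon"
    return "public"

def upstream_forward(pkt: Packet, dmz_host: str, router_lan_ip: str,
                     snat: bool = False) -> Packet:
    """Model the ISP router's DMZ forward: destination NAT to the DMZ host
    always; source NAT to the router's own LAN address only when snat=True."""
    return Packet(src=router_lan_ip if snat else pkt.src, dst=dmz_host, dport=pkt.dport)

def pfsense_wan_verdict(pkt: Packet, block_private: bool = True,
                        block_bogon: bool = True) -> str:
    """Apply the two WAN interface options before the normal WAN rule set."""
    kind = classify_source(pkt.src)
    if kind == "private" and block_private:
        return "blocked (private networks rule)"
    if kind == "bogon" and block_bogon:
        return "blocked (bogon networks rule)"
    return "passed to WAN rules"

if __name__ == "__main__":
    # Constructed inbound OpenVPN packet hitting the ISP's public address.
    inbound = Packet(src="203.0.113.5", dst="198.51.100.20", dport=1194)
    for snat in (False, True):
        fwd = upstream_forward(inbound, "192.168.0.250", "192.168.0.1", snat=snat)
        print(f"snat={snat}: src={fwd.src} -> {pfsense_wan_verdict(fwd)}")
```

With destination-NAT only, the original public source survives the forward and the private/bogon rules never match it; only a router that also rewrites the source to its own LAN address would trigger the private-networks block.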
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.