RULES WAN



  • Hello team,
    I need your help… about rules on WAN. Sorry, but I don't understand... if I block any protocols on the WAN interface, why can I still use the internet?

    thanks for your help




  • The WAN rules normally affect incoming traffic, not outgoing.  By default, a firewall blocks everything and you add exceptions for what you want to allow.  So, if you set up a web server on one of your computers, you'd create a rule to allow port 80 to that computer.  Those rules should have no effect on your accessing the 'net.



  • Thank you very much for your swift reply, so if I understand… the rules I will create just on my LAN interface.
    On my WAN interface, keep pass for any protocol.

    thank you.



  • The WAN settings pass everything from your local network to the Internet and block everything incoming, unless you create rules to specifically allow something.  While it is possible to create rules on the LAN side, that's generally not done, unless you have a reason to create them.  For example, you could block a computer from getting to the Internet or block access to a specific web site.


  • LAYER 8 Global Moderator

    There should be NO allow rules on WAN unless you have created a port forward or you actually want inbound traffic to be allowed.

    If you want to block something on your LAN from talking to, say, FTP servers, then you would create a rule on LAN blocking port 21.

    Rules are evaluated on the interface the traffic first enters pfSense, top down, first rule wins. The default on the LAN is any any. So yes, your clients on LAN can do anything they want. If you don't want them talking to a specific IP or range of IPs or ports, etc., then you would create that block rule on the LAN interface and put it higher in the list than your any any allow.

    Out of the box, all unsolicited traffic to the pfSense WAN, e.g. someone looking for open RDP hitting 3389, would be blocked; same for 22, HTTPS, HTTP, etc. Everything inbound to pfSense is blocked out of the box. Pings, everything!!! It only allows answers to something a device behind pfSense was allowed to do. For example, you went to pfsense.org on port 80 and it answered, so pfSense allowed the answer in because the client behind pfSense started the conversation.

    The ONLY rules you should have on WAN would be something you specifically want to allow to the pfSense WAN IP, for example if you want to allow ping to the pfSense WAN IP from the internet. Or if you want to port forward 80 to a box behind pfSense, you would do that via a port forward, and it would auto-create a rule on your WAN to allow that unsolicited traffic to be forwarded to your HTTP server behind pfSense.

    If you have any sort of any any or allow rules on your WAN, I would make sure you fully understand what that means. If you have questions on how to do something, please ask before creating rules on your WAN, especially any that are any any sort of rules.

    If you have questions post up your rules and we can discuss what they do, etc.
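The evaluation order the moderator describes (rules checked on the interface where traffic first enters, top down, first match wins, implicit default deny, and replies to LAN-initiated connections admitted by the state table) can be modelled in a few lines. The following is an added, constructed example written for this thread; it is not pfSense code, the packets and addresses are made up, and it simplifies by keying state on a 5-tuple and by matching port-forward rules against the internal address directly (real pfSense applies NAT before filtering):

```python
"""Toy first-match firewall evaluator modelling the behaviour described in the
thread: rules belong to the interface where a packet first enters, they are
checked top down and the first match wins, anything unmatched is blocked, and
reply traffic for a connection that was already allowed passes via state.
Constructed example, not pfSense code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet first enters on: "lan" or "wan"
    proto: str    # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    iface: str                    # interface the rule is attached to
    proto: str = "any"
    dst: str = "any"              # "any" or a CIDR such as "192.168.1.50/32"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        # A rule only applies to traffic entering on its own interface.
        if self.iface != pkt.iface:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


Flow = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules            # ordered top to bottom, as in the GUI
        self.states: Set[Flow] = set()

    def evaluate(self, pkt: Packet) -> str:
        flow: Flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A reply to a connection we already allowed passes without any rule.
        if reverse in self.states:
            return "pass (existing state)"
        # Otherwise walk the rule list top down; the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(flow)
                return rule.action
        # Nothing matched: implicit default deny.
        return "block (default deny)"


if __name__ == "__main__":
    # Out-of-the-box layout: LAN any any allow, nothing on WAN (constructed).
    fw = Firewall([Rule("pass", "lan")])
    out = Packet("lan", "tcp", "192.168.1.10", 51000, "203.0.113.10", 80)
    reply = Packet("wan", "tcp", "203.0.113.10", 80, "192.168.1.10", 51000)
    rdp = Packet("wan", "tcp", "198.51.100.7", 40000, "203.0.113.1", 3389)
    print("LAN -> web:", fw.evaluate(out))
    print("web reply :", fw.evaluate(reply))
    print("WAN -> rdp:", fw.evaluate(rdp))
    # Ordering matters: a block rule above the any any allow is effective,
    # the same rule below it is never reached.
    ftp = Packet("lan", "tcp", "192.168.1.10", 51001, "203.0.113.20", 21)
    above = Firewall([Rule("block", "lan", "tcp", dport=21), Rule("pass", "lan")])
    below = Firewall([Rule("pass", "lan"), Rule("block", "lan", "tcp", dport=21)])
    print("block above allow:", above.evaluate(ftp))
    print("block below allow:", below.evaluate(ftp))
```

Running it shows the outbound web request passing, its reply admitted by state rather than by any WAN rule, the unsolicited RDP probe hitting default deny, and the FTP block working only when it sits above the any any allow.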



  • Further, after changing the rules, run a port scan to make sure you got what you wanted.  You can go to www.grc.com for IPv4 or http://www6.ipv6.chappell-family.com/cgi-bin6/ipscan-js.cgi for IPv6.  You can also run nmap on a Linux/Unix box.


  • LAYER 8 Global Moderator

    What exactly are you wanting to stop/block, etc., and we can discuss the best way to do that. Blocking outbound traffic is quite often done in a corporate network, but doing such a thing in an SMB/home where the person doing it lacks experience could be opening up a whole can of trouble.

    What are you looking to stop/prevent/restrict and we can discuss if that is valid/good idea and what implications it could bring and how to best do it, etc.



  • BIG THANK YOU!!! it's all clear

