Questions regarding WAN and LAN



  • I have a basic setup (WAN and LAN).  On the WAN interface for the firewall are the rules for incoming to the WAN or do these apply to outgoing from the LAN or both?

    The docs state "The default ingress policy on pfSense is to block all traffic as there are no allow rules on WAN in the default ruleset".  But when i look at the WAN rules I have what looks to me like a default allow rule at the bottom:

    ipv4  * * * * * none

    does this rule mean that anything from the outside is allowed through the WAN interface to the LAN? or does it mean anything from the LAN interface is allowed out the WAN?

    Or should i modify it so that the source is LAN Net and the destination is WAN net?




  • Incoming and outgoing is w.r.t. the pfSense-box. So, for example WAN-out is leaving pfSense-WAN, LAN-out is leaving pfSense to LAN.

    If you have nothing special to host/service from you to the world, you need no ports open on pfSense-WAN.

    Each interface (WAN, LAN, ..) has its own tab-page, where you can block, allow, reject.

    Firewall/rules/WAN    ipv4  * * * * * none
    does this rule mean that anything from the outside is allowed through the WAN interface to the LAN

    Yes.



  • thanks for the quick reply. i modified the rule such that source:WAN Net and Destination Any are blocked. It may be overkill since i read the default behavior is to block but once i get a syslog vm built i want to be able to have some granularity on block and log rules.

    My concern now is how open was i under this setup. All i ran was the setup wizard but maybe while messing with something else that rule got applied by accident. pfsense should be natting and UPNP is not on and there was no port mappings coming in.  So even with that rule in existence external addresses should not have been able to get to any of the natted privated addressing correct?



  • @jgkpffrm:

    … My concern now...

    WAN-net is not equal to the Internet.  Case of "Overkill", pfSense is a binary thing, True xor False :)
    That what is allowed in, is in the pfSense-box.

    Understand how the out-of-the-box LAN-rule any() any() gives you webbrowser service from the world…
    (no WAN rules needed)

    Start with no allowance/no rule on WAN. If your syslog VM-host is on LAN, you do not need WAN allowance.

    You were open on pfSense. Change your admin password ;)