Netgate Discussion Forum
    Questions regarding WAN and LAN

    Firewalling
    jgkpffrm

      I have a basic setup (WAN and LAN).  On the WAN interface of the firewall, are the rules for traffic incoming to the WAN, or do they apply to traffic outgoing from the LAN, or both?

      The docs state "The default ingress policy on pfSense is to block all traffic as there are no allow rules on WAN in the default ruleset".  But when I look at the WAN rules I have what looks to me like a default allow rule at the bottom:

      ipv4  * * * * * none

      Does this rule mean that anything from the outside is allowed through the WAN interface to the LAN? Or does it mean anything from the LAN interface is allowed out the WAN?

      Or should I modify it so that the source is LAN Net and the destination is WAN net?

      [image: wan.JPG]

      hda

        Incoming and outgoing is w.r.t. the pfSense-box. So, for example WAN-out is leaving pfSense-WAN, LAN-out is leaving pfSense to LAN.

        If you have nothing special to host/service from you to the world, you need no ports open on pfSense-WAN.

        Each interface (WAN, LAN, ..) has its own tab-page, where you can block, allow, reject.

        Firewall/rules/WAN    ipv4  * * * * * none
        does this rule mean that anything from the outside is allowed through the WAN interface to the LAN?

        Yes.

        jgkpffrm

          Thanks for the quick reply. I modified the rule such that source: WAN Net and destination: Any are blocked. It may be overkill since I read the default behavior is to block, but once I get a syslog VM built I want to be able to have some granularity on block and log rules.

          My concern now is how open was I under this setup. All I ran was the setup wizard, but maybe while messing with something else that rule got applied by accident. pfSense should be NATting, UPnP is not on, and there were no port mappings coming in.  So even with that rule in existence, external addresses should not have been able to get to any of the NATted private addressing, correct?

          hda

            @jgkpffrm:

            … My concern now...

            WAN-net is not equal to the Internet.  Case of "Overkill", pfSense is a binary thing, True xor False :)
            What is allowed in, is in the pfSense-box.

            Understand how the out-of-the-box LAN-rule any() any() gives you web browser service from the world…
            (no WAN rules needed)

            Start with no allowance/no rule on WAN. If your syslog VM-host is on LAN, you do not need WAN allowance.

            You were open on pfSense. Change your admin password ;)
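To make hda's two points concrete (a packet is judged by the ruleset of the interface it enters pfSense on, and "WAN net" is the local WAN subnet, not the Internet), here is a small added first-match simulation of pfSense per-interface rulesets. It is not code from pfSense or from either poster; the addresses are constructed, and it ignores protocol, ports and state tracking.

```python
import ipaddress

# Constructed sample addressing (not from the thread): the subnet in front of
# the pfSense WAN port, pfSense's own WAN address, and the LAN subnet.
WAN_NET = "203.0.113.0/24"
WAN_ADDR = "203.0.113.10"
LAN_NET = "192.168.1.0/24"

def expand(alias):
    """Resolve the pfSense-style aliases used in the thread to a network."""
    table = {"any": "0.0.0.0/0", "WAN net": WAN_NET,
             "WAN address": WAN_ADDR, "LAN net": LAN_NET}
    return ipaddress.ip_network(table.get(alias, alias))

def evaluate(rules, src, dst):
    """Evaluate the ruleset of the interface a packet ENTERS pfSense on.
    pfSense user rules are 'quick', so the first match wins; with no match
    the default policy applies, which is deny. Returns (action, rule index),
    with index None when the implicit default deny decided."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(rules):
        if src in expand(rule["src"]) and dst in expand(rule["dst"]):
            return rule["action"], i
    return "block", None  # implicit default deny, as the docs describe

# Rulesets as discussed in the thread.
WAN_ANY_ANY = [{"action": "pass", "src": "any", "dst": "any"}]        # OP's rule
WAN_BLOCK_WAN_NET = [{"action": "block", "src": "WAN net", "dst": "any"}]
WAN_EMPTY = []                                                        # hda's advice
LAN_ANY_ANY = [{"action": "pass", "src": "LAN net", "dst": "any"}]    # default LAN rule

if __name__ == "__main__":
    internet_host = "198.51.100.7"   # constructed, outside WAN net
    wan_neighbour = "203.0.113.50"   # constructed, inside WAN net
    # Internet host reaching pfSense's own WAN address, judged by the WAN ruleset.
    print(evaluate(WAN_ANY_ANY, internet_host, WAN_ADDR))        # ('pass', 0)
    # The "WAN net" block rule never matches an Internet source; default deny does.
    print(evaluate(WAN_BLOCK_WAN_NET, internet_host, WAN_ADDR))  # ('block', None)
    print(evaluate(WAN_BLOCK_WAN_NET, wan_neighbour, WAN_ADDR))  # ('block', 0)
    print(evaluate(WAN_EMPTY, internet_host, WAN_ADDR))          # ('block', None)
    # A LAN host going out is judged by the LAN ruleset, not the WAN one.
    print(evaluate(LAN_ANY_ANY, "192.168.1.20", internet_host))  # ('pass', 0)
```

The second and fourth calls give the same verdict, which is why the added block rule is redundant with an empty WAN tab; the first call shows what the any/any pass rule exposed: pfSense's own WAN address, not the NATted LAN hosts.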

            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.