Firewall WAN Rules (Internal VS External IPs)



  • I have the following example:

    pfSense 2.3

    Object: Mail_Company_Internal
    IP: 192.168.10.10

    Object: Mail_Company_External
    IP: 63.63.63.63

    Object: Mail_Company_Group
    Mail_Company_External
    Mail_Company_Internal

    WAN Rule:
    Protocol   Source   Port   Destination             Port
    TCP        Any      Any    Mail_Company_Internal   SMTP
    Or is it like this:
    Protocol   Source   Port   Destination             Port
    TCP        Any      Any    Mail_Company_External   SMTP
    Or must it be like this:
    Protocol   Source   Port   Destination             Port
    TCP        Any      Any    Mail_Company_Group      SMTP

    I want incoming rules allowing our server to respond to the mail requests. So, would the WAN rule have the External IP Object or the Internal IP Object or Group of both? Currently, we have both, but I don't think both are needed. Can someone explain which should be in the WAN Rules?
    Also, would NAT play any role in this? We have NAT setup for External to Internal IP. Would that affect the WAN Rules?
    Thanks…



  • I want incoming rules allowing our server to respond to the mail requests.

    What you need is a NAT port forward.

    So, would the WAN rule have the External IP Object or the Internal IP Object or Group of both?

    External.  These rules are automatically created for you when you define the port forward via Firewall - NAT - Port Forward.

    Also, would NAT play any role in this? We have NAT setup for External to Internal IP. Would that affect the WAN Rules?

    Yes and yes.  As I said above, the creation of the NAT also creates the associated firewall rules unless you have specifically told it to not do that.

    If you're having a problem then post your port forward screen and WAN firewall rules screen with public details sanitized.



  • So, I have to have the NAT/Port Forward created?
    What if I just want to create the rule in the WAN interface? That wouldn't work, I have to have a NAT?
    And if a NAT is not really needed, then again would the WAN Rule need the External or the Internal IP/Object?

    Thank you for your help, and sorry for all the questions, but I want to make sure I understand it 100% correctly.
    Thanks…



  • So, I have to have the NAT/Port Forward created?

    If you want users from the Internet (or some other external network) to access services on a server on your LAN, then yes you need a port forward or 1:1 NAT, depending on the requirements.

    What if I just want to create the rule in the WAN interface?

    That will allow the traffic past WAN, but it won't redirect it to the proper LAN server.

    That wouldn't work, I have to have a NAT?

    The NAT defines the redirection, and the firewall rule allows the traffic.  You need both.  Create the NAT and the firewall rule gets added.

    And if a NAT is not really needed, then again would the WAN Rule need the External or the Internal IP/Object?

    It's definitely needed if you want to make a LAN server available via WAN.



  • Thank you KOM, I appreciate you taking the time to help me.
    There are some rules that I don't want to create via Port Forwarding, in which case we create the rule manually on the WAN interface. I just need to know if the WAN rule requires the external IP or the internal IP, or both to be the destination.
    Thanks…



  • There are some rules that I don't want to create via Port Forwarding

    You can create all the rules you want manually.  NATs have a firewall rule added automatically since they're required for the NAT to work, and a lot of people would get tripped up by the missing rule when their NAT doesn't work as expected.

    I just need to know if the WAN rule requires the external IP or the internal IP, or both to be the destination.

    Sorry, I brainfarted earlier.  For NATs, the WAN rule must refer to their private address.  So your WAN rule must allow traffic to 192.168.10.10.
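As an added illustration of KOM's last point (not from the original thread, and not pfSense's generated ruleset), the same setup written in the syntax of pf, the packet filter pfSense runs on; it assumes the WAN interface is em0. The rdr rewrites the destination before the filter runs, which is why the pass rule names the private address:

```pf
# Constructed example in pf syntax; assumes WAN is em0. Not copied from pfSense.
ext_if   = "em0"
mail_ext = "63.63.63.63"     # Mail_Company_External (public address)
mail_int = "192.168.10.10"   # Mail_Company_Internal (LAN server)

# Port forward: rewrite the public destination to the LAN server.
# rdr is applied before filtering, so the filter sees 192.168.10.10:25.
rdr on $ext_if proto tcp from any to $mail_ext port 25 -> $mail_int port 25

# The WAN rule that matches the forwarded traffic therefore names the
# private address. "keep state" lets the server's replies return without
# a separate outbound rule.
pass in quick on $ext_if proto tcp from any to $mail_int port 25 flags S/SA keep state

# A rule written against the public address never sees the forwarded
# traffic, because the destination has already been rewritten:
# pass in quick on $ext_if proto tcp from any to $mail_ext port 25   # no match
```

pfSense adds the equivalent of the pass line itself when you create the port forward with a filter rule association, and a hand-written WAN rule for the same service must likewise use Mail_Company_Internal as its destination.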

