Netgate Discussion Forum

    Firewall WAN Rules (Internal VS External IPs)

    Cornelp

      I have the following example:

      PfSense 2.3

      Object: Mail_Company_Internal
      IP: 192.168.10.10

      Object: Mail_Company_External
      IP: 63.63.63.63

      Object: Mail_Company_Group
      Mail_Company_External
      Mail_Company_Internal

      WAN Rule:
      Protocol  Source  Port  Destination            Port
      TCP       Any     Any   Mail_Company_Internal  SMTP
      Or is it like this:
      Protocol  Source  Port  Destination            Port
      TCP       Any     Any   Mail_Company_External  SMTP
      Or it must be like this:
      Protocol  Source  Port  Destination            Port
      TCP       Any     Any   Mail_Company_Group     SMTP

      I want incoming rules allowing our server to respond to the mail requests. So, would the WAN rule have the External IP Object or the Internal IP Object or Group of both? Currently, we have both, but I don't think both are needed. Can someone explain which should be in the WAN Rules?
      Also, would NAT play any role in this? We have NAT setup for External to Internal IP. Would that affect the WAN Rules?
      Thanks…

        KOM

        > I want incoming rules allowing our server to respond to the mail requests.

        What you need is a NAT port forward.

        > So, would the WAN rule have the External IP Object or the Internal IP Object or Group of both?

        External.  These rules are automatically created for you when you define the port forward via Firewall - NAT - Port Forward.

        > Also, would NAT play any role in this? We have NAT setup for External to Internal IP. Would that affect the WAN Rules?

        Yes and yes.  As I said above, the creation of the NAT also creates the associated firewall rules unless you have specifically told it to not do that.

        If you're having a problem then post your port forward screen and WAN firewall rules screen with public details sanitized.

          Cornelp

          So, I have to have the NAT/Port Forward created?
          What if I just want to create the rule in the WAN interface? That wouldn't work, I have to have a NAT?
          And if a NAT is not really needed, then again would the WAN Rule need the External or the Internal IP/Object?

          Thank you for your help, and sorry for all the questions, but I want to make sure I understand it 100% correctly.
          Thanks…

            KOM

            > So, I have to have the NAT/Port Forward created?

            If you want users from the Internet (or some other external network) to access services on a server on your LAN, then yes you need a port forward or 1:1 NAT, depending on the requirements.

            > What if I just want to create the rule in the WAN interface?

            That will allow the traffic past WAN, but it won't redirect it to the proper LAN server.

            > That wouldn't work, I have to have a NAT?

            The NAT defines the redirection, and the firewall rule allows the traffic.  You need both.  Create the NAT and the firewall rule gets added.

            > And if a NAT is not really needed, then again would the WAN Rule need the External or the Internal IP/Object?

            It's definitely needed if you want to make a LAN server available via WAN.

              Cornelp

              Thank you KOM, I appreciate you taking the time to help me.
              There are some rules that I don't want to create via Port Forwarding, in which case we create the rule manually on the WAN interface. I just need to know if the WAN rule requires the external IP or the internal IP, or both to be the destination.
              Thanks…

                KOM

                > There are some rules that I don't want to create via Port Forwarding

                You can create all the rules you want manually.  NATs have a firewall rule added automatically since they're required for the NAT to work, and a lot of people would get tripped up by the missing rule when their NAT doesn't work as expected.

                > I just need to know if the WAN rule requires the external IP or the internal IP, or both to be the destination.

                Sorry, I brainfarted earlier.  For NATs, the WAN rule must refer to their private address.  So your WAN rule must allow traffic to 192.168.10.10.

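The evaluation order behind the final answer in this thread, as an added example that is not part of the original posts: on pfSense, inbound NAT is applied before the WAN filter rules, so the WAN rule is matched against the already-translated (private) destination. This is a simplified model; the port-forward table, the function names and the client address 198.51.100.7 are constructed for illustration, while the aliases and their addresses are the ones posted above.

```python
from dataclasses import dataclass, replace

# Aliases from the thread (addresses as posted).
ALIASES = {
    "Mail_Company_Internal": {"192.168.10.10"},
    "Mail_Company_External": {"63.63.63.63"},
}
ALIASES["Mail_Company_Group"] = (
    ALIASES["Mail_Company_Internal"] | ALIASES["Mail_Company_External"]
)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

# Assumed port forward: (proto, external destination, port) -> internal target.
PORT_FORWARDS = {("tcp", "63.63.63.63", 25): "192.168.10.10"}

def apply_port_forward(pkt):
    """Step 1 on inbound WAN traffic: rewrite the destination if a forward matches."""
    target = PORT_FORWARDS.get((pkt.proto, pkt.dst, pkt.dport))
    return replace(pkt, dst=target) if target else pkt

def wan_rule_passes(dest_alias, pkt, proto="tcp", dport=25):
    """Step 2: the WAN pass rule is evaluated against the translated packet."""
    seen = apply_port_forward(pkt)
    return (seen.proto == proto and seen.dport == dport
            and seen.dst in ALIASES[dest_alias])

def redundant_entries(dest_alias):
    """Alias members the rule allows that the forwarded traffic never needs."""
    return ALIASES[dest_alias] - ALIASES["Mail_Company_Internal"]

# Constructed sample: an Internet client connecting to the public address on SMTP.
SMTP_IN = Packet("tcp", "198.51.100.7", "63.63.63.63", 25)

if __name__ == "__main__":
    for alias in ALIASES:
        print(f"{alias:24} passes={wan_rule_passes(alias, SMTP_IN)} "
              f"redundant={sorted(redundant_entries(alias))}")
```

The group alias also passes the traffic, but only because it contains the internal address; its external member never matches a forwarded packet and can be dropped from the rule.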