WAN Firewall rule destination unexpectedly had to be the LAN ip???



  • I have a 5-port pfSense firewall with 4 public IPs and 4 LAN subnets.

    I have port forwarding for H.323/SIP working for one of the public IPs to the associated LAN subnet, but use pfBlockerNG to blacklist most overseas IPs.

    I needed to whitelist a specific overseas WAN network, so I added a rule of source <x.x.x.x/24> and destination <public_ip> BEFORE the pfBlockerNG rules and assumed the traffic would pass through the firewall and that the NAT translation would occur. It DID NOT, and the logs showed the IP as blocked and the H.323/SIP connection would not establish from the overseas IP.

    To make it work I had to change the destination IP in the firewall rule to the LAN subnet IP, then I could successfully make a connection. Can someone explain to me why, when the TCP packet coming from the WAN will definitely have the public IP address in the destination?

    Thanks in advance!



  • That's how it works in PF: the NAT or RDR rules are always applied first, before the traffic is filtered. This can't be changed. The effect on filter rules associated with port forwards is exactly what you observed: the destination address in the firewall rule has to be the address after the address translation.
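The same ordering written out as a minimal FreeBSD-style pf ruleset (an added illustration, not configuration from either poster or from pfSense itself; the interface name, addresses, ports and table contents are placeholders chosen for the example). The commented-out pass rule is the one the original poster tried; the uncommented one is the form that works because the rdr translation has already rewritten the destination by the time the filter rules are evaluated.

```pf
# Added example, not from the thread. Interface, addresses and table
# contents are placeholders (RFC 5737 documentation ranges).
ext_if           = "em0"
public_ip        = "203.0.113.10"      # one of the public IPs on WAN
pbx_lan          = "192.168.10.20"     # H.323/SIP endpoint on the LAN
allowed_overseas = "198.51.100.0/24"   # overseas network to whitelist

# Stand-in for the pfBlockerNG blocklist (constructed sample entry)
table <overseas_block> { 192.0.2.0/24 }

# Translation runs before any filter rule: inbound packets to the public
# IP are rewritten to the LAN endpoint here.
rdr on $ext_if proto tcp from any to $public_ip port 1720 -> $pbx_lan port 1720
rdr on $ext_if proto udp from any to $public_ip port 5060 -> $pbx_lan port 5060

# Never matches: by the time filtering runs, the destination is already
# $pbx_lan, so the blocklist rule below wins and the log shows a block.
# pass in quick on $ext_if proto tcp from $allowed_overseas to $public_ip port 1720

# Matches: the filter rule names the post-translation (LAN) address and
# sits above the blocklist rule, so "quick" stops evaluation on the pass.
pass in quick on $ext_if proto tcp from $allowed_overseas to $pbx_lan port 1720
pass in quick on $ext_if proto udp from $allowed_overseas to $pbx_lan port 5060

# Blocklist evaluated only for traffic the whitelist did not already pass
block in log quick on $ext_if from <overseas_block> to any
```

In the pfSense GUI this corresponds to a WAN rule whose destination is the LAN host (or the port forward's "Filter rule association"), placed above the pfBlockerNG-generated rules; on the shell, `pfctl -sn` shows the translation rules and `pfctl -sr` the filter rules in the order pf actually walks them, which is a quick way to confirm which rule a given destination will hit.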