Managing "let out anything from firewall host itself" on WAN and VPN?

  • I am trying to manage not only traffic coming into my firewall but traffic leaving the firewall… I recently changed my logging so that I see all traffic in my log.

    The "let out anything from firewall host itself" rule is triggered by:
    Traffic on port 53 thru my VPN(my DNS resolver is using VPN as outgoing only)…I am cool with this, assuming this is my resolver traffic.
    Traffic on port 80 for my Apple TV thru my WAN…I am cool with this.

    What other traffic would trigger a "let out anything from firewall host itself" rule?



  • All locally running services including NTP, package updates, everything that runs on the pfSense local system. Those will use the default gateway configured on the system, and if that gateway is not set to your VPN, everything on the local system will go out via the default WAN. It's not possible to redirect that traffic with policy routing like you can with traffic originating from your LAN; the only way is to change the default gateway of the pfSense system.

  • If you want to block traffic leaving out the WAN by firewall rules you can use the floating rules. Set the action to "block" in the rule, interface to "WAN", the direction of the rule to "out" and set the "quick" option so that it will apply immediately and no other rules on the WAN will count.

  • Thanks KPA… To summarize, I went to:

    System -> Routing -> Gateways -> Edit (the pencil icon on my VPN interface). I then checked my VPN interface's "Default Gateway" (screenshot attached).

    In terms of adding the quick rule thank you, however a couple of clarifying questions:

    Would "Protocol" be "Any"?
    Would "Source" also be "Any"?
    If I just wanted to monitor the traffic to start, would I put "Match" instead of "Block", use "Any" for Protocol, Source, etc., and then check the "Log" under "Extra Options"? I am suspecting some things might break if I shut down my locally running services, so I was thinking maybe log to start?

    Thank you very much!!

    ![Default Gateway.png](/public/imported_attachments/1/Default Gateway.png)

  • If your VPN is an OpenVPN I'd suggest that you don't edit the gateways directly but let the OpenVPN client manage them.

    Yes, start with just logging the traffic with a floating pass rule; it won't break anything. Protocol is whatever you want to monitor. "Any" will of course match everything going out via the WAN; if you want, you can write more specific rules to, for example, catch only UDP traffic. Leave source and destination at any because you don't know in advance what they might be.
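    Once the logging floating rule is in place, the question from earlier in the thread (which local services actually hit the host-out rule) can be answered by sorting the raw filterlog entries by interface, protocol and destination port. The script below is an added example and not code from this thread or from pfSense; the filterlog field order is assumed from pfSense's documented CSV layout, and the tracker ids, addresses and log lines are constructed placeholders.

```python
from collections import Counter

# Constructed sample entries in the pfSense filterlog CSV layout (assumed field order:
# rulenr,subrulenr,anchor,tracker,iface,reason,action,dir,ipver, then for IPv4
# tos,ecn,ttl,id,offset,flags,protoid,proto,len,src,dst, then sport,dport,...).
# 1000000103 and 1000000201 are placeholder tracker ids, not real pfSense values.
HOST_OUT_TRACKER = "1000000103"  # id your log shows for "let out anything from firewall host itself"
SAMPLE_LOG = """\
Mar  4 08:14:55 pfSense filterlog: 5,,,1000000103,em0,match,pass,out,4,0x0,,64,101,0,DF,17,udp,76,203.0.113.10,198.51.100.53,51234,53,56
Mar  4 08:14:56 pfSense filterlog: 5,,,1000000103,em0,match,pass,out,4,0x0,,64,102,0,DF,17,udp,76,203.0.113.10,192.0.2.123,123,123,56
Mar  4 08:14:57 pfSense filterlog: 5,,,1000000103,em0,match,pass,out,4,0x0,,64,103,0,DF,6,tcp,60,203.0.113.10,192.0.2.80,40000,443,0,S,1,,65535,,mss
Mar  4 08:14:58 pfSense filterlog: 9,,,1000000201,em0,match,pass,out,4,0x0,,63,104,0,DF,6,tcp,60,203.0.113.10,192.0.2.80,40001,80,0,S,1,,65535,,mss
Mar  4 08:14:59 pfSense filterlog: 5,,,1000000103,ovpnc1,match,pass,out,4,0x0,,64,105,0,DF,17,udp,76,10.8.0.2,10.8.0.1,40002,53,56
"""
# Line 4 above is LAN traffic under a different rule whose source was already NATed to the
# WAN address; it must not be attributed to the firewall host itself.

# Well-known local services that commonly appear under the host-out rule.
KNOWN_SERVICES = {("udp", 53): "DNS (resolver/forwarder)", ("tcp", 53): "DNS (TCP fallback)",
                  ("udp", 123): "NTP", ("tcp", 443): "HTTPS (e.g. package updates)",
                  ("tcp", 80): "HTTP"}


def parse_filterlog(line):
    """Return the fields of one IPv4 TCP/UDP filterlog entry, or None for anything else."""
    if "filterlog: " not in line:
        return None
    f = line.split("filterlog: ", 1)[1].strip().split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7],
            "proto": f[16], "src": f[18], "dst": f[19], "sport": f[20], "dport": int(f[21])}


def summarize_host_out(log_text, tracker=HOST_OUT_TRACKER):
    """Count outbound flows matched by the host-out rule, keyed by (iface, proto, dport).
    Keyed on the rule's tracker id rather than the source address, because outbound NAT
    can rewrite LAN sources to the WAN address before an 'out' rule is evaluated."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if e and e["dir"] == "out" and e["tracker"] == tracker:
            counts[(e["iface"], e["proto"], e["dport"])] += 1
    return counts


def describe(counts):
    """Label each (iface, proto, dport) bucket with the local service it most likely is."""
    return [f"{iface} {proto}/{port}: {n} flow(s), {KNOWN_SERVICES.get((proto, port), 'unknown, investigate')}"
            for (iface, proto, port), n in sorted(counts.items())]


if __name__ == "__main__":
    for row in describe(summarize_host_out(SAMPLE_LOG)):
        print(row)
```

Feed it the raw firewall log (Status -> System Logs -> Firewall, raw view) and substitute the tracker id the log viewer shows for the host-out rule; anything in the "unknown, investigate" bucket is a local service you did not expect to be talking out the WAN.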

  • Thanks KPA…I think I understand, but just want to make sure:

    1. Leave my WAN as default
    2. Then go to VPN -> OpenVPN -> Clients -> Check "Don't pull routes".

    Is this what you mean by letting "...OpenVPN client manage them..."?

    In terms of monitoring the default "let out anything from firewall host itself" rule: I have 2 internal interfaces that access the WAN, and I created an alias for these interfaces named "WAN_ONLY_INTERFACES". I made VERY sure to put the "Direction" as OUT (I don't want to screw that up and open my WAN up, right?). I have attached a screenshot.

    My logic is "Monitor everything (ports, interfaces, etc.), except my 2 WAN_ONLY_INTERFACES"...

    Thanks again for helping me with this...

    ![FloatingMonitoringWAN Rule.png](/public/imported_attachments/1/FloatingMonitoringWAN Rule.png)
