Netgate Discussion Forum

    Country Blocking vs Unsolicitated Requests on WAN

    pfBlockerNG
    6 Posts 4 Posters 713 Views
    3Dogs

      I am new to setting up a firewall.. having spent 1 week+ so far playing with it. Have a number of questions/observations.. but the first one is regarding pfBlocker and how it relates to the router rules. I only enabled the top20 GeoIP blocking so far.. but as I read discussions on country blocking, it is my understanding that it is not really needed on the WAN side, as the WAN should be blocking ALL unsolicited access by default.

      I haven't changed any WAN rules and it has the ones created by pfS based on my settings for blocking RFC1918 and Bogon Networks.

      I DO have my LAN interface open with * *, but I do not believe it supersedes the locked-down WAN. My other interfaces are more locked down for guest/IoT (which is where I am currently spending my time to get set up correctly).

      I also moved my pfBlockerNG rules to Floating, so I didn't have to create them in every interface.

      So, my question.. or concern is, why am I seeing a lot of Deny hits on the WAN for country(s) that are on the GeoIP/Country Top4 (have IPv6 turned off) block list? I would think these should not show at all if it is already blocking unsolicited traffic.

      My two thoughts are... either I opened up something I shouldn't have and my open port on my LAN or Guest interface is letting things thru. Or perhaps it is just due to the execution order of things, with the Floating Rules (and hence Country Block) coming before my WAN deny-everything rule. Perhaps this is a case for not having these as Floating Rules and creating them in each necessary Lan1/Lan2/Lan3 interface?
    KOM

      I'm not sure what you're expecting. If your rules say block traffic from these address ranges, then they will be blocked and logged.

      Geoblocking is completely pointless if you do not have any forwarded services, like a web server or something, since all unsolicited access to WAN is blocked by default anyway.
    johnpoz (LAYER 8 Global Moderator)

      The only reason to have specific GeoIP blocks on your WAN if you do not forward any traffic would be if you wanted to log what regions the hits were coming from vs just the normal logging of the IP in the default block log.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11
    Grimson

      https://www.netgate.com/docs/pfsense/firewall/firewall-rule-processing-order.html
    3Dogs

      OK, thanks to all. Yes, that confirms most of what I was thinking plus some things I hadn't considered.

      Yes, it is nice to see where blocks are coming from.. but I think that need will fade once I watch things for a while.. in order to keep things streamlined and using less memory. I imagine the same could be said for IP/Domain blocks on the inbound WAN not being necessary.. or inbound on any of the other interfaces for that matter.

      Would there be a benefit to having it on the outbound WAN.. or rather outbound on the Restricted/Guest wifi (where my kids would be connected)? One thing I am trying to protect from is the kids clicking on something on their tablets/games etc. that then connects to some overseas URL which then opens a hole for things to be downloaded.
    johnpoz (LAYER 8 Global Moderator)

      You normally would not put any sort of rule on "outbound" WAN..

      Rules are evaluated as traffic enters an interface towards pfSense from the network that interface is connected to.

      If you want to block something on your LAN or OPT or any other "LAN"-side network, then you would place the block on that interface.
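    The two points the thread settles on (floating rules are evaluated before the interface tab's rules, and a rule only ever sees traffic entering the interface it is bound to) can be checked with a small model of the processing order described in the Netgate document Grimson linked. The block below is an added illustration written for this page; it is not pfSense code and not anything posted in the thread. The interface names, rule names and address ranges (RFC 5737 test networks standing in for a pfBlockerNG country aggregate) are constructed, and pfSense's real ruleset has many more matching criteria than source and destination.

```python
# Added example (not pfSense code and not from the thread): a small model of
# the rule processing order the linked Netgate doc describes. Floating rules
# are evaluated first, then the rules on the tab of the interface the packet
# enters. A matching rule marked "quick" ends evaluation at once (pfSense
# interface-tab rules are quick); otherwise the last matching rule wins. A
# packet matching nothing hits the implicit default deny. Interface names,
# rule names and address ranges below are constructed for the demo.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                                   # "pass" or "block"
    interfaces: frozenset                         # interface tabs the rule is bound to
    src_nets: list = field(default_factory=list)  # empty list = any source
    dst_nets: list = field(default_factory=list)  # empty list = any destination
    quick: bool = True

    def matches(self, iface, src, dst):
        """True if the rule is bound to `iface` and src/dst fall in its networks."""
        if iface not in self.interfaces:
            return False
        src_ok = not self.src_nets or any(src in n for n in self.src_nets)
        dst_ok = not self.dst_nets or any(dst in n for n in self.dst_nets)
        return src_ok and dst_ok


@dataclass
class Ruleset:
    floating: list          # floating tab, evaluated first
    per_interface: dict     # interface name -> rules on that interface's tab

    def evaluate(self, iface, src, dst):
        """Decide a packet entering `iface` from `src` toward `dst`.

        Returns (action, stage, rule_name); stage is "floating", "interface"
        or "default". Rules bound to other interfaces are never consulted,
        which is why a rule on the WAN tab cannot see traffic entering a LAN.
        """
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        last_match = None
        stages = (("floating", self.floating),
                  ("interface", self.per_interface.get(iface, [])))
        for stage, rules in stages:
            for rule in rules:
                if not rule.matches(iface, src, dst):
                    continue
                if rule.quick:
                    return rule.action, stage, rule.name
                last_match = (rule.action, stage, rule.name)   # non-quick: last match wins
        return last_match or ("block", "default", "default deny")


# Constructed stand-in for a pfBlockerNG country aggregate (TEST-NET-3, RFC 5737).
GEOIP_TOP = [ipaddress.ip_network("203.0.113.0/24")]
GUEST_NET = ipaddress.ip_network("10.20.0.0/24")   # constructed guest/kids network


def build_ruleset(geoip_block_on_guest=True):
    """Rules resembling the thread's setup: pfBlockerNG block as a floating rule
    bound to WAN, no port forwards on WAN, LAN wide open, guest restricted."""
    floating = [Rule("pfB_Top_v4", "block", frozenset({"wan"}), src_nets=GEOIP_TOP)]
    guest = []
    if geoip_block_on_guest:
        # Outbound policy for the guest network lives on the GUEST tab, because
        # that is where those packets enter pfSense.
        guest.append(Rule("Guest_block_geoip", "block", frozenset({"guest"}), dst_nets=GEOIP_TOP))
    guest.append(Rule("Guest_allow_any", "pass", frozenset({"guest"}), src_nets=[GUEST_NET]))
    per_interface = {
        "wan": [],   # no pass rules: unsolicited traffic reaches default deny
        "lan": [Rule("LAN_allow_any", "pass", frozenset({"lan"}))],
        "guest": guest,
    }
    return Ruleset(floating, per_interface)


def scenarios():
    """Four packets, each evaluated on the interface it enters."""
    rs = build_ruleset()
    # Variant: GeoIP destination block placed only on the WAN tab.
    wan_only = build_ruleset(geoip_block_on_guest=False)
    wan_only.per_interface["wan"].append(
        Rule("WAN_block_geoip_dst", "block", frozenset({"wan"}), dst_nets=GEOIP_TOP))
    return {
        # Unsolicited WAN hit from a listed range: logged under the floating rule's
        # name, even though default deny would have dropped it anyway.
        "wan_from_listed_range": rs.evaluate("wan", "203.0.113.5", "198.51.100.1"),
        # Unsolicited WAN hit from an unlisted range: plain default deny.
        "wan_from_unlisted_range": rs.evaluate("wan", "192.0.2.9", "198.51.100.1"),
        # Guest client toward a listed range, block on the GUEST tab: caught there.
        "guest_to_listed_range": rs.evaluate("guest", "10.20.0.15", "203.0.113.80"),
        # Same packet, block only on the WAN tab: never consulted, guest pass rule wins.
        "guest_to_listed_range_wan_rule_only": wan_only.evaluate("guest", "10.20.0.15", "203.0.113.80"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:40s} -> {result}")
```

    The first two scenarios are the original question: the floating pfBlockerNG rule matches before the WAN tab is reached, so the hit is logged under the GeoIP rule's name rather than as a default-deny entry, which is the only practical difference when there are no port forwards. The last two scenarios are johnpoz's closing point: a block meant for the kids' devices has to sit on the guest interface, where their packets enter; placed on the WAN tab it is never evaluated for that traffic.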
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.