Netgate Discussion Forum

WAN Interface Block private networks and loopback addresses setting correct?

General pfSense Questions
4 Posts 3 Posters 3.2k Views
jeff3820, Oct 18, 2018, 4:25 AM

    In my network I have to run in a double NAT setup as the ISP modem cannot be set to bridge mode. I have set up the ISP router to DMZ the 192.168.0.3 static address I've assigned to my pfSense firewall. My question is with the settings on the WAN interface of pfSense... should the Block private networks and loopback addresses setting be unchecked or checked? Initially I had it checked and all appeared to work fine, but with additional reading, since 192.168 is a private address, the box should be unchecked. Seems to work either way, but which is correct?

    Running 2.4.4 if it matters.

    [Attachment: screenshot of the pfSense WAN interface settings, Oct 17, 2018]

viragomann, Oct 18, 2018, 11:27 AM

      You only have to uncheck it if you want to allow incoming connections and if you have forwarded traffic from your ISP router.
      For outbound connections it is irrelevant.

johnpoz (LAYER 8 Global Moderator), Oct 18, 2018, 12:39 PM (last edited Oct 18, 2018, 12:40 PM)

        Even in the case of forwarding traffic from the router, unless it was source natting the traffic, the block RFC1918 rule is only on the source IP, not the dest IP. So forwarded traffic from the internet, i.e. public IPs, would not be blocked.

        Look here, post from Derelict:
        https://forum.netgate.com/topic/119431/block-private-networks-what-does-that-do-what-is-it-used-for/6
        These are the rules generated on my WAN interface for the block RFC1918 checkbox:
        block anything from private networks on interfaces with the option set

        block in log quick on $WAN from 10.0.0.0/8 to any tracker 12000 label "Block private networks from WAN block 10/8"
        block in log quick on $WAN from 127.0.0.0/8 to any tracker 12000 label "Block private networks from WAN block 127/8"
        block in log quick on $WAN from 172.16.0.0/12 to any tracker 12000 label "Block private networks from WAN block 172.16/12"
        block in log quick on $WAN from 192.168.0.0/16 to any tracker 12000 label "Block private networks from WAN block 192.168/16"
        block in log quick on $WAN from fc00::/7 to any tracker 12000 label "Block ULA networks from WAN block fc00::/7"

        They block connections coming INTO WAN sourced from addresses in the RFC1918 list of addresses (and localhost and IPv6 ULA).

        They will not block port-forwarded or 1:1 traffic from an upstream router unless that device also NATs the source address to something that matches these rules.

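The rule semantics described in the post above, as an added example that is not part of the thread and is not pfSense code: a small Python emulation of the five `block in quick on $WAN from <net> to any` rules, run over constructed sample packets for the poster's double-NAT layout. It matches on the source address only, exactly as the quoted rules do, and models the one pf behaviour that makes the option irrelevant to outbound traffic, namely that the state table is consulted before the ruleset. The pfSense WAN address 192.168.0.3 is from the thread; the ISP router address 192.168.0.1, the ports, the public addresses and the single recorded state are assumptions.

```python
"""Emulation of the WAN rules pfSense generates for the "Block private
networks and loopback addresses" option.

Added example, not code from pfSense or from any post in this thread.
Only 192.168.0.3 (the pfSense WAN address) comes from the thread; the ISP
router address 192.168.0.1, ports, public addresses and the state entry
below are constructed assumptions.
"""
import ipaddress
from typing import Dict, NamedTuple, Optional, Set, Tuple

# The five 'block in log quick on $WAN from <net> to any' rules quoted in the
# thread. Note the 'to any': the destination address is never consulted.
BLOCK_SOURCE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


class Packet(NamedTuple):
    src: str    # source address as it arrives on the WAN interface
    sport: int  # source port
    dst: str    # destination address (pfSense WAN address for forwards)
    dport: int  # destination port
    note: str   # description of the scenario


def block_private_matches(pkt: Packet) -> Optional[str]:
    """Return the label of the first block rule whose SOURCE network contains
    pkt.src, or None if none matches. Mirrors 'from <net> to any': the
    destination plays no part in the decision."""
    src = ipaddress.ip_address(pkt.src)
    for net in BLOCK_SOURCE_NETS:
        if src.version == net.version and src in net:
            return f"Block private networks from WAN block {net}"
    return None


# A state is recorded as (our_ip, our_port, remote_ip, remote_port) when
# pfSense itself opens a connection out through WAN.
State = Tuple[str, int, str, int]


def wan_inbound_verdict(pkt: Packet, outbound_states: Set[State]) -> str:
    """Verdict for a packet arriving inbound on WAN.

    pf looks the packet up in the state table before evaluating rules, so a
    reply to a connection pfSense opened passes by state and never reaches
    the block rules. Otherwise the 'quick' block rules are checked first;
    anything they do not match continues to the remaining WAN rules."""
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in outbound_states:
        return "pass (matched existing state)"
    label = block_private_matches(pkt)
    if label is not None:
        return f"block ({label})"
    return "pass to remaining WAN rules"


PFSENSE_WAN = "192.168.0.3"  # from the thread
ISP_ROUTER = "192.168.0.1"   # assumed address of the upstream ISP router

# Constructed sample traffic as seen on the pfSense WAN interface.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", 51234, PFSENSE_WAN, 443,
           "port-forwarded from the internet, ISP router keeps the source"),
    Packet(ISP_ROUTER, 51234, PFSENSE_WAN, 443,
           "port-forwarded from the internet, ISP router source-NATs to itself"),
    Packet(ISP_ROUTER, 80, PFSENSE_WAN, 40000,
           "reply to a connection pfSense opened to the ISP router"),
    Packet("127.0.0.1", 4000, PFSENSE_WAN, 22, "spoofed loopback source"),
    Packet("fd00::1", 4000, "2001:db8::3", 22, "IPv6 ULA source"),
    Packet("2001:db8:ffff::9", 4000, "2001:db8::3", 22, "public IPv6 source"),
]

# One constructed state: pfSense connected from port 40000 to the ISP
# router's web UI on port 80, so the router's reply should pass by state.
OUTBOUND_STATES: Set[State] = {(PFSENSE_WAN, 40000, ISP_ROUTER, 80)}


def evaluate_samples() -> Dict[str, str]:
    """Map each scenario note to its verdict string."""
    return {p.note: wan_inbound_verdict(p, OUTBOUND_STATES) for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for note, verdict in evaluate_samples().items():
        print(f"{verdict:60} <- {note}")
```

The second sample is the case johnpoz and Derelict warn about: a forward that the ISP router source-NATs to its own 192.168.0.1 address is blocked, while the same forward with the original public source passes. The third sample shows why the option does not touch outbound traffic: the router's reply matches an existing state before any rule is evaluated.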
jeff3820, Oct 18, 2018, 4:53 PM

          Perfect...thanks for the clarification!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.