Rule to allow network access isn't working



  • Currently I have installed a complete pfSense firewall, version 2.4.4-p3.
    I know the default rule for LAN allows network access to the internet, but I want to set my rule specifically, so I edited the default rule to:

    • Protocol: IPv4 *
    • Source: LAN net
    • Port: *
    • Destination: WAN net
    • Port: *

    But after I edited the default rule, my client can't use Google. Please help me with this problem.



  • Because you limited your whole LAN to only being able to reach the WAN's net, whatever that is for you.

    Yea, let me rephrase that: you have blocked yourself from reaching the whole rest of the world.



  • @chpalmer I think it will be more secure in the LAN.


  • LAYER 8 Netgate

    If you get this address from your ISP:

    192.0.2.103/24

    And your gateway is 192.0.2.1

    And if you limit destinations to the WAN network, you will only be able to access anything in 192.0.2.0/24.

    WAN network is the subnet of the WAN interface. The internet is Destination any.



  • Hi everyone,
    Today I configured the rule for LAN as in the image below:
    [screenshot]

    And I have not yet configured a rule for WAN. But when I use the client to go to the Google website, it works, although I have not yet configured a rule for WAN ????
    [screenshot]

    [screenshot]


  • LAYER 8 Global Moderator

    Why would you think you need a rule on wan? Rules on wan are only for unsolicited traffic inbound to your wan.

    When you allow traffic out from your "lan" or any other network on your lan side, the state is what allows the return traffic... Not a rule you put on wan.

    The only time you need rules on wan is if you're doing port forwarding, or want to allow something to access a service on your wan, or pass through to a network behind it if you're actually routing and not NATing.

    For example, say you wanted to be able to ping your wan IP from the internet; then you would need a rule on wan to allow that.


  • LAYER 8 Netgate

    Your rule is TCP-only. That won't work for UDP, etc. DNS is generally UDP so you probably won't have very good results with that.


  • LAYER 8 Global Moderator

    ^ Yup, very true... Kind of hard for clients to resolve anything with those rules, unless you're doing DoH or DoT for DNS on the client, or serving up DoT to your clients on unbound.
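
To make the replies' point concrete, here is an added example (not code from the thread or from pfSense) that models how the destination and protocol fields of a LAN pass rule are matched. It uses the 192.0.2.0/24 WAN subnet quoted above; the LAN subnet, the client address and the 8.8.8.8 "internet" host are assumptions, and ports are left out because every port in the thread's rule is "*".

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Constructed addresses. The WAN subnet is the one quoted in the thread (192.0.2.0/24,
# gateway 192.0.2.1); the LAN subnet is an assumption, the thread never states it.
LAN_NET = IPv4Network("192.168.1.0/24")
WAN_NET = IPv4Network("192.0.2.0/24")      # what the "WAN net" alias expands to

@dataclass(frozen=True)
class PassRule:
    proto: str                      # "any", "tcp" or "udp" (the IPv4 * / TCP choice in the GUI)
    src: Optional[IPv4Network]      # None = any
    dst: Optional[IPv4Network]      # None = any (the "Destination: any" the replies ask for)

def rule_matches(rule: PassRule, proto: str, src: IPv4Address, dst: IPv4Address) -> bool:
    """True when an outbound packet seen on the LAN interface matches this pass rule."""
    return ((rule.proto == "any" or rule.proto == proto)
            and (rule.src is None or src in rule.src)
            and (rule.dst is None or dst in rule.dst))

def lan_passes(rules: List[PassRule], proto: str, src: IPv4Address, dst: IPv4Address) -> bool:
    """First matching pass rule wins; with no match the interface's implicit default denies.
    No WAN-side rule is consulted: the state created here is what lets the reply back in."""
    return any(rule_matches(r, proto, src, dst) for r in rules)

# The three rule sets the thread talks about.
OP_EDITED = [PassRule("any", LAN_NET, WAN_NET)]   # Destination: WAN net
SHIPPED = [PassRule("any", LAN_NET, None)]        # Destination: any (the default LAN rule)
TCP_ONLY = [PassRule("tcp", LAN_NET, None)]       # the later TCP-only rule

CLIENT = IPv4Address("192.168.1.50")        # a LAN host (constructed)
INTERNET_DNS = IPv4Address("8.8.8.8")       # stands in for "the rest of the world" (constructed)
WAN_NEIGHBOR = IPv4Address("192.0.2.7")     # another host on the ISP's 192.0.2.0/24 (constructed)

if __name__ == "__main__":
    for name, rules in (("OP edited", OP_EDITED), ("shipped default", SHIPPED), ("TCP only", TCP_ONLY)):
        print(f"{name:16} TCP/443 -> 8.8.8.8: {lan_passes(rules, 'tcp', CLIENT, INTERNET_DNS)}  "
              f"UDP/53 -> 8.8.8.8: {lan_passes(rules, 'udp', CLIENT, INTERNET_DNS)}  "
              f"TCP -> 192.0.2.7: {lan_passes(rules, 'tcp', CLIENT, WAN_NEIGHBOR)}")
```

With the edited rule only the WAN neighbour is reachable; the shipped rule reaches everything; the TCP-only rule passes the web session but drops the UDP/53 DNS lookup that has to precede it.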

