    Open up all traffic

    Firewalling | 8 Posts, 3 Posters, 570 Views
    • farmersfightatm

      Hi, everybody! New to pfSense and loving it so far. Have a quick question:

      How would I open up ALL traffic through the firewall? I have this on an isolated private LAN for now and just want to let everything through to practice with and learn as much as I can. I think I have it set up right, but being a newbie, just wanna check with everybody. Thanks for any help!

      • SteveITS

        As in allow from WAN to LAN? Assuming you're not using NAT, a rule on WAN allowing source of Any to destination of LAN net would allow that traffic.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • farmersfightatm @SteveITS

          @teamits Thanks for the reply. What if we are using NAT? Here is the WAN rule I have: [image: Rule.jpg]

          • SteveITS @farmersfightatm

            @farmersfightatm Using NAT you will have to set up a Firewall/NAT/Port Forward to whatever device you're trying to access from the WAN. See https://docs.netgate.com/pfsense/en/latest/book/nat/index.html


            • farmersfightatm @SteveITS

              @teamits I'm having some trouble wrapping my head around that. If all traffic is allowed through, why would port forwarding be needed if you are using NAT? Is there a way to allow all traffic through a port forward rule? Thanks for your help!

              • SteveITS

                With NAT, all devices share the same public/WAN IP. If a device on WAN tries to connect, the router doesn't know where to send the packets. So, a NAT port forward tells the router where they should go.


                • bmeeks @farmersfightatm

                  @farmersfightatm said in Open up all traffic:

                  @teamits I'm having some trouble wrapping my head around that. If all traffic is allowed through, why would port forwarding be needed if you are using NAT? Is there a way to allow all traffic through a port forward rule? Thanks for your help!

                  Not trying to be a condescending jerk, but do you fully understand what NAT is and how it works?

                  With NAT, all internal hosts appear to the outside world (that is, to everyone beyond your WAN out on the Internet) as having only the single IP of your WAN port. In other words, your single public IP. So the NAT engine, when it receives a connection on a specific port, has to know which internal host (which specific LAN IP, for example) to send that traffic to. Having a "pass all" rule on the WAN still does not matter with NAT.

                  If you are talking in terms of a single internal host sending out some request to the Internet and expecting a reply, then the stateful inspection logic of the firewall will automatically allow that traffic and will, through devolving the NAT, figure out which internal host should get that reply. This is completely different from allowing some external host on the Internet to just out of the blue attempt a connection to port 80 at your public IP for a web server. In that case, the firewall needs a port forward rule so that it knows which LAN host is responsible for getting and handling all external-source port 80 destination traffic.

                  Edit: @teamits beat me to the reply. His is the short version, mine is a bit longer, but they are saying the same thing.

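The distinction both SteveITS and bmeeks draw above (a reply to an outbound connection is matched by the state table, while an unsolicited inbound connection needs a port forward to name the internal host, so a "pass all" WAN rule alone changes nothing) can be watched in a small simulation. The code below is an added illustration, not part of this thread and not pfSense or pf code; the gateway model, the `NatGateway` class and all IP addresses (taken from documentation ranges) are constructed for the example. It also treats the port forward and the WAN firewall rule as two separate checks, which pfSense normally bundles by creating the associated filter rule for you when you add the port forward.

```python
# Toy model of a stateful NAT gateway (constructed for illustration; not pf code).
from dataclasses import dataclass

WAN_IP = "203.0.113.5"   # constructed public IP of the firewall's WAN interface


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Outbound traffic is rewritten to WAN_IP and recorded in the state table.
    Inbound traffic is delivered only if it matches a state entry (a reply) or a
    port forward (an unsolicited connection); the WAN firewall rule is consulted
    only once the gateway knows which LAN host the packet is for."""

    def __init__(self, pass_all_on_wan: bool):
        self.pass_all_on_wan = pass_all_on_wan
        self.states = {}         # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.port_forwards = {}  # wan_port -> (lan_ip, lan_port)
        self._next_port = 50000  # constructed start of the NAT source-port pool

    def add_port_forward(self, wan_port: int, lan_ip: str, lan_port: int) -> None:
        self.port_forwards[wan_port] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN host -> Internet: translate the source and remember the mapping."""
        mapped = self._next_port
        self._next_port += 1
        self.states[mapped] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(WAN_IP, mapped, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Internet -> WAN_IP: decide which LAN host, if any, receives the packet."""
        # 1. Reply to a connection we opened: the state table names the LAN host.
        st = self.states.get(pkt.dst_port)
        if st and (pkt.src_ip, pkt.src_port) == (st[2], st[3]):
            return ("delivered-by-state", Packet(pkt.src_ip, pkt.src_port, st[0], st[1]))
        # 2. Unsolicited connection: only a port forward can name the LAN host.
        fwd = self.port_forwards.get(pkt.dst_port)
        if fwd is None:
            # No destination exists to pass the packet to, so the WAN rule is moot.
            return ("dropped-no-mapping", None)
        translated = Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        # 3. Now that the packet has a LAN destination, the WAN rule decides.
        if self.pass_all_on_wan:
            return ("delivered-by-port-forward", translated)
        return ("dropped-by-firewall", None)


def demo():
    """Walk through the three cases discussed in the thread."""
    gw = NatGateway(pass_all_on_wan=True)
    # a) A LAN host connects out to a web server; the reply is de-NATed via state.
    out = gw.outbound(Packet("192.168.1.10", 40000, "198.51.100.7", 443))
    reply = gw.inbound(Packet("198.51.100.7", 443, WAN_IP, out.src_port))
    # b) An outside host connects to port 80 "out of the blue": pass-all rule, no forward.
    cold = gw.inbound(Packet("198.51.100.9", 51515, WAN_IP, 80))
    # c) Same packet after a port forward names the internal web server.
    gw.add_port_forward(80, "192.168.1.10", 80)
    forwarded = gw.inbound(Packet("198.51.100.9", 51515, WAN_IP, 80))
    return out, reply, cold, forwarded


if __name__ == "__main__":
    for label, result in zip(("outbound", "reply", "cold", "forwarded"), demo()):
        print(label, result)
```

Running `demo()` shows the reply being delivered purely from state, the unsolicited packet being dropped even though the WAN rule is "pass all", and the same packet reaching 192.168.1.10 once a forward exists. Constructing `NatGateway(pass_all_on_wan=False)` and adding the forward shows the opposite half of the picture: a forward without a matching WAN rule is also not enough.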
                  • farmersfightatm @bmeeks

                    @bmeeks The minute I started reading your post, I realized the error in my thinking. Since it's on a private (home) network, I wasn't thinking of real external traffic coming in. I kept thinking in terms of it being all on my local LAN, then asked myself why I'm using NAT! I got it...thanks for y'alls help!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.