Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Floating Rule - permit rule on WAN block traffic on LAN

    Scheduled Pinned Locked Moved Firewalling
    6 Posts 2 Posters 481 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      Mimmozart
      last edited by

      Hello everyone, this is my first post.

      I was testing the floating rules. I have configured a rule on WAN interface, out direction, UDP protocol, port 53, action PASS. If I run nslookup from the firewall shell the result is ok, but if I do it from a client, I don't get the response. I have logged that the rule is matched but I cannot understand why the client is not receiving the response.
      pfsense is configured with 2 interfaces: WAN with no defined rule and LAN with a pass all rule. There is the default NAT rule (masquerade).
      If i disable rule, nslookup is ok and i can navigate on internet.
      Any idea?

      P.s. Sorry for my english and Thanks for your help

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @Mimmozart
        last edited by

        @Mimmozart said in Floating Rule - permit rule on WAN block traffic on LAN:

        I have configured a rule on WAN interface, out direction, UDP protocol, port 53, action PASS.

        Why ?
        A (floating) firewall rule has something like 48 settings and options. Sure, some combination can mess up traffic pretty good.
        Please included details like screen shots etc, something that can be used to find an answer.

        @Mimmozart said in Floating Rule - permit rule on WAN block traffic on LAN:

        If i disable rule, nslookup is ok and i can navigate on internet.
        Any ideas?

        Yeah.
        Stop testing 😊

        @Mimmozart said in Floating Rule - permit rule on WAN block traffic on LAN:

        There is the default NAT rule (masquerade).

        There is not default NAT rule.

        @Mimmozart said in Floating Rule - permit rule on WAN block traffic on LAN:

        but if I do it from a client, I don't get the response.

        What DNS is used by this client ?
        (The IP of) pfSEnse ?
        Some other private data collector like "8.8.8.8" ?
        The DNS your ISP assigned you ?

        Default, all these IP's are accessible by clients on a LAN, none and nothing is blocked.

        Did you change any DNS related (unbound) settings ?

        @Mimmozart said in Floating Rule - permit rule on WAN block traffic on LAN:

        UDP protocol, port 53, action PASS

        We are way past 1983, where DNS was UDP only. Add TCP also.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        M 1 Reply Last reply Reply Quote 0
        • M
          Mimmozart @Gertjan
          last edited by

          @Gertjan

          Hi, thanks for your help.

          Client use 8.8.8.8 DNS.
          Pfsense has two ip addresses:
          LAN 172.16.20.1/24
          WAN 10.10.10.11 /24 - GW 10.10.10.1

          client --- > pfsense
          172.16.20.100/24 WAN 10.10.10.11 - GW 10.10.10.1
          GW 172.16.20.1 LAN 172.16.20.1
          DNS 8.8.8.8

          pfsense1.png

          1 Reply Last reply Reply Quote 0
          • M
            Mimmozart
            last edited by

            pfsense1.png

            1 Reply Last reply Reply Quote 0
            • GertjanG
              Gertjan
              last edited by

              The default behaviour of a firewall is : block everything.

              LAN rules are fine.
              WAN rules (none) is ok.

              A client device on LAN can have 8.8.8.8 as a DNS, it should be is reachable as any other IP on the Internet. If not, your issue is up stream (above pfSense).

              You're floating rule shows 0/0 which means : it never applies / matches. Understandable, as the source is "WAN Address" which means a device from the WAN network would use the WAN address of pfSense to do DNS lookup (?). That's totally .... not common at all.
              Just delete this floating rule as it has no sense at all.
              Or start explaining why you think you need this rule.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              1 Reply Last reply Reply Quote 0
              • M
                Mimmozart
                last edited by

                Hi,

                I configured this rule only to test floating rules. If I understand, this rule should allow outgoing requests from the WAN ip to any UDP port 53 destination. What confuses me is that enabling this rule, the access DNS from the client does not work.

                Thanks

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.