    Whitelisting Inverted WAN Rule

    pfBlockerNG
    qwerty123:

      This is a bit hard to explain but I'm going to give it a shot. On my firewall, I allow certain ports in (i.e., SSH, VoIP, etc.). In pfBlockerNG, I have GeoIP blocking set up where all the countries are disabled except for North America. I have North America set to "Deny Inbound" and "Invert Source" for the advanced firewall rule options. The idea behind this is to block all countries except North American traffic without overloading my pfSense block with firewall rules for the entire world.

      For reasons unknown, I started running into issues with Vonage (VoIP) recently. Looking at the firewall logs, I noticed that I have some incoming sources from the EU on my WAN Interface that are getting blocked (rule: pfB_NAmerica_v4 auto rule) and causing my issue. My VoIP box sits on a VLAN all to itself, if that matters.

      What I need to do is on my WAN interface, allow traffic destined to 192.168.119.5 to be excluded from the pfBlockerNG WAN filter. Does anybody have an idea of how to accomplish whitelisting internal address space on the WAN interface?

    SteveITS @qwerty123:

        There was recently a post here in a thread that, almost as a side note, commented that inverting might cause unexpected issues, which I found interesting.

        Regardless, why do it that way and not "block all traffic" but allow North America on those rules? We use pfBlocker to create an Alias Native alias and then use that in any rule we want: https://forum.netgate.com/topic/125250/firewall-rules-order/25

        Only install packages for your version, or risk breaking it. If yours is older, select it in System/Update/Update Settings.
        When upgrading, let it finish. Allow 10-15 minutes, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

    qwerty123 @SteveITS:

          @teamits said in Whitelisting Inverted WAN Rule:

          Regardless, why do it that way and not block all traffic but allow North America on those rules? We use pfBlocker to create an Alias Native alias and then use that in any rule we want: https://forum.netgate.com/topic/125250/firewall-rules-order/25

          There was a reason why I set it up the way I did, which I now forgot. I have a feeling that it was related to the number of firewall rules that were being inserted.

          I'll have to look into this again. Maybe the invert source is causing a problem.

          Thanks!

    SteveITS @qwerty123:

            Using a large alias on many NAT or firewall rules can slow down the web GUI, as it downloads the alias hint/tooltip multiple times. In one case, for similar connections to multiple servers, we changed the NAT rules to allow any source IP, turned off the linked firewall rule, and created one firewall rule to allow "from the alias" to all of the servers on that same port, so there is only one rule using the alias instead of many.


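The first-match behaviour both replies rely on, shown as an added example (this is not pfBlockerNG's or Netgate's code, and it is not from anyone in the thread). It is a small Python model of pfSense WAN rule evaluation: rules are tried top to bottom and the first match wins, and because pf applies port-forward translation before filtering, WAN rules see the internal destination such as 192.168.119.5. It compares the first post's layout (a "Deny Inbound" auto rule with "Invert Source" sitting above the admin's pass rules) with the Alias Native layout SteveITS suggests, including the single "from the alias to several servers on one port" rule from the last post. The alias contents, the "EU" source address and the SSH host addresses are constructed assumptions using RFC 5737 documentation prefixes, not real GeoIP data or the poster's network.

```python
"""Toy model of pfSense (pf) first-match WAN rule evaluation.

Added example for this thread; not pfBlockerNG's or Netgate's code.
pfSense evaluates interface rules top to bottom and the first match wins,
and pf applies port-forward (rdr) translation before filtering, so WAN
rules see the internal destination (e.g. 192.168.119.5). The alias
contents and the "EU" source below are constructed from RFC 5737
documentation prefixes, not real GeoIP data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Alias = List  # list of ip_network objects, standing in for a pf table

# Constructed stand-in for the pfB_NAmerica_v4 alias/table (assumption).
NAMERICA_V4: Alias = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


def in_alias(addr: str, alias: Alias) -> bool:
    """True when addr falls inside any network of the alias."""
    a = ip_address(addr)
    return any(a in net for net in alias)


@dataclass
class Rule:
    name: str
    action: str                       # "pass" or "block"
    src: Optional[Alias] = None       # None = any source
    invert_src: bool = False          # models pfBlockerNG's "Invert Source"
    dst: Optional[List[str]] = None   # None = any destination host
    proto: Optional[str] = None
    port: Optional[int] = None        # destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dst is not None and pkt["dst"] not in self.dst:
            return False
        if self.port is not None and pkt["port"] != self.port:
            return False
        if self.src is not None:
            hit = in_alias(pkt["src"], self.src)
            if self.invert_src:
                hit = not hit          # "from ! <alias>": match everything NOT in it
            if not hit:
                return False
        return True


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """(action, rule name) of the first matching rule, else the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "default deny"


# Layout 1: the first post. The inverted "Deny Inbound" auto rule sits above the
# admin's rules and blocks every non-alias source before the VoIP pass rule is
# ever reached, regardless of destination.
INVERTED = [
    Rule("pfB_NAmerica_v4 auto rule", "block", src=NAMERICA_V4, invert_src=True),
    Rule("allow SSH", "pass", dst=["192.168.119.10"], proto="tcp", port=22),  # host assumed
    Rule("allow VoIP SIP", "pass", dst=["192.168.119.5"], proto="udp", port=5060),
]

# Layout 2: the reply's suggestion. Alias Native only creates the table; the alias
# is placed on the rules that should be geo-restricted (once, covering several
# servers on the same port) and the VoIP rule is left open to any source.
ALIAS_NATIVE = [
    Rule("allow SSH from NAmerica", "pass", src=NAMERICA_V4,
         dst=["192.168.119.10", "192.168.119.11"], proto="tcp", port=22),  # hosts assumed
    Rule("allow VoIP SIP from anywhere", "pass", dst=["192.168.119.5"], proto="udp", port=5060),
]

# Constructed packets (post-rdr view): 192.0.2.10 plays the EU source from the log.
EU_SIP = {"src": "192.0.2.10", "dst": "192.168.119.5", "proto": "udp", "port": 5060}
EU_SSH = {"src": "192.0.2.10", "dst": "192.168.119.10", "proto": "tcp", "port": 22}
NA_SSH = {"src": "198.51.100.7", "dst": "192.168.119.10", "proto": "tcp", "port": 22}

if __name__ == "__main__":
    for label, rules in (("inverted auto rule", INVERTED), ("alias native", ALIAS_NATIVE)):
        for pname, pkt in (("EU->SIP", EU_SIP), ("EU->SSH", EU_SSH), ("NA->SSH", NA_SSH)):
            print(f"{label:18} {pname:8} -> {evaluate(rules, pkt)}")
```

Under the inverted layout the EU SIP packet is reported as blocked by "pfB_NAmerica_v4 auto rule", which is what the poster saw in the firewall log; under the Alias Native layout the same packet reaches the VoIP rule, while an EU source to SSH still falls through to the default deny. The model ignores pfBlockerNG's configurable rule ordering and floating rules; if auto rules are moved below the admin's rules the outcome changes accordingly.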