Whitelisting Inverted WAN Rule
This is a bit hard to explain but I'm going to give it a shot. On my firewall, I allow certain ports in (i.e. ssh, VoIP, etc.). In pfBlockerNG, I have GeoIP blocking set up where all the countries are disabled except for North America. I have North America set to "Deny Inbound" and "Invert Source" for the advanced firewall rule options. The idea behind this is to block all countries except North America traffic without overloading my pfSense box with firewall rules of the entire world.
For reasons unknown, I started running into issues with Vonage (VoIP) recently. Looking at the firewall logs, I noticed that I have some incoming sources from the EU on my WAN Interface that are getting blocked (rule: pfB_NAmerica_v4 auto rule) and causing my issue. My VoIP box sits on a VLAN all to itself, if that matters.
What I need to do is on my WAN interface, allow traffic destined to 192.168.119.5 to be excluded from the pfBlockerNG WAN filter. Does anybody have an idea of how to accomplish whitelisting internal address space on the WAN interface?
There was recently a post here in a thread that, almost as a side note, commented that inverting might cause unexpected issues, which I found interesting.
Regardless, why do it that way and not "block all traffic" but allow North America on those rules? We use pfBlocker to create an Alias Native alias and then use that in any rule we want: https://forum.netgate.com/topic/125250/firewall-rules-order/25
@teamits said in Whitelisting Inverted WAN Rule:
Regardless, why do it that way and not block all traffic but allow North America on those rules? We use pfBlocker to create an Alias Native alias and then use that in any rule we want: https://forum.netgate.com/topic/125250/firewall-rules-order/25
There was a reason why I set it up the way I did, which I now forgot. I have a feeling that it was related to the number of firewall rules that were being inserted.
I'll have to look into this again. Maybe the invert source is causing a problem.
Using a large alias on many NAT or firewall rules can slow down the web GUI as it downloads the alias hint/tooltip multiple times. In one case for similar connections to multiple servers, we changed the NAT rules to allow any source IP, turned off the linked firewall rule, and created one firewall rule to allow "from the alias" to all of the servers on that same port, so there is only one rule using the alias instead of many.
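To make the two approaches in this thread concrete (the inverted "Deny Inbound" rule from the question, and the "block all, pass from an Alias Native table" approach suggested in the replies), here is an added illustration written in plain pf syntax. It is not pfSense's generated ruleset and not pfBlockerNG's code; the table name pfB_NAmerica_v4 comes from the log entry in the question, the VoIP host 192.168.119.5 comes from the question, and the interface name, the ssh host and the VoIP port numbers are assumptions.

```pf
# Added illustration in plain pf syntax (not pfSense's /tmp/rules.debug and
# not pfBlockerNG output). Assumed: interface em0, ssh host 192.168.119.10,
# VoIP ports. Table name and VoIP host are taken from the thread.
wan       = "em0"
voip_host = "192.168.119.5"
ssh_host  = "192.168.119.10"

# One table holds every North American network, however many there are, so
# the rule count does not grow with the size of the GeoIP list. pfBlockerNG
# keeps this table populated; the file path is omitted here.
table <pfB_NAmerica_v4> persist

# --- Approach 1: the question's setup ("Deny Inbound" + "Invert Source") ---
# Inverting the source turns the rule into "block everything NOT in the
# table". With "quick", the first matching rule wins, so any exception for
# the VoIP host has to sit ABOVE this block rule. pf applies rdr (port
# forward) before filtering, so the WAN filter rule already sees the
# internal address 192.168.119.5 as the destination, which is why a
# whitelist can name the internal host on the WAN interface.
pass  in quick on $wan proto udp from any to $voip_host port 5060   # port assumed
block in quick on $wan from ! <pfB_NAmerica_v4> to any

# --- Approach 2: default deny, then pass from the alias (the replies) ---
# A block rule without "quick" acts as the default: it only applies when no
# later rule matches. Each service then gets a pass rule whose source is the
# North America table, and the VoIP host gets a pass from anywhere, so EU
# sources reach it without touching the GeoIP rule at all. The alias is
# referenced once per rule, matching the "one rule using the alias" advice.
block in on $wan all
pass  in quick on $wan proto tcp from <pfB_NAmerica_v4> to $ssh_host  port 22
pass  in quick on $wan proto udp from any               to $voip_host port 5060   # port assumed
```

When building this in the pfSense GUI rather than pf.conf, the ordering caveat is the same: a pass rule for the VoIP host only takes effect if it is evaluated before the pfB_NAmerica_v4 auto rule. pfBlockerNG normally inserts its auto rules ahead of user WAN rules (check its rule-order setting; that placement is an assumption to verify on your install), which is one reason the replies prefer an Alias Native table used in ordinary firewall rules over an auto-generated inverted block rule.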