Netgate Discussion Forum

Can I block bogon / private networks when pfSense is in DMZ behind ISP router

Firewalling
Kryptonic, last edited Mar 1, 2021, 11:27 AM

Hello

I have been using pfSense for a few years now. Everything works fine, but I think my configuration could be better or more secure (even if everything works as expected). For example, I turned off the blocking of bogon and private networks (while following a tutorial for OpenVPN) on the WAN interface of my pfSense, but I’m not sure it was necessary.
I would like to know if I can block private and bogon networks, or if this will cause problems in my home setup.

I have set my pfSense FW (192.168.0.250/24) in the DMZ of our ISP’s modem/router.
DHCP and Wifi are turned off on the ISP’s modem/router. So on my pfSense the WAN is 192.168.0.250 (also the DMZ of my ISP) and the default LAN interface is the 192.168.1.0/24 network.
I read in another thread that port-forwarded (1:1) traffic from an upstream router will not be blocked unless this router NATs the source address to a bogon or private address. https://forum.netgate.com/topic/119431/block-private-networks-what-does-that-do-what-is-it-used-for/6
I’m not sure if this is the case in my setup. Could someone perhaps give me an example of this scenario so I can better understand?

The way I see it: my ISP’s modem/router will forward all incoming traffic to the pfSense FW, which is facing the internet in the DMZ (192.168.0.250), and nothing will be blocked because ports are forwarded 1:1.
Does this also mean there is always NATting going on while the incoming traffic is forwarded to the DMZ (pfSense), because a public address needs to be translated to a local address to get to my pfSense?
In that case, will this NATting translate the source address to a private address (and be blocked by the rules that block bogon and private addresses)?

I’m sorry if this is a dumb question; my theory about port forwarding and NATting may be wrong.
Thank you for any advice/help.

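The DNAT-only versus DNAT-plus-SNAT distinction that the linked thread describes, modeled in Python as an added example (not part of the post and not pfSense code). The pfSense WAN address is the one from the post; the ISP router's public and LAN addresses and the extra LAN host are assumed; the private and bogon range lists are simplified, constructed stand-ins for what the two WAN options actually match, and the "public" client addresses are RFC 5737 documentation addresses used only as placeholders.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses for the scenario described in the post. The "public"
# ones are RFC 5737 documentation addresses standing in for real Internet hosts.
ISP_ROUTER_WAN = ipaddress.ip_address("203.0.113.10")   # public side of the ISP modem/router (assumed)
ISP_ROUTER_LAN = ipaddress.ip_address("192.168.0.1")    # LAN side of the ISP modem/router (assumed)
PFSENSE_WAN = ipaddress.ip_address("192.168.0.250")     # pfSense WAN, the router's DMZ host (from the post)
INTERNET_CLIENT = ipaddress.ip_address("198.51.100.7")  # a host somewhere on the Internet (constructed)

# Ranges the pfSense WAN option "Block private networks" covers in this model
# (RFC 1918 plus loopback; simplified, IPv4 only).
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# A constructed subset of bogon space for "Block bogon networks". pfSense fetches
# the full list from Netgate; this short list exists only so the example runs
# offline and deliberately omits the RFC 5737 ranges used as placeholders above.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "100.64.0.0/10", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def upstream_router_forward(pkt, dmz_host=PFSENSE_WAN, rewrite_source=False):
    """Model the ISP modem/router's DMZ forwarding.

    DNAT only (the usual DMZ / port-forward case): the destination is rewritten
    from the router's public address to the DMZ host; the source is untouched.
    rewrite_source=True models a router that additionally SNATs (masquerades)
    the source to its own LAN address, the case the linked thread warns about.
    Returns None for packets not addressed to the router's public side.
    """
    if pkt.dst != ISP_ROUTER_WAN:
        return None
    out = replace(pkt, dst=dmz_host)
    if rewrite_source:
        out = replace(out, src=ISP_ROUTER_LAN)
    return out


def pfsense_wan_verdict(pkt, block_private=True, block_bogons=True):
    """Apply the two WAN interface options. Both match on the SOURCE address of
    inbound packets; the destination (the pfSense WAN address) plays no part."""
    if block_private and any(pkt.src in n for n in PRIVATE):
        return "blocked: private source"
    if block_bogons and any(pkt.src in n for n in BOGONS):
        return "blocked: bogon source"
    return "passed to WAN rules"


def run_scenarios():
    """Walk the cases the post asks about and return {case: verdict}."""
    inbound = Packet(INTERNET_CLIENT, ISP_ROUTER_WAN, 1194)  # e.g. OpenVPN from outside
    results = {}

    # 1. Plain DMZ / port forward: DNAT only, the public source survives.
    fwd = upstream_router_forward(inbound)
    results["dnat_only"] = pfsense_wan_verdict(fwd)

    # 2. A router that also rewrites the source to its own LAN address.
    fwd = upstream_router_forward(inbound, rewrite_source=True)
    results["dnat_plus_snat"] = pfsense_wan_verdict(fwd)

    # 3. Same packet with "Block private networks" switched off (the post's current state).
    results["dnat_plus_snat_unblocked"] = pfsense_wan_verdict(fwd, block_private=False)

    # 4. Spoofed packet from the Internet carrying an RFC 1918 source, forwarded unchanged.
    spoofed = Packet(ipaddress.ip_address("10.1.2.3"), ISP_ROUTER_WAN, 1194)
    results["spoofed_private_source"] = pfsense_wan_verdict(upstream_router_forward(spoofed))

    # 5. Source in a bogon range (CGNAT space here), forwarded unchanged.
    bogon = Packet(ipaddress.ip_address("100.64.0.5"), ISP_ROUTER_WAN, 1194)
    results["bogon_source"] = pfsense_wan_verdict(upstream_router_forward(bogon))

    # 6. Another device on the ISP router's LAN side (assumed 192.168.0.20)
    #    talking straight to the pfSense WAN address, no forwarding involved.
    local = Packet(ipaddress.ip_address("192.168.0.20"), PFSENSE_WAN, 443)
    results["local_lan_host"] = pfsense_wan_verdict(local)

    return results


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:28} {verdict}")
```

Run it to print one verdict per case. What the model shows is the point behind the claim quoted from the other thread: both WAN options key on the packet's source address after the upstream router has already rewritten the destination, so a DMZ forward that leaves the source alone passes through untouched, while a router that masquerades the source to its LAN address (192.168.0.1 in this model) trips "Block private networks" on every forwarded packet. Whether a given ISP router rewrites the source is device-specific and is not something the model can tell you; checking pfSense's firewall log for forwarded traffic whose source shows as the router's LAN address is the practical way to find out.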
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.