RFC1918 Block private networks and loopback addresses
-
Hi all,
I have a question. I am new to this forum and very new to pfSense. I've come a long way myself, but I don't understand one thing. And that is the checkbox for blocking RFC1918 networks to the WAN:
Blocks traffic from IP addresses that are reserved for private networks per RFC 1918 (10/8, 172.16/12, 192.168/16) and unique local addresses per RFC 4193 (fc00::/7) as well as loopback addresses (127/8). This option should generally be turned on, unless this network interface resides in such a private address space, too.
So if I understand correctly this will also block a VPN configuration? How can you ensure that a client (RFC1918) can use the VPN tunnel while this checkbox is enabled then?
-
You should only usually have that checked on an external interface. You should never see traffic coming from a private IP on an interface that has a public IP.
The only exception to that is if you are double NATed and need to access the pfSense device from a box in the WAN subnet and that is public.
Steve
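Added example, not part of the thread and not pfSense's own code: a Python sketch of what the checkbox matches on, using the ranges from the option description quoted in the question. It assumes the rule looks only at the source address of packets arriving on that interface; all sample addresses are constructed, and the remote VPN client's 192.168.x address is assumed to have been NATed to a public address before it reaches the WAN.

```python
import ipaddress

# Ranges named in the option description quoted in the question.
BLOCKED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "fc00::/7",                                        # RFC 4193 unique local
    "127.0.0.0/8",                                     # loopback
)]

def in_blocked_range(addr):
    """True if addr falls inside one of the ranges the option lists."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in BLOCKED_SOURCES)

def wan_verdict(src, option_enabled=True):
    """Decision for a packet arriving on an interface with the box ticked.
    Assumption: only the packet's source address is compared."""
    if option_enabled and in_blocked_range(src):
        return "block"
    return "continue to other rules"

def option_fits_interface(interface_addr):
    """The description's caveat: leave the option off when the interface
    itself sits in private address space (e.g. a double-NAT WAN)."""
    return not in_blocked_range(interface_addr)

if __name__ == "__main__":
    # Constructed samples: (description, source address seen on the WAN).
    samples = [
        ("spoofed/leaked private source", "192.168.1.50"),
        ("VPN client after its own NAT (assumed public)", "198.51.100.7"),
        ("just outside 172.16/12", "172.32.0.1"),
        ("unique local IPv6 source", "fd12:3456::1"),
    ]
    for label, src in samples:
        print(f"{src:>15}  {wan_verdict(src):<24} {label}")
    # Constructed WAN addresses: one public, one behind an upstream NAT.
    for wan in ("203.0.113.10", "192.168.0.2"):
        print(f"WAN {wan}: enable option = {option_fits_interface(wan)}")
```
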