What CIDR block and firewall rules for WAN Security needed?
-
Hello,
Can someone tell me what CIDR block and firewall rules for WAN Security are needed? I think I changed some firewall settings and now my WAN picks up LAN, DMZ, or Captive Portal addresses.
I only want essential firewall rules for any required communication.
-
@burlinwa huh? You're seeing your own local IPs hitting your WAN interface?
Out of the box there are no rules on WAN. All are blocked; there is no need for any rules on WAN unless you want to allow some specific unsolicited inbound traffic.
-
@burlinwa said in What CIDR block and firewall rules for WAN Security needed?:
Hello,
Can someone tell me what CIDR block and firewall rules for WAN Security are needed? I think I changed some firewall settings and now my WAN picks up LAN, DMZ, or Captive Portal addresses.
I only want essential firewall rules for any required communication.
How would anyone else know what CIDR block you're using?
-
@jarhead I'm sorry jarhead. I thought the WAN CIDR has to be set specifically for its provider.
Mine is via DHCP, but I was not sure if I need to have a specific setting much lower or just set it to /24 like the internal networks.
I read you can use different settings, but I just wanted to confirm the setting needed for a home lab setup.
Forgive the lack of knowledge, but I am actively pursuing becoming more knowledgeable. -
@johnpoz Thanks John, I'll check the settings.
I might have added a setting I shouldn't have. -
@burlinwa If I were you, and you're just playing around in a homelab setting, and you're not too deep into the weeds with settings and stuff, I would reset to default settings and start over from scratch. It's really easy to do.
Then, when you're back up and running (should take less than 10 minutes), make lots of notes, make lots of config "saves" as you go, and figure out what you're doing.
-
@akuma1x I have considered that and will make small changes and test, and put more meaningful descriptions: required, do not edit, mandatory order. I think that will help. Thanks.
-
@burlinwa Are you familiar with making periodic (or on demand) config backups?
https://docs.netgate.com/pfsense/en/latest/backup/configuration.html
If you are playing around and experimenting, learning how the system works, this is a really easy way to "roll-back" config settings to a known working version, after you make a mess of your settings. This way, you can reload that config back into pfsense, wipe the incorrect stuff out, and be back up and running in a matter of minutes. I've used it plenty of times on my stuff too.
-
@akuma1x Yes Sir, I'll do a reset and get my backups set up again.
I'll document better and put notes on what I changed in between backups.
That way I might just revert or disable changes and see if it corrects problem before opting for a backup configuration restore.
I'll try to avoid messing with settings at 1 am in the morning as well. 🥺 -
@burlinwa Even easier way to restore is to use the Auto Config Backup service provided by Netgate. Find it in the Services menu.
You can literally go back to before you made each change, or go all the way to a fresh install. -
@jarhead said in What CIDR block and firewall rules for WAN Security needed?:
@burlinwa Even easier way to restore is to use the Auto Config Backup service provided by Netgate. Find it in the Services menu.
I use this myself, so I know what you're talking about. But, is this turned on by default for every installation of pfsense? Or, does the user have to initiate it by manually turning it on?
I checked the ACB instructions in the online manual, but it doesn't specify one way or the other - on or off by default.
So, yes, I would agree with you, but I would bet lots of pfsense users don't even realize that this is a built-in function on their systems.
-
@akuma1x Has to be turned on. Definitely worth turning it on!
-
@burlinwa said in What CIDR block and firewall rules for WAN Security needed?:
@jarhead I thought the WAN CIDR has to be set specifically for its provider
If you're asking about the subnet mask, your ISP would give you that, either with static IP settings or, if they tell you to use DHCP, then they set it. Static IPs are often smaller, like a /29 or /30. We have a /25 in our data center.
-
@steveits Thank you, and yes, the subnet is what I was referring to.
I have to connect my WAN interface in a wonky way to wireless shared internet from my laptop currently.
Thank you for the info as it is working correctly now. -
@jarhead I have automatic backups on and will do a manual backup each time I login to pfsense before changes. A valuable reminder. Thank you.