• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Setting Destination On WAN Firewall Rules

Scheduled Pinned Locked Moved Firewalling
9 Posts 3 Posters 426 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • T
    tman222
    last edited by tman222 Jan 1, 2023, 7:29 PM Jan 1, 2023, 7:28 PM

    Hi all,

    I have a real basic regarding WAN firewall rules: Suppose I create a simple IPv4 firewall rule on the WAN interface where I'm blocking inbound traffic from an IP alias I created to a given port. Does the destination on the rule have to be set to WAN Address or can it remain as Any? When would one need to choose one over the other?

    Thanks in advance for the clarification, I really appreciate it.

    V 1 Reply Last reply Jan 1, 2023, 7:38 PM Reply Quote 0
    • V
      viragomann @tman222
      last edited by Jan 1, 2023, 7:38 PM

      @tman222 said in Setting Destination On WAN Firewall Rules:

      Suppose I create a simple IPv4 firewall rule on the WAN interface where I'm blocking inbound traffic from an IP alias I created to a given port.

      Such a block rule is only meaningful if it is followed by a pass-rule, which matches the same traffic.
      Otherwise pfSense blocks any access on WAN anyway.

      Basically you can use any as destination in the most block-rules, since you might want to block access to any.

      T 1 Reply Last reply Jan 1, 2023, 7:48 PM Reply Quote 0
      • T
        tman222 @viragomann
        last edited by Jan 1, 2023, 7:48 PM

        Hi @viragomann - thanks for your reply. Yes, that is actually the specific use case that I had in mind, i.e. a block rule for specific set of IPs, followed by a pass rule. Does the following configuration make sense then:

        1. The WAN interface block rule can have destination Any
        2. The WAN interface pass rule that follows (after the block rule) would still have destination WAN Address

        Thanks again for your help.

        B V 2 Replies Last reply Jan 1, 2023, 7:53 PM Reply Quote 0
        • B
          Bob.Dig LAYER 8 @tman222
          last edited by Jan 1, 2023, 7:53 PM

          @tman222 said in Setting Destination On WAN Firewall Rules:

          1. The WAN interface block rule can have destination Any

          Sure

          1. The WAN interface pass rule that follows (after the block rule) would still have destination WAN Address

          Only if the destination is the firewall itself.

          1 Reply Last reply Reply Quote 0
          • V
            viragomann @tman222
            last edited by Jan 1, 2023, 7:53 PM

            @tman222 said in Setting Destination On WAN Firewall Rules:

            The WAN interface block rule can have destination Any
            The WAN interface pass rule that follows (after the block rule) would still have destination WAN Address

            The block rule would block any traffic, as well to the WAN address.
            You would have to exclude the WAN IP in the block rule. E.g. by checking "invert match" and select the WAN address.

            However, if you allow only a specific destination address and port there is no need for a block rule.

            T 1 Reply Last reply Jan 1, 2023, 8:19 PM Reply Quote 0
            • T
              tman222 @viragomann
              last edited by tman222 Jan 1, 2023, 8:19 PM Jan 1, 2023, 8:19 PM

              @viragomann said in Setting Destination On WAN Firewall Rules:

              @tman222 said in Setting Destination On WAN Firewall Rules:

              The WAN interface block rule can have destination Any
              The WAN interface pass rule that follows (after the block rule) would still have destination WAN Address

              The block rule would block any traffic, as well to the WAN address.
              You would have to exclude the WAN IP in the block rule. E.g. by checking "invert match" and select the WAN address.

              However, if you allow only a specific destination address and port there is no need for a block rule.

              Thank you both for the help, I really appreciate it. I'm not quite following the last statement:

              However, if you allow only a specific destination address and port there is no need for a block rule.

              Did you mean source address?

              With a bit more detail, the configuration I had in mind was the following (in order):

              1. Block rule with source being an IP alias and source port any, destination being any and destination port being 123456 (i.e. whatever the exposed port of the service is)
              2. Pass rule following Block rule with source being any and source port being any, then destination being WAN Address and destination being port 123456

              This would block access to the service for certain IPs contained within the IP alias and allow access to the service for the rest. Does that make sense or would there be a simpler way? I suppose if it were possible to narrow down the allowed source IPs in the Pass rule to only a certain set that would then forego the need of creating the block rule (since the firewall blocks the rest by default).

              Thanks again for all your help.

              V B 2 Replies Last reply Jan 1, 2023, 8:31 PM Reply Quote 0
              • V
                viragomann @tman222
                last edited by Jan 1, 2023, 8:31 PM

                @tman222
                I see. This makes sense then, as you only want to block certain source IPs.

                You can also achieve this with a single pass rule:
                source IP: "invert match" checked and state the alias.

                So this rule would allow any, but the IPs in the alias.

                1 Reply Last reply Reply Quote 0
                • B
                  Bob.Dig LAYER 8 @tman222
                  last edited by Jan 1, 2023, 8:31 PM

                  @tman222 Again, sure. That is how pfBlocker is doing it for me.

                  Capture.PNG

                  1 Reply Last reply Reply Quote 0
                  • T
                    tman222
                    last edited by Jan 1, 2023, 8:50 PM

                    That clears things up - thanks again @Bob-Dig and @viragomann for all your help.

                    1 Reply Last reply Reply Quote 0
                    5 out of 9
                    • First post
                      5/9
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                      This community forum collects and processes your personal information.
                      consent.not_received