Firewall rules and NAT - Public vs Private IP used in ACL on WAN interface

  • I come from a background of Cisco, and I've always specified my rules using the address for the interface where the rule is. For a public ACL, I'm used to using the public address.

    I tried this with pfSense and it didn't work; I had to use the private address.

    This confuses me, but I suppose this is by design. Sorry if it is a newbie question. I'm just curious why?

    Or is there an option I'm missing?

  • As a stateful firewall, all rules are set where the connection begins: if it is a rule to allow access from clients, it will be on LAN. If it is the internet going to your web server, it will be on WAN.

    When using NAT, the rule is applied after translation, so the WAN rule will give access to the internal web server IP, not to the WAN's public IP.

    Except for NAT, all rules are set by source or destination IP/port.
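The NAT-before-filter order the reply describes, as an added pf ruleset excerpt in the classic FreeBSD pf syntax that pfSense generates (example config, not from either poster or from pfSense itself); the interface name em0, the public address 203.0.113.5 and the server address 192.168.1.10 are constructed values.

```pf
# Constructed example: pfSense-style port forward for a web server.
# Assumed values: WAN interface em0, public IP 203.0.113.5,
# internal web server 192.168.1.10.
wan_if  = "em0"
wan_ip  = "203.0.113.5"
web_srv = "192.168.1.10"

# 1. Translation (rdr) is evaluated before filtering: inbound packets to
#    the public address on port 80 are rewritten to the internal server.
rdr on $wan_if proto tcp from any to $wan_ip port 80 -> $web_srv port 80

# 2. Default deny on WAN: anything not explicitly passed below is dropped.
block in on $wan_if

# 3. Filter rules see the translated (private) destination, so a rule
#    written Cisco-style against the public address never matches the
#    forwarded traffic:
# pass in quick on $wan_if proto tcp from any to $wan_ip port 80

# 4. This is the rule pfSense needs: the destination is the internal
#    address. "keep state" creates the state entry, so the server's reply
#    traffic is allowed back out without a separate outbound rule.
pass in quick on $wan_if proto tcp from any to $web_srv port 80 keep state
```

In the pfSense GUI, creating the port forward with the "Add associated filter rule" option generates the equivalent of rule 4 for you, already pointing at the private address.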

