Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    WAN Address

    Scheduled Pinned Locked Moved
    Firewalling
    2
    3
    1.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      ChrisHalden
      last edited by

      Hi,

      I built a firewall based on pfsense with 4 interfaces (WAN, LAN, DMZ and OPT).

      I found something strange trying to setup some rules in the firewall. The aim of the rule was to allow HTTP protocol from DMZ to WAN. First of all (in order to check how things were working), I have made a PASS rule (in DMZ section) from ANY to ANY with HTTP as destination protocol. And as expected everything was working very fine. But this rule allows DMZ to contact LAN on HTTP protocol as well so I needed to be more precise in the definition of rule. Then I changed the rule to PASS from ANY to WAN Address with HTTP as destination protocol and then I could not use HTTP even to the outside world. Did I make something wrong ? What is the real meaning of "WAN Address" ???

      A I supposed to make a PASS rule from ANY to ANY and then make REECT rules from ANY to LAN and from ANY to OPT ??

      All the input that could help me to clarify this topic would be extremely welcome.

      Regards,
      Chris

      1 Reply Last reply Reply Quote 0
      • GruensFroeschliG
        GruensFroeschli
        last edited by

        Destination WAN-adress means exactly that. that the destination has to be the address of the WAN in order to be allowed.

        If you want to forbid access to LAN from DMZ you can change the rule to: "Destination: LAN" and select the NOT checkbox (invert the sense of the rule).
        Like this you have a "Any" to "Any except LAN" rule.

        If you want to block access to anything except the internet (block OPT, LAN) i think you'd be better off with creating an Alias that includes the networks LAN and OPT and make two rules on DMZ:
        1: Block rule with as destination your Alias.
        2: Allow any to any

        Rules are processed from top to down.
        If a rule catches, the rest below is no longer considered.
        There is a invisible "block all" rule at the bottom of the rules.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        1 Reply Last reply Reply Quote 0
        • C
          ChrisHalden
          last edited by

          Thanks a lot for your excellent answer.

          In fact I thought "WAN Address" was similar to everything on the other side of the WAN interface like on the SonicWall firewall I was administrating before. Your description is very clear and I think the NOT LAN is an excellent idea in my situation.

          Your extra comment on the rule processing was very instructive as well. I am certain to reach my objectives now.

          Regards,
          Chris

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.