WAN Address



  • Hi,

    I built a firewall based on pfsense with 4 interfaces (WAN, LAN, DMZ and OPT).

    I found something strange trying to set up some rules in the firewall. The aim of the rule was to allow HTTP protocol from DMZ to WAN. First of all (in order to check how things were working), I made a PASS rule (in the DMZ section) from ANY to ANY with HTTP as the destination protocol. As expected, everything was working very well. But this rule allows DMZ to contact LAN on HTTP as well, so I needed to be more precise in the definition of the rule. Then I changed the rule to PASS from ANY to WAN Address with HTTP as the destination protocol, and then I could not use HTTP even to the outside world. Did I do something wrong? What is the real meaning of "WAN Address"?

    Am I supposed to make a PASS rule from ANY to ANY and then make REJECT rules from ANY to LAN and from ANY to OPT?

    All the input that could help me to clarify this topic would be extremely welcome.

    Regards,
    Chris



  • Destination "WAN address" means exactly that: the destination has to be the address of the WAN interface in order to be allowed.

    If you want to forbid access to LAN from DMZ you can change the rule to: "Destination: LAN" and select the NOT checkbox (invert the sense of the rule).
    Like this you have a "Any" to "Any except LAN" rule.

    If you want to block access to anything except the internet (block OPT, LAN), I think you'd be better off creating an Alias that includes the networks LAN and OPT and making two rules on DMZ:
    1: Block rule with your Alias as destination.
    2: Allow any to any

    Rules are processed from top to bottom.
    If a rule matches, the rest below is no longer considered.
    There is an invisible "block all" rule at the bottom of the rules.
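The rule semantics described in the reply above (a "WAN address" destination being one host address, the NOT checkbox inverting the destination, an alias bundling LAN and OPT, top-down first match, and the invisible block-all at the bottom), modelled as an added example that is not pfSense code and not from the original thread; the interface addresses, networks and target hosts are constructed sample values.

```python
import ipaddress

# Constructed lab addressing (assumption, not from the thread).
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")
NETS = {
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "OPT net": ipaddress.ip_network("192.168.2.0/24"),
}
ALIASES = {"internal": ["LAN net", "OPT net"]}  # alias bundling two networks


def dst_matches(spec, dst):
    """Does destination IP `dst` match a rule's destination spec?"""
    if spec == "any":
        return True
    if spec == "WAN address":
        return dst == WAN_ADDRESS  # one host address, not "the internet"
    if spec in ALIASES:
        return any(dst_matches(member, dst) for member in ALIASES[spec])
    return dst in NETS[spec]


def evaluate(rules, dst, dport=80):
    """Top-down, first match wins; invisible block-all at the bottom."""
    for action, spec, invert, port in rules:
        hit = dst_matches(spec, dst)
        if invert:  # the NOT checkbox inverts the destination match
            hit = not hit
        if hit and port in ("any", dport):
            return action
    return "block"  # the invisible default-deny rule


# rule = (action, destination spec, invert(NOT), destination port)
RULESETS = {
    "pass any->WAN address": [("pass", "WAN address", False, 80)],
    "pass any->NOT LAN": [("pass", "LAN net", True, 80)],
    "block alias, pass any": [("block", "internal", False, "any"),
                              ("pass", "any", False, 80)],
}
TARGETS = {"LAN host": "192.168.1.20", "OPT host": "192.168.2.20",
           "internet": "198.51.100.5", "firewall WAN IP": "203.0.113.10"}


def outcomes(ruleset_name):
    """Verdict for HTTP from DMZ to each target under one ruleset."""
    return {t: evaluate(RULESETS[ruleset_name], ipaddress.ip_address(ip))
            for t, ip in TARGETS.items()}


if __name__ == "__main__":
    for name in RULESETS:
        print(name, outcomes(name))
```

The first ruleset reproduces the original poster's symptom (only the firewall's own WAN IP passes, the internet is blocked); the other two give the intended "everything except internal networks" result.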



  • Thanks a lot for your excellent answer.

    In fact, I thought "WAN Address" was similar to everything on the other side of the WAN interface, like on the SonicWall firewall I was administering before. Your description is very clear, and I think the NOT LAN is an excellent idea in my situation.

    Your extra comment on the rule processing was very instructive as well. I am certain to reach my objectives now.

    Regards,
    Chris

