    Single Exception to "Block Private Networks"

    Firewalling
    4 Posts 3 Posters 1.4k Views
    bfts
      As "Block private networks" is set on the WAN interface, I can't access the Modem connected to that interface on 192.168.1.1

      I'd like to add a single exception to the WAN rules specifically allowing traffic to and from 192.168.1.1 BEFORE the "Block private networks" rule so that rule stays in place for every other private IP but this single one.

      Unfortunately I can not move any rule before the "Block Private Networks" rule.

      (I'm having trouble with one of my ADSL lines and just had the tech here, and we couldn't access the modem until I realised that traffic was blocked because of this rule. I'd like to add a permanent exception so others can show a tech around without me being present.)

      Any hints?

      Trel
        Could you just replace the "Block Private Networks" rule with manual blocking of the private network ranges?

        10.0.0.0/8
        172.16.0.0/12
        192.168.0.0/16

        For IPv4

        bfts
          I just left this alone for a while as I didn't need access to the modem; now I think I will need to open the WAN interface to allow communication between the modem on one side and the LAN interface on the other.
          My LANs are all in 10.10.x.x, my modems are 192.168.x.1, and the WAN interfaces are 192.168.x.10.

          What should the rule on the WAN interface look like to block everything but legit traffic from the LAN to the Modem?

          I tried to block 192.168.0.0/16 & 10.0.0.0/8 on the WAN but can still access the modem.
          My rules are (columns as in the pfSense rules table: action, protocol, source, source port, destination, destination port, gateway, queue):

          BLOCK - IP4 - 192.168.0.0/16 - * - * - * - * - none
          BLOCK - IP4 - 10.0.0.0/8 - * - * - * - * - none

          But I can still access the Modem connected on WAN.

          (Of course I want to figure out how to block first and then open it just for the modem IP.)
          Thanks

          podilarius
            So you need to remove the "Block Private Networks" option from the WAN interface. Assuming you did this:
            Add an alias for the 3 private networks (172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16).
            Create a rule in WAN to block from that alias.
            Add a rule above it to allow access to the Modem.
            If you have any rules but the default in LAN, you will need to make sure that you are not restricting outbound.

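The steps podilarius lists (drop the "Block Private Networks" checkbox, block an RFC 1918 alias on WAN, put a pass rule for the modem above it) work because of two pfSense/pf behaviours: rules on an interface are evaluated against packets entering the firewall on that interface, first match wins, and replies to an already accepted connection are matched by the state table before any rule is consulted. The toy evaluator below is an added example, not code from the thread or from pfSense, and models exactly that: the interface names, the host 10.10.0.5, the modem 192.168.1.1, the WAN address 192.168.1.10 and both rulesets are constructed for illustration (NAT is omitted, and the modem is assumed to route back to the LAN). It shows why two manual block rules on WAN do not stop a LAN host reaching the modem, and why the alias-plus-exception ordering lets the modem in while every other private source stays blocked.

```python
# Added example (not from the forum thread or from pfSense): a first-match,
# stateful rule evaluator that mimics how pfSense applies interface rules.
# All interfaces, addresses and rules here are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Alias equivalent to podilarius's three-network alias (RFC 1918 space).
PRIVATE_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed addresses (assumption, not from the thread).
LAN_NET = "10.10.0.0/16"
LAN_HOST = "10.10.0.5"
MODEM_IP = "192.168.1.1"
WAN_IP = "192.168.1.10"


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet ENTERS the firewall on
    src: str
    dst: str


@dataclass
class Rule:
    iface: str
    action: str  # "pass" or "block"
    src: tuple = ("0.0.0.0/0",)
    dst: tuple = ("0.0.0.0/0",)
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.iface == self.iface
            and any(ip_address(pkt.src) in ip_network(n) for n in self.src)
            and any(ip_address(pkt.dst) in ip_network(n) for n in self.dst)
        )


class Firewall:
    """First-match ruleset with a state table (pfSense rules are 'quick')."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # (src, dst) pairs of accepted flows

    def filter(self, pkt: Packet) -> str:
        # Reply traffic is matched against existing states BEFORE the ruleset;
        # this is why block rules on WAN never stop replies from the modem.
        if (pkt.dst, pkt.src) in self.states:
            return "pass (state)"
        for r in self.rules:
            if r.matches(pkt):
                if r.action == "pass":
                    self.states.add((pkt.src, pkt.dst))
                return f"{r.action} ({r.note})"
        return "block (default deny)"


RULESETS = {
    # Two manual block rules on WAN, nothing above them (bfts's attempt).
    "wan_blocks_only": [
        Rule("wan", "block", src=("192.168.0.0/16",), note="manual block 192.168.0.0/16"),
        Rule("wan", "block", src=("10.0.0.0/8",), note="manual block 10.0.0.0/8"),
        Rule("lan", "pass", src=(LAN_NET,), note="default allow LAN"),
    ],
    # podilarius's layout: modem exception ABOVE the private-alias block.
    "modem_exception": [
        Rule("wan", "pass", src=(MODEM_IP,), note="allow modem"),
        Rule("wan", "block", src=PRIVATE_NETS, note="block private alias"),
        Rule("lan", "pass", src=(LAN_NET,), note="default allow LAN"),
    ],
}


def run(name: str) -> dict:
    """Push four constructed packets through the named ruleset, in order."""
    fw = Firewall(RULESETS[name])
    return {
        # LAN host opens a connection to the modem: filtered on LAN ingress.
        "lan_to_modem": fw.filter(Packet("lan", LAN_HOST, MODEM_IP)),
        # Modem's reply enters on WAN: state match, WAN rules never consulted.
        "modem_reply": fw.filter(Packet("wan", MODEM_IP, LAN_HOST)),
        # Unsolicited packet from some other private source on WAN.
        "unsolicited_private": fw.filter(Packet("wan", "192.168.5.7", WAN_IP)),
        # Unsolicited packet from the modem itself on WAN.
        "unsolicited_modem": fw.filter(Packet("wan", MODEM_IP, WAN_IP)),
    }


if __name__ == "__main__":
    for name in RULESETS:
        print(name)
        for flow, verdict in run(name).items():
            print(f"  {flow:20s} -> {verdict}")
```

Under both rulesets the LAN host reaches the modem and the reply comes back on a state match; the only thing the WAN rules decide is what unsolicited traffic from the modem side may start a connection, and there the ordering of the pass rule above the alias block is what makes the single exception work. In real pfSense the "Block Private Networks" checkbox generates rules that sit ahead of every user rule, which is why the exception has to be built from an alias and user rules instead.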
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.