Access 'private' ip via wan port…

  • Hi,

    We have a multi-wan bundler in front of our pfsense wan if.  The bundler box has ip and it has given pfsense's wan if ip through DHCP.  So far so good.

    However when I try to access the bundler at from the pfsense lan net I cannot get through.  I can log in to pfsense at so there is no routing problem.

    I suspect that the apparent blocking of the subnet is due to the checked 'Block private networks' in the pfsense wan firewall rule.

    But I thought that this rule (like fw rules generally) handles / treats traffic coming IN to the interface and not traffic getting out from pfsense via the wan if and further to its subnet.

    Please can someone enlighten me on how we can get access to the wan subnet device (our bundler) from pfsense while still blocking all other private networks.



  • Uncheck the checkbox "Block private networks"

    Create an Alias that contains all subnets you want blocked except the IP of your loadbalancer

    Create a rule on LAN at the top (above all other rules) that blocks traffic with source any and destination "youralias".

    As long as you don't have a rule on the WAN-tab everything is being blocked.

    Alternatively your Alias could contain all private subnets and you just create an additional allow rule for your balancer above the block rule.
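
The two rule layouts from the reply above, worked through as an added example that is not part of the original thread: it computes the alias entries for "all private subnets except the balancer" and checks that this gives the same decisions as a pass rule placed above a block-all-private rule. The balancer address `192.168.1.1` is a constructed placeholder because the thread does not give the real one, and the top-down first-match evaluation with a default of "pass" for non-matching traffic is a simplifying assumption about the rest of the LAN rule set.

```python
import ipaddress

# The private ranges the thread refers to (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

BALANCER = "192.168.1.1"  # constructed placeholder, not from the thread


def alias_excluding(host, ranges=RFC1918):
    """CIDR blocks covering `ranges` minus the single address `host`."""
    hole = ipaddress.ip_network(f"{host}/32")
    blocks = []
    for net in ranges:
        if hole.subnet_of(net):
            # Split the containing range around the one excluded address.
            blocks.extend(net.address_exclude(hole))
        else:
            blocks.append(net)
    return sorted(blocks)


def first_match(rules, dst, default="pass"):
    """Top-down evaluation: the first rule whose networks contain dst wins.
    `default` stands in for the remaining LAN rules (assumed to pass)."""
    addr = ipaddress.ip_address(dst)
    for action, nets in rules:
        if any(addr in net for net in nets):
            return action
    return default


def compare(balancer, destinations):
    """Return {dst: (option_a, option_b)} for the two layouts in the reply."""
    option_a = [("block", alias_excluding(balancer))]
    option_b = [("pass", [ipaddress.ip_network(f"{balancer}/32")]),
                ("block", RFC1918)]
    return {d: (first_match(option_a, d), first_match(option_b, d))
            for d in destinations}


if __name__ == "__main__":
    for entry in alias_excluding(BALANCER):
        print(entry)  # entries to paste into the alias for option A
    sample = [BALANCER, "192.168.1.2", "10.1.2.3", "172.16.0.5", "8.8.8.8"]
    for dst, result in compare(BALANCER, sample).items():
        print(dst, result)
```

Excluding a single host from a /16 splits it into 16 smaller blocks, so the first layout needs 18 alias entries where the second needs two rules.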

  • Thanks for the tip.  Will try that.

    However does this mean that the wan interface is treated differently from the other interfaces with regard to rules?  If I haven't misunderstood completely, firewall rules for a nic normally affect traffic coming in from the nic cable into the firewall.

    In this case we're talking about traffic out from the firewall via the wan nic and out into the wan nic cable.  So really in this case we need rules to allow outgoing traffic..?



  • Generally the WAN port will have a real ip and so any packets with private ip addresses will be unwanted (forged/part of attack etc) so by default all rfc1918 packets should be blocked.
