Access 'private' ip via wan port…



  • Hi,

    We have a multi-wan bundler in front of our pfsense wan if.  The bundler box has ip 192.168.10.1 and it has given pfsense's wan if ip 192.168.10.11 through DHCP.  So far so good.

    However when I try to access the bundler at 192.168.10.1 from the pfsense lan net I cannot get through.  I can log in to pfsense at 192.168.10.11 so there is no routing problem.

    I suspect that the apparent blocking of the 192.168.10.0 subnet is due to the checked 'Block private networks' in the pfsense wan firewall rule.

    But I thought that this rule (as fw rules generally) handles / treats traffic coming IN to the interface, and not traffic going out from pfsense via the wan if and on to its 192.168.10.0 subnet.

    Please can someone enlighten me on how we can get access to the wan subnet device (our bundler) from pfsense while still blocking all other private networks.

    rgds

    tor



  • Uncheck the checkbox "Block private networks"

    Create an Alias that contains all subnets you want blocked except the IP of your loadbalancer

    Create a rule on LAN at the top (above all other rules) that blocks traffic with source any and destination "youralias".

    As long as you don't have a rule on the WAN tab, everything is being blocked.

    Alternatively your Alias could contain all private subnets and you just create an additional allow rule for your balancer above the block rule.
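    The ruleset the reply describes, written out as an added pf illustration (not rules generated by pfSense or posted by the author; interface names, the balancer address and the web ports are assumed):

    ```pf
    # Assumed interface names and balancer address (constructed example)
    wan = "em0"
    lan = "em1"
    balancer = "192.168.10.1"

    # The alias: every RFC1918 range, with the balancer carved out.
    # pf tables accept "!" entries, so the single-table variant works here;
    # in the pfSense GUI you would instead add the allow rule shown below.
    table <private_nets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, !192.168.10.1 }

    # "Block private networks" is left unchecked, so nothing on WAN blocks the
    # return traffic from the balancer; WAN still has no pass rule of its own,
    # meaning unsolicited inbound connections on WAN stay blocked by default.
    block in on $wan all

    # Second variant from the reply: explicitly allow the balancer first, then
    # block the rest of the private space, then the normal LAN outbound pass.
    pass in quick on $lan proto tcp from $lan:network to $balancer port { 80, 443 } keep state
    block in quick on $lan from any to <private_nets>
    pass in quick on $lan from $lan:network to any keep state
    ```

    Because the rules are evaluated on the LAN interface where the packets enter the firewall, this keeps the "rules filter inbound on the interface" model the thread discusses while still reaching the bundler.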



  • Thanks for the tip.  Will try that.

    However, does this mean that the wan interface is treated differently from the other interfaces with regard to rules?  If I haven't misunderstood completely, firewall rules for a nic normally affect traffic coming in from the nic cable into the firewall.

    In this case we're talking about traffic out from the firewall via the wan nic and out into the wan nic cable.  So really, in this case, we need rules to allow outgoing traffic?

    regards

    tor



  • Generally the WAN port will have a real IP, so any packets with private IP addresses will be unwanted (forged, part of an attack, etc.); by default all RFC1918 packets should therefore be blocked.

