Netgate Discussion Forum
    Access 'private' ip via wan port…

      bushtor

      Hi,

      We have a multi-wan bundler in front of our pfsense wan if.  The bundler box has ip 192.168.10.1 and it has given pfsense's wan if ip 192.168.10.11 through DHCP.  So far so good.

      However when I try to access the bundler at 192.168.10.1 from the pfsense lan net I cannot get through.  I can log in to pfsense at 192.168.10.11 so there is no routing problem.

      I suspect that the apparent blocking of the 192.168.10.0 subnet is due to the checked 'Block private networks' in the pfsense wan firewall rule.

      But I thought that this rule (as fw rules generally) handles / treats traffic coming IN to the interface and not traffic getting out from pfsense via the wan if and further to its 192.168.10.0 subnet.

      Please can someone enlighten me on how we can get access to the wan subnet device (our bundler) from pfsense while still blocking all other private networks.

      rgds

      tor

        GruensFroeschli

        Uncheck the checkbox "Block private networks".

        Create an Alias that contains all subnets you want blocked except the IP of your loadbalancer.

        Create a rule on LAN at the top (above all other rules) that blocks traffic with source any and destination "youralias".

        As long as you don't have a rule on the WAN-tab everything is being blocked.

        Alternatively your Alias could contain all private subnets and you just create an additional allow rule for your balancer above the block rule.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

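A small model of the two LAN rule layouts suggested in the reply above, added here as an example and not part of the original post or of pfSense itself. It assumes first-match evaluation of the LAN rules and a trailing allow-any LAN rule; the function and variable names are made up for illustration. It also shows what the first variant's alias (all private subnets except the balancer) expands to in CIDR entries.

```python
import ipaddress as ip

# RFC 1918 private ranges and the bundler address quoted in the thread.
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUNDLER = ip.ip_address("192.168.10.1")
ANY = [ip.ip_network("0.0.0.0/0")]


def alias_excluding(host):
    """Variant 1 alias: the RFC 1918 space minus one host, as CIDR blocks."""
    blocks = []
    for net in RFC1918:
        if host in net:
            # Carving a /32 out of a /16 leaves one sibling block per prefix length.
            blocks.extend(net.address_exclude(ip.ip_network(f"{host}/32")))
        else:
            blocks.append(net)
    return sorted(blocks)


def evaluate(rules, dst):
    """Return the action of the first rule whose destination matches.

    Falls through to "block" when nothing matches (default deny).
    """
    dst = ip.ip_address(dst)
    for action, nets in rules:
        if any(dst in net for net in nets):
            return action
    return "block"


# Variant 1: block rule at the top of LAN using the "everything but the balancer" alias.
# The trailing pass-any rule is an assumption (a typical default LAN allow rule).
LAN_RULES_V1 = [("block", alias_excluding(BUNDLER)), ("pass", ANY)]

# Variant 2: alias holds all private subnets; an allow rule for the balancer sits above it.
LAN_RULES_V2 = [
    ("pass", [ip.ip_network(f"{BUNDLER}/32")]),
    ("block", RFC1918),
    ("pass", ANY),
]

if __name__ == "__main__":
    # Constructed sample destinations: bundler, WAN-subnet neighbour, other private, public.
    for dst in ("192.168.10.1", "192.168.10.2", "10.1.2.3", "203.0.113.5"):
        print(dst, evaluate(LAN_RULES_V1, dst), evaluate(LAN_RULES_V2, dst))
    print("variant 1 alias entries:", len(alias_excluding(BUNDLER)))
```

Both layouts give the same verdicts; the second needs only the three RFC 1918 networks plus one host rule, while the first needs the carved-up alias.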
          bushtor

          Thanks for the tip.  Will try that.

          However, does this mean that the wan interface is treated differently from the other interfaces with regard to rules?  If I haven't misunderstood completely, firewall rules for a nic normally affect traffic coming in from the nic cable into the firewall.

          In this case we're talking about traffic out from the firewall via the wan nic and out into the wan nic cable.  So really in this case we need rules to allow outgoing traffic..?

          regards

          tor

            sai

            Generally the WAN port will have a real ip and so any packets with private ip addresses will be unwanted (forged/part of attack etc) so by default all rfc1918 packets should be blocked.
