Netgate Discussion Forum

    Confusing firewall rule logic. Can't set destination to WAN net

    Firewalling | 20 Posts 5 Posters 5.4k Views
    • router_wang

      When setting firewall rules for the OPT1 interface, I can have a rule for port 80 traffic that has the destination as NOT LAN network, but I cannot set the destination to WAN net. Why won't pfSense let me set the destination as WAN net? (I CAN set destination to WAN net, but then no traffic passes.)

      • KOM

        What is it that you're trying to do?

        • router_wang

          @KOM:

          What is it that you're trying to do?

          If you set up a port 80 rule on the OPT1 interface, for example, you have to use ANY, or if you want to keep it out of the LAN you have to use NOT LAN.
          I'm wondering why you can't just tell it the WAN is the destination to accomplish the same thing.

          • johnpoz LAYER 8 Global Moderator

            I'm with KOM, what is it you're trying to do?  Normally you would not set a rule to WAN net if used as your gateway router in a home setup, because the WAN net would be the network your ISP assigned you only.  If you were using pfSense as, say, a downstream router in your network, then OK, that sort of rule might make sense.

            So what exactly are you trying to accomplish and how is your network setup?

            But clearly you can set destination to WAN net - it's right there in the drop-down list.  Are you saying you don't see WAN net in the drop-down?

            [screenshot: wannetdestdropdown.png, the destination drop-down showing WAN net]

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            • Derelict LAYER 8 Netgate

              WAN net is just what it says, the network configured on the WAN interface and nothing else.  So if you set a firewall rule with a destination of WAN net that's all you will be able to talk to.  Nothing else.

              Refer to the diagram in my signature.

              Working on pfSense A, if I put a firewall rule on LAN with source LAN net, dest WAN net, the only traffic that will pass is traffic with 172.27.0.0/24 as its destination.  This does NOT include traffic that might be routed to 172.27.0.1 for routing out somewhere else.

              You want "dest any" to route to the internet.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • router_wang

                @johnpoz:

                I'm with KOM, what is it you're trying to do?  Normally you would not set a rule to WAN net if used as your gateway router in a home setup, because the WAN net would be the network your ISP assigned you only.  If you were using pfSense as, say, a downstream router in your network, then OK, that sort of rule might make sense.

                So what exactly are you trying to accomplish and how is your network setup?

                But clearly you can set destination to WAN net - it's right there in the drop-down list.  Are you saying you don't see WAN net in the drop-down?

                I'm saying that "destination WAN" is perceived as "destination internet". There is no selection to tell it that you only want the destination to be the internet and not anywhere else, as in NOT your other networks. The NOT only works with one selection at a time.

                • Derelict LAYER 8 Netgate

                  In 2.2 you will be able to say the equivalent of "not local networks."

                  • router_wang

                    @Derelict:

                    You want "dest any" to route to the internet.

                    That is the problem. Destination "ANY" goes to all your networks. There needs to be Destination "Internet" to only go out to the internet.

                    • Derelict LAYER 8 Netgate

                      @router_wang:

                      I'm saying that "destination WAN" is perceived as "destination internet".

                      That is an erroneous perception.

                      There is no selection to tell it that you only want the destination to be the internet and not anywhere else, as in NOT your other networks. The NOT only works with one selection at a time.

                      You can define an alias with hundreds or thousands of networks and say "not my_alias."

                      • router_wang

                        @Derelict:

                        In 2.2 you will be able to say the equivalent of "not local networks."

                        Thanks!

                        • johnpoz LAYER 8 Global Moderator

                          "I'm saying that "destination WAN" is perceived as "destination internet""

                          Says who??  Clearly someone that has no basic understanding of networking at all..

                          If you want a rule to allow internet access, but none of your local networks - then it's simple enough to create an alias with the local networks you don't want to access.. For example, that is what I have on my DMZ.

                          But no, dest WAN would not be seen as internet.

                          [screenshot: internetnotlocal.png, a DMZ rule with destination NOT a local-networks alias]

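The point Derelict makes above (a "WAN net" destination is only the 172.27.0.0/24 subnet on the WAN interface) and the alias approach Derelict and johnpoz recommend, as an added example that is not code from the thread or from pfSense: a small Python model of the prefix check pf performs on a rule's destination field. The LAN and OPT1 subnets, the alias contents and the sample destination addresses are constructed for illustration.

```python
# Added example (not from the thread): model how a rule's destination
# field is matched against a packet's destination IP, for three choices
# discussed in the thread: "WAN net", "any" and "NOT <local-nets alias>".
from ipaddress import ip_address, ip_network

# Assumed interface subnets of a hypothetical firewall. The WAN subnet is
# Derelict's 172.27.0.0/24; LAN and OPT1 are constructed for this example.
IFACE_NETS = {
    "WAN": ip_network("172.27.0.0/24"),
    "LAN": ip_network("192.168.1.0/24"),
    "OPT1": ip_network("192.168.2.0/24"),
}

# The alias the moderators recommend: every local network the OPT1 hosts
# must not reach. Derelict notes an alias may hold hundreds of networks;
# three are enough to show the mechanism.
LOCAL_NETS_ALIAS = [IFACE_NETS["WAN"], IFACE_NETS["LAN"], IFACE_NETS["OPT1"]]


def dest_matches(rule_dest, dst_ip):
    """Return True if dst_ip satisfies the rule's destination field.

    rule_dest is one of:
      ("any",)                 -> matches every destination
      ("net", network)         -> e.g. "WAN net": only that subnet
      ("not_alias", [nets...]) -> "NOT my_alias": anything outside all nets
    Matching is a longest-prefix (bit-mask) test on the packet's
    destination IP only; the next hop the packet will be routed to
    plays no part, which is why "WAN net" does not mean "internet".
    """
    kind = rule_dest[0]
    ip = ip_address(dst_ip)
    if kind == "any":
        return True
    if kind == "net":
        return ip in rule_dest[1]
    if kind == "not_alias":
        return not any(ip in net for net in rule_dest[1])
    raise ValueError(f"unknown destination kind {kind!r}")


def evaluate(rule_dest, dst_ips):
    """Map each candidate destination IP to whether the rule passes it."""
    return {ip: dest_matches(rule_dest, ip) for ip in dst_ips}


# Constructed sample destinations: a public host, a host on the WAN subnet,
# the WAN gateway address, and a host on LAN.
SAMPLE_DESTS = ["93.184.216.34", "172.27.0.50", "172.27.0.1", "192.168.1.10"]

if __name__ == "__main__":
    for name, rule in [("WAN net", ("net", IFACE_NETS["WAN"])),
                       ("any", ("any",)),
                       ("NOT local_nets", ("not_alias", LOCAL_NETS_ALIAS))]:
        print(f"{name:>15}: {evaluate(rule, SAMPLE_DESTS)}")
```

Only the "NOT local_nets" rule passes the public address while blocking every local subnet; "WAN net" passes nothing beyond 172.27.0.0/24, and "any" passes LAN traffic too.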
                          • router_wang

                            @johnpoz:

                            "I'm saying that "destination WAN" is perceived as "destination internet""

                            Says who??  Clearly someone that has no basic understanding of networking at all..

                            Or an acronym whose use is not clear at all. The Internet can be considered a WAN as well, and is used by businesses, governments, organizations, and individuals for almost any purpose imaginable. There is a LAN port, WAN port, and OPT1 port on my APU1C. The rules regarding LAN and OPT1 are clear, so I assumed the nomenclature regarding "WAN" was clear as well.

                            By all means, please elaborate on my lack of basic networking at all.

                            • KOM

                              To pf, the stateful firewall in FreeBSD that is the heart of pfSense, WAN Net means only your WAN subnet and not the entire Internet.  I also made this same mistake once.  Use John & Derelict's suggestion of using an alias to hold all the local networks you want to deny access to.  Lastly, don't take it personally.  Johnpoz and Derelict are two of the top 5 people here for sure when it comes to network knowledge and pfSense, but sometimes our answers are a little rough around the edges.

                              • router_wang

                                @KOM:

                                To pf, the stateful firewall in FreeBSD that is the heart of pfSense, WAN Net means only your WAN subnet and not the entire Internet.  I also made this same mistake once.  Use John & Derelict's suggestion of using an alias to hold all the local networks you want to deny access to.  Lastly, don't take it personally.  Johnpoz and Derelict are two of the top 5 people here for sure when it comes to network knowledge and pfSense, but sometimes our answers are a little rough around the edges.

                                The insults are inexcusable. My network experience goes all the way back to a freakin Apple Cat modem. And in all the years since, I have never degenerated to crapping on people asking for information. I hope the "elites" around here can grasp the fact that the majority of the user base is going to be your average Joe and not the sysadmin with a Cisco cert.

                                Build the user base with Honey. Not Vinegar.

                                • johnpoz LAYER 8 Global Moderator

                                  Sorry, but I just call it like I see it.. It says WAN net..  What other network would it be talking about??  So you grasp that LAN "net" means the network attached to the LAN interface.. Why would WAN "net" mean "internet"??

                                  In what firewall have you ever seen a specification of WAN net to mean all networks other than local? You need to state the actual network or IP that you want as source and destination, or ANY is the standard phrase for anything..  If you're not going to be specific then ANY would be used..

                                  As to crapping on people – How is providing you with an exact example how to accomplish what you want crapping on anyone?  For all your years of experience you sure have a pretty thin skin..  Sorry but if anyone seems elitist -- might want to look in a mirror..  OMG the guy on the internet didn't slob all over my knob when I asked a question, he made a crack about the nomenclature used being clear to anyone with a basic grasp of the concepts being discussed..  What an elitist prick he must be!! :rolleyes:

                                  "I have never degenerated to crapping on people asking for information"

                                  That sure seems obvious from your clearly neg trending karma ;)  Did you use up all your honey elsewhere?

                                  • router_wang

                                    @johnpoz:

                                    OMG the guy on the internet didn't slob all over my knob when I asked a question, he made a crack about the nomenclature used being clear to anyone with a basic grasp of the concepts being discussed..  What an elitist prick he must be!! :rolleyes:

                                    Enjoy lording over your little kingdom and bathing in your own ego. It does nothing to expand the user base. It does nothing to promote the goodwill of the project. It serves no purpose other than to satisfy your need for attention. Good luck with that.

                                    • Harvy66

                                      @router_wang:

                                      @johnpoz:

                                      "I'm saying that "destination WAN" is perceived as "destination internet""

                                      Says who??  Clearly someone that has no basic understanding of networking at all..

                                      Or an acronym whose use is not clear at all. The Internet can be considered a WAN as well, and is used by businesses, governments, organizations, and individuals for almost any purpose imaginable. There is a LAN port, WAN port, and OPT1 port on my APU1C. The rules regarding LAN and OPT1 are clear, so I assumed the nomenclature regarding "WAN" was clear as well.

                                      By all means, please elaborate on my lack of basic networking at all.

                                      It seemed quite obvious to me. It's just a bit-mask check. pfSense is built by people with a great understanding of networks and is biased towards that demographic. Many times making something easier for the layman makes it harder for the professional. I don't want my firewall second-guessing or doing something implicitly.

                                      Also, "WAN" is just a name you give to an interface; it has no bearing on whether it's "the internet". If you think of all interfaces as just being "Opt1", "Opt2", etc., then it makes perfect sense. "WAN" gets no special treatment just because of its name.

                                      edit: Forgot to add, in a core router, all interfaces can be "the internet". The concept of "the internet" is a bit overly simplistic.

                                      • johnpoz LAYER 8 Global Moderator

                                        Dude, you really need to check your med levels or something..

                                        • Derelict LAYER 8 Netgate

                                          It appears I misspoke.  I just took a look at 2.2-BETA and, while there is a new selection for all defined interface addresses on the firewall (This Firewall (self)), there is not a new selection for all local networks.  So it looks like we'll have to continue to maintain an alias for that.

                                          • johnpoz LAYER 8 Global Moderator

                                            Check your PM, wang – you know it doesn't take a brain surgeon to notice that every time my smite level changes you have just recently logged in..  Bit childish, don't you think.. :rolleyes:
