Netgate Discussion Forum
Confusing firewall rule logic. Can't set destination to WAN net

Category: Firewalling
20 Posts, 5 Posters, 5.5k Views
johnpoz LAYER 8 Global Moderator
last edited by Dec 3, 2014, 6:38 PM

I'm with KOM, what is it you're trying to do? Normally you would not set a rule to wan net if used as your gateway router in a home setup, because the wan net would be the network your ISP assigned you only. If you were using pfsense as say a downstream router in your network then ok that sort of rule might make sense.

So what exactly are you trying to accomplish and how is your network setup?

But clearly you can set destination to wan net - it's right there in the drop-down list. Are you saying you don't see wan net in the drop-down?

[Screenshot: wannetdestdropdown.png]

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
Derelict LAYER 8 Netgate
last edited by Dec 3, 2014, 6:39 PM

WAN net is just what it says, the network configured on the WAN interface and nothing else. So if you set a firewall rule with a destination of WAN net that's all you will be able to talk to. Nothing else.

Refer to the diagram in my signature.

Working on pfSense A, if I put a firewall rule on LAN with source LAN net dest WAN net the only traffic that will pass is traffic with 172.27.0.0/24 as its destination. This does NOT include traffic that might be routed to 172.27.0.1 for routing out somewhere else.

You want "dest any" to route to the internet.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
router_wang
last edited by Dec 3, 2014, 6:43 PM

@johnpoz:

I'm with KOM, what is it you're trying to do? Normally you would not set a rule to wan net if used as your gateway router in a home setup, because the wan net would be the network your ISP assigned you only. If you were using pfsense as say a downstream router in your network then ok that sort of rule might make sense.

So what exactly are you trying to accomplish and how is your network setup?

But clearly you can set destination to wan net - it's right there in the drop-down list. Are you saying you don't see wan net in the drop-down?

I'm saying that "destination WAN" is perceived as "destination internet". There is no selection to tell it that you only want the destination to be the internet and not anywhere else, as in NOT your other networks. The NOT only works with one selection at a time.
Derelict LAYER 8 Netgate
last edited by Dec 3, 2014, 6:44 PM

In 2.2 you will be able to say the equivalent of "not local networks."
router_wang
last edited by Dec 3, 2014, 6:45 PM

@Derelict:

You want "dest any" to route to the internet.

That is the problem. Destination "ANY" goes to all your networks. There needs to be Destination "Internet" to only go out to the internet.
Derelict LAYER 8 Netgate
last edited by Dec 3, 2014, 6:46 PM

@router_wang:

I'm saying that "destination WAN" is perceived as "destination internet".

That is an erroneous perception.

There is no selection to tell it that you only want the destination to be the internet and not anywhere else, as in NOT your other networks. The NOT only works with one selection at a time.

You can define an alias with hundreds or thousands of networks and say "not my_alias."
router_wang
last edited by Dec 3, 2014, 6:46 PM

@Derelict:

In 2.2 you will be able to say the equivalent of "not local networks."

Thanks!
johnpoz LAYER 8 Global Moderator
last edited by Dec 3, 2014, 7:00 PM

"I'm saying that "destination WAN" is perceived as "destination internet""

Says who?? Clearly someone that has no basic understanding of networking at all..

If you want a rule to allow internet access, but none of your local networks - then simple enough to create an alias with the local networks you don't want to access.. For example that is what I have on my dmz.

But no dest wan would not be seen as internet.

[Screenshot: internetnotlocal.png]
router_wang
posted Dec 3, 2014, 7:39 PM (last edited Dec 3, 2014, 7:42 PM)

@johnpoz:

"I'm saying that "destination WAN" is perceived as "destination internet""

Says who?? Clearly someone that has no basic understanding of networking at all..

Or an acronym whose use is not clear at all. The Internet can be considered a WAN as well, and is used by businesses, governments, organizations, and individuals for almost any purpose imaginable. There is a LAN port, WAN port, and OPT1 port on my APU1C. The rules regarding LAN and OPT1 are clear, so I assumed the nomenclature regarding "WAN" was clear as well.

By all means, please elaborate on my lack of basic networking at all.
KOM
last edited by Dec 3, 2014, 7:51 PM

To pf, the stateful firewall in FreeBSD that is the heart of pfSense, WAN Net means only your WAN subnet and not the entire Internet. I also made this same mistake once. Use John & Derelict's suggestion of using an alias to hold all the local networks you want to deny access to. Lastly, don't take it personally. Johnpoz and Derelict are two of the top 5 people here for sure when it comes to network knowledge and pfSense, but sometimes our answers are a little rough around the edges.
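To make the distinction concrete, here is an added Python model (not code from the thread, and not pfSense's own code) of how pf's first-match destination check treats the three rule variants discussed above: destination WAN net, destination any, and destination NOT an alias of local networks. The 172.27.0.0/24 WAN subnet follows Derelict's example; the LAN and OPT1 subnets and the alias name local_nets are assumptions.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed topology, following Derelict's example: pfSense A's WAN interface
# sits on 172.27.0.0/24. The LAN and OPT1 subnets are assumed for illustration.
WAN_NET = ipaddress.ip_network("172.27.0.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")
# Hypothetical alias "local_nets": every directly attached network that LAN
# hosts should NOT be able to reach (the WAN subnet included, since it is
# only the upstream link, not "the internet").
LOCAL_NETS = [OPT1_NET, WAN_NET]


def in_any(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """The bit-mask check Harvy66 refers to: is addr inside any of nets?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


# A rule is (action, destination matcher). pfSense writes every interface rule
# with 'quick', so pf stops at the first matching rule, top to bottom.
Rule = Tuple[str, Callable[[str], bool]]


def first_match(rules: List[Rule], dst: str) -> str:
    for action, matches in rules:
        if matches(dst):
            return action
    return "block"  # pfSense's implicit default deny


# The rule the original poster wrote: pass LAN net -> WAN net.
RULES_WAN_NET: List[Rule] = [("pass", lambda d: in_any(d, [WAN_NET]))]
# Derelict's "dest any": reaches the internet, but also every local subnet.
RULES_ANY: List[Rule] = [("pass", lambda d: True)]
# The alias approach johnpoz and KOM describe: pass LAN net -> NOT local_nets.
RULES_NOT_LOCAL: List[Rule] = [("pass", lambda d: not in_any(d, LOCAL_NETS))]


def evaluate(rules: List[Rule]) -> Dict[str, str]:
    """Run three constructed destinations (internet host, WAN-subnet host,
    OPT1 host) through a ruleset and report pass/block for each."""
    samples = ("8.8.8.8", "172.27.0.5", "192.168.2.10")
    return {d: first_match(rules, d) for d in samples}


if __name__ == "__main__":
    for name, rules in (("dest WAN net", RULES_WAN_NET), ("dest any", RULES_ANY),
                        ("dest !local_nets", RULES_NOT_LOCAL)):
        print(f"{name:18s} {evaluate(rules)}")
```

Only the alias variant passes the internet host while blocking both the WAN subnet and the OPT1 subnet, which is the behaviour the poster was asking for.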
router_wang
last edited by Dec 3, 2014, 8:01 PM

@KOM:

To pf, the stateful firewall in FreeBSD that is the heart of pfSense, WAN Net means only your WAN subnet and not the entire Internet. I also made this same mistake once. Use John & Derelict's suggestion of using an alias to hold all the local networks you want to deny access to. Lastly, don't take it personally. Johnpoz and Derelict are two of the top 5 people here for sure when it comes to network knowledge and pfSense, but sometimes our answers are a little rough around the edges.

The insults are inexcusable. My network experience goes all the way back to a freakin Apple Cat modem. And in all the years since, I have never degenerated to crapping on people asking for information. I hope the "elites" around here can grasp the fact that the majority of the user base is going to be your average Joe and not the sysadmin with a Cisco cert.

Build the user base with Honey. Not Vinegar.
johnpoz LAYER 8 Global Moderator
posted Dec 3, 2014, 8:49 PM (last edited Dec 3, 2014, 8:58 PM)

Sorry but I just call it like I see it.. It says WAN net.. What other network would it be talking about?? So you grasp that lan "net" means the network attached to the LAN interface.. Why would Wan "net" mean "internet"??

In what firewall have you ever seen specification of wan net to mean all networks other than local? You need to state the actual network or IP that you want as source and destination, or ANY is the standard phrase for anything.. If you're not going to be specific then ANY would be used..

As to crapping on people – How is providing you with an exact example how to accomplish what you want crapping on anyone? For all your years of experience you sure have a pretty thin skin.. Sorry but if anyone seems elitist -- might want to look in a mirror.. OMG the guy on the internet didn't slob all over my knob when I asked a question, he made a crack about the nomenclature used being clear to anyone with a basic grasp of the concepts being discussed.. What an elitist prick he must be!! :rolleyes:

"I have never degenerated to crapping on people asking for information"

That sure seems obvious from your clearly neg trending karma ;) Did you use up all your honey elsewhere?
router_wang
last edited by Dec 3, 2014, 9:41 PM

@johnpoz:

OMG the guy on the internet didn't slob all over my knob when I asked a question, he made a crack about the nomenclature used being clear to anyone with a basic grasp of the concepts being discussed.. What an elitist prick he must be!! :rolleyes:

Enjoy lording over your little kingdom and bathing in your own ego. It does nothing to expand the user base. It does nothing to promote the goodwill of the project. It serves no purpose other than to satisfy your need for attention. Good luck with that.
Harvy66
posted Dec 4, 2014, 6:22 PM (last edited Dec 5, 2014, 4:08 PM)

@router_wang:

@johnpoz:

"I'm saying that "destination WAN" is perceived as "destination internet""

Says who?? Clearly someone that has no basic understanding of networking at all..

Or an acronym whose use is not clear at all. The Internet can be considered a WAN as well, and is used by businesses, governments, organizations, and individuals for almost any purpose imaginable. There is a LAN port, WAN port, and OPT1 port on my APU1C. The rules regarding LAN and OPT1 are clear, so I assumed the nomenclature regarding "WAN" was clear as well.

By all means, please elaborate on my lack of basic networking at all.

It seemed quite obvious to me. It's just a bit-mask check. pfSense is built by people with great understanding of networks and is biased towards that demographic. Many times making something easier for the layman makes it harder for the professional. I don't want my firewall second guessing or doing something implicitly.

Also, "WAN" is just a name you give to an Internet, it has no bearing on if it's "the internet". If you think of all Interfaces just being "Opt1", "Opt2", etc, then it makes perfect sense. "WAN" gets no special treatment just because of its name.

edit: Forgot to add, in a Core router, all interfaces can be "the internet". The concept of "the internet" is a bit overly simplistic.
johnpoz LAYER 8 Global Moderator
last edited by Dec 5, 2014, 3:18 PM

dude you really need to check your med levels or something..
Derelict LAYER 8 Netgate
last edited by Dec 6, 2014, 6:57 AM

It appears I misspoke. I just took a look at 2.2-BETA and, while there is a new selection for all defined interface addresses on the firewall (This Firewall (self)), there is not a new selection for all local networks. So it looks like we'll have to continue to maintain an alias for that.
johnpoz LAYER 8 Global Moderator
last edited by Dec 6, 2014, 4:53 PM

Check your PM wang – you know it doesn't take a brain surgeon to notice every time my smite level changes you have just recently logged in.. Bit childish don't you think.. :rolleyes: