Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Why is block private networks enabled by default on WAN?

    Scheduled Pinned Locked Moved Development
    5 Posts 4 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DerelictD
      Derelict LAYER 8 Netgate
      last edited by

      Why is Block private networks enabled by default on WAN?

      If it's a WAN port with a public IP, traffic from private networks shouldn't be forwarded to it.

      If the WAN is on a private network, it does nothing but cause problems.

      If a WAN port has a private IP address, block traffic from private addresses but if a WAN port has a public IP address, allow traffic from public IP addresses?  I don't get it.  WAN is WAN.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      1 Reply Last reply Reply Quote 0
      • D
        doktornotor Banned
        last edited by

        @Derelict:

        If it's a WAN port with a public IP, traffic from private networks shouldn't be forwarded to it.

        Tell that to my ISP…

        1 Reply Last reply Reply Quote 0
        • K
          kejianshi
          last edited by

          Yeah - If ISPs were sane at all it would fix many problems.

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            But what's the difference?  Unsolicited traffic is unsolicited traffic.  The default deny any any rule blocks it whether it's public or RFC1918.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • H
              heper
              last edited by

              some cable providers/modems send out private ip's by dhcp when the coax-line goes down …
              so then pfsense would get a private ip and might think it's gateway is online when it isnt

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.