Private Network question



  • Hi guys,
    I was wondering if someone can explain to me if it is possible to turn those options on on the WAN and LAN side:

    Block private networks?
    Block bogon networks?

    Thank you



  • You can enable them on the NIC itself. Though if you did this on your LAN you wouldn't be able to get any outbound traffic through the firewall. So I wouldn't recommend it.



  • @muswellhillbilly:

    You can enable them on the NIC itself. Though if you did this on your LAN you wouldn't be able to get any outbound traffic through the firewall. So I wouldn't recommend it.

    Having them off on both sides "LAN, WAN" wouldn't have any security impact?



  • @cyberbot:

    @muswellhillbilly:

    You can enable them on the NIC itself. Though if you did this on your LAN you wouldn't be able to get any outbound traffic through the firewall. So I wouldn't recommend it.

    Having them off on both sides "LAN, WAN" wouldn't have any security impact?

    It depends on your network configuration.  A typical installation, say at one's home, would have the WAN of the pfSense box connected to the output of a cable modem.  The LAN side of the pfSense box is your home network.  Your LAN side will not have any public IPs, so you probably have addresses in the RFC private ranges (192.168.x.x, 10.x.x.x, 172.16.x.x, etc).  If you block those on the LAN side your traffic will NOT go out to the internet.  Where blocking private/bogon addresses makes sense is on the WAN side:  RFCs call them "non-routable addresses" because they should not be routed to the world.

    Your LAN side is 192.168.137.0/24.
    If you see a packet come in WAN with a source address of 192.168.137.0/24 it means you have a leak from your LAN to your WAN side or someone has spoofed that address and gotten it to your WAN port.
    If you see a packet with source address of 192.168.137.0/24 hit your LAN port, well that's what you'd expect.  For it to go to the world, it would likely get NATted and go out the WAN to the "world".

    As stated above, block private/bogon networks inbound on WAN, or simply let the default deny do its job.



  • @cyberbot:

    Having them off on both sides "LAN, WAN" wouldn't have any security impact?

    Your original question was whether it was possible to enable blocking private and bogon networks on both the LAN and WAN interfaces. If what you meant was whether it was possible to DISable these rules on both, then again the answer is 'yes'. But I wouldn't recommend it. Private network address ranges have no business on the WAN side, so as mer suggests, it would be best if you left these rules 'as is'.


  • Rebel Alliance Global Moderator

    You're going to run into lots of issues trying to block bogons on the LAN..  Really would not suggest you do that.

    To be honest I don't really see the point on the WAN either; as mentioned, they are not valid networks on the WAN..  So why would there be any traffic from them?  By default your WAN blocks all traffic anyway that is not in answer to a state or forwarded/allowed in.  So blocking bogons would only be valid in blocking to what you have opened.  How much traffic do you think that is going to be?  And since it's not routable anyway.. it could only come from your ISP network, or a spoof that could never see the return traffic anyway, etc.


  • Netgate

    On LAN just make all your pass rules source LAN net if not something more specific depending on your requirements and leave block private networks and bogons unchecked on the interface.

    That will source-limit your LAN to only those IP addresses and traffic from other private networks and any bogons, should any happen to occur, will be blocked by the default rule.



  • Thank you guys for the explanation.
    MER, your answer explains more to me, thanks so much.
    Now I understand those two options there.
    Much appreciated, guys.
    Block private networks only if the pfSense is receiving the IP on the WAN side directly from the ISP; then it makes sense to block the private networks and bogon networks.

    thank you guys



  • No problem.  It always helps me to draw a picture of the network, which addresses on which interface.  The other thing to remember is default deny.  Don't over-complicate things; remember "unless I allow it, it should be blocked".  The default set of rules (take out or disable all the user ones on all interfaces) is beautiful in a geeky way:  everything originating on WAN inbound is denied, everything on LAN outbound is allowed, so the only thing inbound on WAN should be a response to an outbound LAN.  People tend to over-complicate it.  Get familiar with packet sniffing on different interfaces.  Setting these things up is not too hard, but very hard to do correctly/well.
    Lots of credit to the people who put in the effort to make it easier to use.



  • @cyberbot:

    Hi guys,
    I was wondering if someone can explain to me if it is possible to turn those options on on the WAN and LAN side:

    Block private networks?
    Block bogon networks?

    Thank you

    If the pfSense WAN interface is internet facing then both Block private networks and Block bogon networks can be enabled.  A matter of opinion whether or not they should be or need to be and their value.

    On the LAN that uses any of the private reserved address space it should be obvious that Block private networks would effectively disable the LAN.

    Blocking bogons, on the other hand, should be okay on the LAN if pfSense does not provide DHCP on the LAN interface.  The bogons list contains the Local Identification network (0.0.0.0/8), which would block DHCP requests from clients.  Though the benefit of blocking bogon sources on the LAN in most situations would be sort of silly.  Why would there be clients on your LAN using bogon address space?

    Remember those lists block inbound packets based on source address.  They should have no effect on either outbound traffic or destination addresses.
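    The following model is an added illustration and not pfSense code or anything posted in this thread. It plays through the points made by mer (a 192.168.137.0/24 source arriving on WAN versus on LAN, and letting the default deny do its job), by the Netgate reply (pass rules with source "LAN net" and the interface options left unchecked), and by the last post (the 0.0.0.0/8 bogon entry stopping DHCP requests on a LAN that serves DHCP). The private-network list is an approximation of the RFC 1918 ranges named in the thread, the bogon list is a constructed two-entry subset of the real downloaded list, and the implicit DHCP allow is a simplified stand-in for the rules pfSense adds automatically when its DHCP server is enabled; the rule ordering is likewise a simplification.

```python
"""Constructed model of pfSense-style per-interface source-address filtering.

Added illustration, not pfSense code. An inbound packet is checked against
the interface's "Block private networks" and "Block bogon networks" options,
then the interface's pass rules, then the default deny. The lists, the
implicit DHCP allow and the rule ordering are simplifications.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IPNet = ipaddress.IPv4Network

# RFC 1918 ranges named in the thread (approximation of the real option,
# which also covers a few other reserved ranges).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed subset of a bogon list; 0.0.0.0/8 is the entry the thread
# discusses, 240.0.0.0/4 is reserved address space.
BOGON_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "240.0.0.0/4")]


@dataclass
class Packet:
    iface: str            # interface the packet arrives on ("WAN" or "LAN")
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass
class Interface:
    name: str
    net: Optional[IPNet]                   # the interface subnet ("LAN net"); None on WAN
    block_private: bool = False            # "Block private networks" checkbox
    block_bogons: bool = False             # "Block bogon networks" checkbox
    dhcp_server: bool = False              # stand-in for pfSense's implicit DHCP rules
    pass_sources: List[IPNet] = field(default_factory=list)  # user pass rules by source


def _in_any(addr: ipaddress.IPv4Address, nets: List[IPNet]) -> bool:
    return any(addr in n for n in nets)


def evaluate(pkt: Packet, iface: Interface) -> str:
    """Return "<action>:<reason>" for an inbound packet on an interface.

    The interface options look only at the SOURCE address of INBOUND packets,
    as the thread notes; the destination address is never consulted.
    """
    src = ipaddress.ip_address(pkt.src)
    if iface.block_private and _in_any(src, PRIVATE_NETS):
        return "block:private"
    if iface.block_bogons and _in_any(src, BOGON_NETS):
        return "block:bogon"
    # Simplified implicit allow for the DHCP server: a client with no address
    # yet sends DISCOVER from 0.0.0.0 (UDP 68 -> 67) to the broadcast address.
    if (iface.dhcp_server and pkt.proto == "udp" and pkt.sport == 68
            and pkt.dport == 67 and pkt.src == "0.0.0.0"):
        return "pass:dhcp"
    if _in_any(src, iface.pass_sources):
        return "pass:rule"
    return "block:default"    # nothing matched: the default deny does its job


# --- Constructed scenarios mirroring the thread ------------------------------
LAN_NET = ipaddress.ip_network("192.168.137.0/24")   # the subnet used in mer's post
INTERNET_HOST = "203.0.113.10"                       # documentation-range destination

WAN = Interface("WAN", None, block_private=True, block_bogons=True)
LAN_BLOCK_PRIVATE = Interface("LAN", LAN_NET, block_private=True)       # what the OP asked about
LAN_ADVISED = Interface("LAN", LAN_NET, pass_sources=[LAN_NET])         # the Netgate advice
LAN_BOGONS_DHCP = Interface("LAN", LAN_NET, block_bogons=True,
                            dhcp_server=True, pass_sources=[LAN_NET])
LAN_DHCP = Interface("LAN", LAN_NET, dhcp_server=True, pass_sources=[LAN_NET])


def scenarios() -> dict:
    lan_host = Packet("LAN", "192.168.137.5", INTERNET_HOST)
    dhcp_discover = Packet("LAN", "0.0.0.0", "255.255.255.255", "udp", 68, 67)
    return {
        # A private source seen on WAN is a leak or a spoof: blocking it is right.
        "wan_private_src": evaluate(Packet("WAN", "192.168.137.5", INTERNET_HOST), WAN),
        # The same option on LAN blocks every LAN host: the LAN is effectively disabled.
        "lan_block_private": evaluate(lan_host, LAN_BLOCK_PRIVATE),
        # A pass rule with source LAN net lets the real LAN hosts through ...
        "lan_own_host": evaluate(lan_host, LAN_ADVISED),
        # ... while another private range or a bogon falls through to the default deny.
        "lan_other_private": evaluate(Packet("LAN", "10.0.0.7", INTERNET_HOST), LAN_ADVISED),
        "lan_bogon_src": evaluate(Packet("LAN", "240.1.2.3", INTERNET_HOST), LAN_ADVISED),
        # Bogon blocking on a LAN that serves DHCP stops the 0.0.0.0 DISCOVER.
        "dhcp_with_bogons": evaluate(dhcp_discover, LAN_BOGONS_DHCP),
        "dhcp_without_bogons": evaluate(dhcp_discover, LAN_DHCP),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

    Running the script prints one verdict per scenario; the two DHCP rows are the ones to compare, since they show why the last post ties "Block bogon networks" on LAN to whether pfSense serves DHCP there.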