Basic firewalling questions



  • Hi all,

    Since a couple of days I am playing with my pfsense box (Watchguard XTM520). It runs fine on 2.3 and I configured all services I wanted (and had on my virtual server), like DHCP, DNS, NTP, local Domain.
    However I am still working form behind my "safe" router from my cable provider. I am very much looking towards the moment I can call them and ask them to put that router in bridge mode so my pfsense will do the firewalling.

    However I am running into some questions which I cannot seem to figure out myself easily:
    1. pfSense is default blocking ALL traffc on the WAN port correct?
    2. How can I disable the pfSense GUI on the WAN interface. I already found the following options:

    • Disable webConfigurator anti-lockout rule

    • Disable webConfigurator redirect rule

    However when I enter the WAN IP from within the LAN I am still confronted with the GUI. I want to use port 80 and port 443 for other sides by using port forwarding.
    I also read somewhere about explicitly using a different pfSense port and then using a WAN rule to "block this port".

    If I disable this GUI, is my default box safe enough to connect directly to the WAN or should I take account of different things as well?

    Years back I created my IPTABLES script y hand and at that time I had to explicitly block the access by adding rules.


  • LAYER 8 Netgate

    By default no connections coming into WAN are allowed.

    If you connect to your WAN IP address webConfigurator from the inside the connection isn't coming into WAN, it's coming into LAN and is passed by, most likely, the default pass any any rule found there.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting



  • So default "out-of-the-box" the pfSense is safe on the WAN side (not a single external connection possible unless e.g. a forward is made).
    So the lockout rule has to be seen as a way to avoid LAN lockout?

    If this is correct I will call my provider to switch my router into bridge mode.


  • LAYER 8 Netgate

    Yes. The anti-lockout rule is for connections coming into LAN from LAN hosts.

    If Firewall > Rules, WAN is empty and you haven't messed around with floating rules, all connections in from WAN will be denied.



  • Yep, the only 2 things in there are the:
    Reserved - Not assigned by IANA
    RFC 1918 networks

    And ofc my port forward.
    Which works when using a WAN IP to my personal WAN adres. However how can I create a rule so my local LAN is also able to acces my WAN adres.
    Wordpress and Owncloud both have my IP specified in their config, so to work they need to see the WAN IP?


  • LAYER 8 Netgate

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Split DNS is your preferred solution. Make a host override in DNS resolver pointing to the inside host address.

    If you absolutely must, enable NAT reflection on the firewall rule corresponding to your port forward.



  • Based on your response I found this, will read on it and come back when it works OR when I have an additional question :P
    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    Well after quickly trying and reading further I cam to the conclusion that Split DNS is the best solution but unfortunately not working, because the external WAN is just an IP, so the redirect should be from IP to Internal IP. Split DNS does not work like that (won't accept this).
    Seems the only solution left is reflection (not yet found why this is good or bad)


  • LAYER 8 Global Moderator

    "because the external WAN is just an IP, so the redirect should be from IP to Internal IP."

    Huh??  What does that have with split dns??

    Split dns is when your resolve something to a different IP then you would globally..  so for example you have a fqdn www.somedomain.com, and the world would resolve that to your public IP 1.2.3.4…  Which is the public IP Of pfsense (wan IP)  You forward 80 to some server on your local network, lets say its 192.168.1.100

    With split dns if you were on the 192.168.1.0/24 network ie behind your pfsense and you wanted to go to www.somedomain.com it would just resolve to 192.168.1.100..

    If your not using a fqdn to access your server, then just use 192.168.1.100 vs 1.2.3.4



  • John & Derelict: I understand what you are saying, but 15 minutes ago I did not have a "WAN-domain", I always used the WAN IP to access my site and did not have a domain at all connected to it.
    So split DNS was not working.

    Just called my provider of my domain en they helped me to set it up. Now I redirect www on domain xyz.com to the internal IP and it works as you both suggested (like a charm) ;)
    Thanks a lot. I am in the air again :)


Log in to reply