Netgate Discussion Forum
    Basic firewalling questions

    Firewalling
    9 Posts 3 Posters 1.4k Views
    PFseb

      Hi all,

      For a couple of days I have been playing with my pfSense box (Watchguard XTM520). It runs fine on 2.3 and I configured all the services I wanted (and had on my virtual server), like DHCP, DNS, NTP, local domain.
      However, I am still working from behind my "safe" router from my cable provider. I am very much looking forward to the moment I can call them and ask them to put that router in bridge mode so my pfSense will do the firewalling.

      However, I am running into some questions which I cannot seem to figure out myself easily:
      1. pfSense blocks ALL traffic on the WAN port by default, correct?
      2. How can I disable the pfSense GUI on the WAN interface? I already found the following options:

      • Disable webConfigurator anti-lockout rule

      • Disable webConfigurator redirect rule

      However, when I enter the WAN IP from within the LAN I am still confronted with the GUI. I want to use port 80 and port 443 for other sites by using port forwarding.
      I also read somewhere about explicitly using a different pfSense port and then using a WAN rule to "block this port".

      If I disable this GUI, is my default box safe enough to connect directly to the WAN, or should I take other things into account as well?

      Years back I created my IPTABLES script by hand, and at that time I had to explicitly block the access by adding rules.

      Derelict (LAYER 8, Netgate)

        By default no connections coming into WAN are allowed.

        If you connect to your WAN IP address webConfigurator from the inside the connection isn't coming into WAN, it's coming into LAN and is passed by, most likely, the default pass any any rule found there.

        https://doc.pfsense.org/index.php/Firewall_Rule_Basics

        https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          PFseb

          So by default, "out-of-the-box", pfSense is safe on the WAN side (not a single external connection is possible unless e.g. a forward is made).
          So the anti-lockout rule has to be seen as a way to avoid LAN lockout?

          If this is correct I will call my provider to switch my router into bridge mode.

            Derelict (LAYER 8, Netgate)

            Yes. The anti-lockout rule is for connections coming into LAN from LAN hosts.

            If Firewall > Rules, WAN is empty and you haven't messed around with floating rules, all connections in from WAN will be denied.

              PFseb

              Yep, the only 2 things in there are:
              Reserved - Not assigned by IANA
              RFC 1918 networks

              And of course my port forward.
              It works when using the WAN IP to reach my personal WAN address. However, how can I create a rule so my local LAN is also able to access my WAN address?
              WordPress and ownCloud both have my IP specified in their config, so to work they need to see the WAN IP?

                Derelict (LAYER 8, Netgate)

                https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                Split DNS is your preferred solution. Make a host override in DNS resolver pointing to the inside host address.

                If you absolutely must, enable NAT reflection on the firewall rule corresponding to your port forward.

                  PFseb

                  Based on your response I found this; I will read up on it and come back when it works OR when I have an additional question :P
                  https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

                  Well, after quickly trying and reading further I came to the conclusion that Split DNS is the best solution, but unfortunately it is not working, because the external WAN is just an IP, so the redirect should be from IP to internal IP. Split DNS does not work like that (won't accept this).
                  It seems the only solution left is reflection (I have not yet found out why this is good or bad).

                    johnpoz (LAYER 8, Global Moderator)

                    "because the external WAN is just an IP, so the redirect should be from IP to Internal IP."

                    Huh?? What does that have to do with split DNS??

                    Split DNS is when you resolve something to a different IP than you would globally. So for example you have an FQDN www.somedomain.com, and the world would resolve that to your public IP 1.2.3.4, which is the public IP of pfSense (WAN IP). You forward 80 to some server on your local network, let's say it's 192.168.1.100.

                    With split DNS, if you were on the 192.168.1.0/24 network, i.e. behind your pfSense, and you wanted to go to www.somedomain.com, it would just resolve to 192.168.1.100.

                    If you're not using an FQDN to access your server, then just use 192.168.1.100 instead of 1.2.3.4.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      PFseb
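A small model of the split DNS behaviour johnpoz describes, added here as an illustration and not code from the thread or from pfSense. It uses the values from his post (public IP 1.2.3.4, LAN 192.168.1.0/24, web server 192.168.1.100, name www.somedomain.com) and assumes that a DNS Resolver host override ends up as an unbound `local-data` line, which is the form pfSense's Resolver writes for host overrides.

```python
"""Split DNS (split-horizon) model: LAN clients resolve the forwarded
name to the inside host, everyone else gets the public record."""
import ipaddress
from typing import Optional

# Constructed values taken from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")

# What the world sees: the record published at the authoritative DNS.
PUBLIC_RECORDS = {"www.somedomain.com": "1.2.3.4"}

# Host overrides in Services > DNS Resolver > Host Overrides, answering
# LAN clients with the inside address of the port-forwarded server.
HOST_OVERRIDES = {"www.somedomain.com": "192.168.1.100"}


def is_ip_literal(name: str) -> bool:
    """True when 'name' is a bare IP address; those never go through DNS."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Address a client should use for `name`.

    A bare IP literal returns None: there is no DNS lookup to override,
    which is why the original poster could not use split DNS until a
    domain name was involved. LAN clients get the override; others get
    the public record.
    """
    if is_ip_literal(name):
        return None
    if ipaddress.ip_address(client_ip) in LAN and name in HOST_OVERRIDES:
        return HOST_OVERRIDES[name]
    return PUBLIC_RECORDS.get(name)


def unbound_host_override(name: str, addr: str) -> str:
    """Render an override as the unbound 'local-data' line the Resolver
    generates for it (assumed form; compare /var/unbound/host_entries.conf)."""
    return f'local-data: "{name}. IN A {addr}"'
```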

                      John & Derelict: I understand what you are saying, but 15 minutes ago I did not have a "WAN domain"; I always used the WAN IP to access my site and did not have a domain connected to it at all.
                      So split DNS was not working.

                      I just called the provider of my domain and they helped me to set it up. Now I redirect www on domain xyz.com to the internal IP and it works as you both suggested (like a charm) ;)
                      Thanks a lot. I am in the air again :)

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.