Correction #10683

Feedback on Firewall — Preventing RFC1918 Traffic from Exiting a WAN Interface

Added by G Mulder almost 4 years ago. Updated almost 4 years ago.

Status: Rejected
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 06/19/2020
Due date:
% Done: 0%
Estimated time:

Description

Page: https://docs.netgate.com/pfsense/en/latest/firewall/preventing-rfc1918-traffic-from-exiting-a-wan-interface.html

Feedback:

This part of the page (https://docs.netgate.com/pfsense/en/latest/firewall/preventing-rfc1918-traffic-from-exiting-a-wan-interface.html#steps-to-block-rfc1918-traffic-from-leaving-the-wan-interface) suggests that, by adding this Firewall Alias and Firewall Floating Rule, RFC1918 (and/or additional ranges) can be blocked from exiting WAN.

However, Floating rules are processed after Outbound NAT rules (cf. https://docs.netgate.com/pfsense/en/latest/book/firewall/floating-rules.html#processing-order). Therefore, if Outbound NAT is active (which is typically the case for residential use), the rule mentioned on the page cannot be used for this purpose.

The book suggests tagging/marking incoming LAN packets, and using that mark when processing the outbound traffic.

An extra caveat would be beneficial here, e.g. "Warning: the following rule cannot be used in combination with Outbound NAT on the same outgoing interface(s)". Another solution would be to add marking of packets to also support Outgoing NAT.
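The tag-based approach mentioned above, as an added pf.conf sketch in the FreeBSD pf syntax that pfSense uses (not from the Netgate docs or from this issue); the interface macros, the LAN network and the tag name are assumptions.

```pf
# Added sketch, not from the Netgate docs or this issue. FreeBSD pf syntax
# as used by pfSense; interface macros, LAN network and tag name are assumed.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# Private ranges that must not leave the WAN interface
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Outbound NAT. pf applies translation rules before the filter rules for
# the same direction, so a filter rule evaluated on $wan_if out already
# sees the translated (public) source address.
nat on $wan_if from $lan_net to any -> ($wan_if)

# Mark on LAN ingress, before translation: LAN traffic whose destination is
# a private range. The tag is stored with the state entry, so NAT on the
# way out does not remove it.
pass in quick on $lan_if from $lan_net to <rfc1918> tag RFC1918_LEAK

# On WAN egress, drop anything carrying the mark and log it so leaks
# (for example traffic for a remote private subnet while a VPN is down)
# show up in the firewall log.
block out log quick on $wan_if tagged RFC1918_LEAK

# Everything else from LAN is allowed out
pass in quick on $lan_if from $lan_net to any
```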
