Correction #10683
Status: closed
Feedback on Firewall — Preventing RFC1918 Traffic from Exiting a WAN Interface
% Done: 0%
Description
Feedback:
This part of the page (https://docs.netgate.com/pfsense/en/latest/firewall/preventing-rfc1918-traffic-from-exiting-a-wan-interface.html#steps-to-block-rfc1918-traffic-from-leaving-the-wan-interface) suggests that, by adding this Firewall Alias and Firewall Floating Rule, RFC1918 (and/or additional ranges) can be blocked from exiting WAN.
However, Floating rules are processed after Outbound NAT rules (cf. https://docs.netgate.com/pfsense/en/latest/book/firewall/floating-rules.html#processing-order). Therefore, if Outbound NAT is active (which is typically the case for residential use), the rule mentioned on the page cannot be used for this purpose.
The book suggests tagging/marking incoming LAN packets, and using that mark when processing the outbound traffic.
An extra caveat would be beneficial here, e.g. "Warning: the following rule cannot be used in combination with Outbound NAT on the same outgoing interface(s)". Another solution would be to add marking of packets to also support Outgoing NAT.
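The tag-and-match approach mentioned in the feedback above, written out as an added example for this ticket; it is not taken from the pfSense documentation or generated by pfSense, and the interface names, LAN subnet and tag name are assumptions:

```pf
# Constructed pf.conf fragment (FreeBSD pf syntax as used by pfSense).
# Hypothetical interfaces and networks, not a real deployment.
wan     = "em0"
lan     = "em1"
lan_net = "192.168.1.0/24"
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Outbound NAT. In FreeBSD pf, translation is applied before the filter
# rules run, so a filter rule evaluated on WAN egress sees the packet
# with its source already rewritten to the WAN address.
nat on $wan from $lan_net to any -> ($wan)

# Tag the packet on LAN ingress, where the original private source and
# destination are still visible ...
pass in quick on $lan from $lan_net to <rfc1918> tag LEAK_RFC1918
pass in on $lan from $lan_net to any

# ... and act on the tag at WAN egress. The tag is carried with the packet
# through forwarding and translation, so this match does not depend on
# the addresses the packet has after outbound NAT.
block out log quick on $wan tagged LEAK_RFC1918
pass out on $wan
```

The `log` keyword on the block rule makes leaked RFC1918-bound packets visible in the firewall log, which is the simplest way to verify the rule is actually matching after the change.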