Bug #131

closed

"Static route filtering" doesn't add rules for routes on WAN

Added by Garret Huntress about 15 years ago. Updated over 14 years ago.

Status: Resolved
Priority: Low
Assignee: -
Category: Rules / NAT
Target version:
Start date: 11/04/2009
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 1.2.3
Affected Architecture:

Description

The "Static route filtering" option (under System -> Advanced) doesn't account for packets entering and leaving the same interface when that interface goes to the default route.

While it's possible for a user to add a rule to pass in traffic on the WAN interface from the WAN subnet to any statelessly, it's not possible to create a corresponding stateless outgoing rule (since the pass out rule is stateful and specifies S/SA flags).

For our install, I modified the end of the filter_rules_generate() function with the following, although this code doesn't handle certain situations (such as when the default route isn't present on the WAN interface, or multi-WAN setups).

$ipfrules .= <<<EOD
# IMSpector
anchor "imspector"
# uPnPd
anchor "miniupnpd"
EOD;
/* Stateless pass for traffic that enters and leaves on WAN (WAN subnet to
 * the default route). The rule is "quick", so it has to be emitted before
 * the default deny rules below, which are also "quick" and would otherwise
 * drop these packets before this rule is ever evaluated. */
if (isset($config['filter']['bypassstaticroutes'])) {
    $wansa = gen_subnet($wancfg['ipaddr'], $wancfg['subnet']);
    $wansn = $wancfg['subnet'];
    $ipfrules .= "pass out quick on $wanif inet from $wansa/$wansn to any no state label \"pass traffic between local wan subnet and the default route\"\n";
}
$ipfrules .= <<<EOD
# default deny rules
#---------------------------------------------------------------------------
block in $log quick all label "Default deny rule"
block out $log quick all label "Default deny rule"
#---------------------------------------------------------------------------

EOD;

return $ipfrules;
}
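The check the report says its snippet lacks, written here as an added example (not the reporter's code and not pfSense's): emit the stateless pass-out rule only for interfaces whose gateway is on-link with the interface's own subnet, so the default route really leaves through the interface the traffic arrived on, and do it per interface so a multi-WAN layout is covered. Assumed: a per-interface array shaped like $wancfg (ipaddr, subnet) extended with an 'if' key for the OS interface name and a 'gateway' key holding the gateway IP; subnetAddress() stands in for pfSense's gen_subnet().

```php
<?php
// Added example with constructed data; not from the bug report or pfSense.

function subnetAddress(string $ip, int $bits): string {
    // Network address of $ip/$bits, the same role gen_subnet() plays in pfSense.
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return long2ip(ip2long($ip) & $mask);
}

function gatewayOnLink(array $ifcfg): bool {
    // The bypass only makes sense when the default route's next hop sits in
    // the interface subnet: only then does WAN-subnet traffic to the default
    // route leave through the same interface it came in on.
    if (empty($ifcfg['gateway'])) {
        return false;
    }
    $bits = (int)$ifcfg['subnet'];
    return subnetAddress($ifcfg['gateway'], $bits) === subnetAddress($ifcfg['ipaddr'], $bits);
}

function bypassRules(array $ifaces): string {
    // One stateless "pass out quick" per qualifying interface. The caller must
    // place this text before the "block ... quick all" default deny rules,
    // otherwise pf never reaches it.
    $rules = '';
    foreach ($ifaces as $ifname => $ifcfg) {
        if (!gatewayOnLink($ifcfg)) {
            continue;
        }
        $sa = subnetAddress($ifcfg['ipaddr'], (int)$ifcfg['subnet']);
        $rules .= "pass out quick on {$ifcfg['if']} inet from {$sa}/{$ifcfg['subnet']} to any no state "
                . "label \"pass traffic between local {$ifname} subnet and the default route\"\n";
    }
    return $rules;
}

// Constructed sample config (assumed keys 'if' and 'gateway'): the WAN gateway
// is inside the WAN subnet, the OPT1 gateway is not and must be skipped.
$ifaces = [
    'wan'  => ['if' => 'em0', 'ipaddr' => '203.0.113.10',  'subnet' => '24', 'gateway' => '203.0.113.1'],
    'opt1' => ['if' => 'em1', 'ipaddr' => '198.51.100.10', 'subnet' => '29', 'gateway' => '192.0.2.1'],
];
echo bypassRules($ifaces);
```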