WAN vs LAN Interfaces
pfSense® software treats interfaces differently based on whether or not they act as a WAN type interface (e.g. connection to an upstream network) or a LAN type interface (e.g. connection to an internal network). Most traditional interfaces will fall into one of the two categories, with VPN interfaces being more of a gray area.
The NAT portions of this document only refer to IPv4 behavior, not IPv6.
Choosing between WAN and LAN Types
The IPv4 Upstream Gateway and IPv6 Upstream Gateway options on the interface configuration control whether the firewall considers an assigned interface as a WAN or LAN type interface.
If an interface has a gateway selected, the firewall treats it as a WAN type interface. If an interface does not have a gateway selected, the firewall treats it as a LAN type interface.
There is no way to change the default behavior of dynamic interface types such as DHCP, PPP, and most assigned VPN interfaces. The GUI hides the gateway options on the interface configuration for these types of interfaces. The behavior of these interfaces is noted in the remainder of this document where relevant.
No matter how the firewall treats an interface by default the firewall behavior can almost always be adjusted through the use of options in the GUI.
WAN Type Interface
A WAN type interface is an interface through which the Internet can be reached, directly or indirectly. The firewall treats any interface with a gateway selected on its interface configuration as a WAN type interface. Dynamic IP address interfaces such as DHCP and PPP receive a dynamic gateway automatically and the firewall always considers them WAN interfaces.
For example, a static IP address WAN (e.g. Interfaces > WAN) would typically have a gateway selected such as WAN_GW. If this gateway selection is not present the firewall will treat the interface as a LAN type interface instead.
The firewall behavior changes in several ways for WAN type interfaces:
The firewall performs outbound NAT on traffic exiting a WAN type interface when using Automatic or Hybrid outbound NAT modes.
The firewall will not perform outbound NAT for traffic originating from the subnet(s) directly attached to a WAN type interface when using Automatic or Hybrid outbound NAT modes.
The firewall includes a WAN type interface in the count of WAN interfaces for Multi-WAN features. Some functions are hidden unless the firewall has more than one WAN type interface.
The firewall adds reply-to to firewall rules on a WAN type interface, which returns packets for connections coming in through that WAN back out via the same WAN where possible.
This behavior can be overridden on a per-rule basis using the option on firewall rules or it can be disabled globally on System > Advanced, Firewall & NAT tab.
The firewall adds route-to to automatic firewall rules for outbound traffic on a WAN type interface, which ensures outbound traffic on the interface is sent to the configured gateway.
The traffic shaper wizard treats a WAN type interface as a WAN.
The DNS Resolver will not allow queries from the subnet(s) on a WAN type interface without a manual ACL entry.
LAN Type Interface
A LAN type interface is an interface which connects to a local network, for example a LAN, DMZ, management network, guest network, and so on. Typically this also includes site-to-site links used to reach other local or internal networks, such as VPNs and private or dedicated circuits.
The firewall treats any assigned interface without a gateway selected on its interface configuration as a LAN type interface.
Do not select a gateway on the Interfaces menu entry for local interfaces such as LAN or for site-to-site VPNs.
Local and other interfaces may have a gateway defined under System > Routing so long as that gateway is not selected on its interface configuration.
The firewall behavior changes in several ways for LAN type interfaces:
The firewall will perform outbound NAT for traffic originating from the subnet(s) directly attached to a LAN type interface when that traffic exits a WAN type interface and Automatic or Hybrid outbound NAT mode is active.
If NAT reflection is active the firewall will create NAT reflection rules which allow clients on LAN type interfaces to access port forwards from behind the firewall.
This behavior can be changed on a per-rule basis using the option on NAT rules or it can be controlled globally on System > Advanced, Firewall & NAT tab.
The firewall will not perform outbound NAT on traffic exiting a LAN type interface when using Automatic or Hybrid outbound NAT mode.
The firewall does not add route-to to firewall rules on a LAN type interface.
The traffic shaper wizard treats a LAN type interface as a LAN.
The DNS Resolver automatically allows queries from the subnet(s) on a LAN type interface.
Assigned IPsec VTI and OpenVPN interfaces are treated differently than traditional interfaces. Most, but not all, of these points also apply to assigned GRE and GIF tunnel interfaces.
VPNs have numerous use cases which are similar to both LAN and WAN type interfaces, and in some cases both. For example a VPN could be for site-to-site links, remote access for mobile clients, or for connecting to the Internet through a VPN provider. The default behavior of the firewall attempts to balance the most common user needs and expectations when handling assigned VPN interfaces.
Currently, WireGuard interfaces act similarly to traditional interfaces when assigned, so their behavior primarily depends upon whether or not a gateway is selected in their interface configuration.
The firewall treats an assigned VPN interface as a LAN type interface for NAT, which means that it lists the subnets on these interfaces as traffic sources for outbound NAT and it does not perform outbound NAT on traffic exiting these interfaces.
In most cases a user does not expect the firewall to perform NAT on VPN traffic by default. Outbound NAT rules in Hybrid or Manual outbound NAT modes can make the firewall perform outbound NAT if a use case requires NAT.
The firewall treats an assigned VPN interface as a WAN type interface for traffic shaping if a VPN interface is capable of using ALTQ traffic shaping.
The firewall treats an assigned VPN interface as a WAN interface for firewall rule attributes such as route-to. This ensures that traffic entering the firewall over a specific VPN connection returns back through the same VPN.
The DNS Resolver treats an assigned VPN interface as a LAN interface and allows queries from subnet(s) configured on the VPN.
Firewall features such as per-interface rules, NAT, and reply-to do not work with IPsec VTI interfaces by default. The IPsec Filter Mode setting can allow IPsec VTI interfaces to utilize these features. See Advanced IPsec Settings.
Verifying an Interface Type
There are a couple ways to confirm if the firewall is treating an interface as a WAN or a LAN.
The interface status page (Status > Interfaces) is useful for determining the interface type. For non-VPN interfaces the presence of the Gateway IPv4 and/or Gateway IPv6 attribute on an interface indicates that the firewall considers it as a WAN type interface.
The next easiest method is to check the outbound NAT settings at Firewall > NAT, Outbound tab. Check the Automatic Rules section if the mode is set to Automatic or Hybrid. WAN type interfaces will have rules in the list with their name in the Interface column. LAN type interfaces have their subnets listed in the Source column of each rule.
If the outbound NAT mode is Automatic or Hybrid and there are no entries in the Automatic Rules list, that generally indicates that the firewall has either no WAN type interfaces or no LAN type interfaces. Check the gateway settings on each assigned interface and ensure that all WAN interfaces have a gateway selected and that no LAN interfaces have a gateway selected.
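The following script is an added illustration, not pfSense code, of how the gateway-selected rule described above decides the interface type and how that type drives the Automatic Rules list in Automatic or Hybrid outbound NAT mode: every LAN type subnet is translated as it leaves every WAN type interface, a WAN's own subnet is never translated, assigned VPN interfaces count as LAN for NAT but as WAN for reply-to and route-to, and a configuration with no WAN type or no LAN type interface produces an empty list. The interface names, device names, subnets and gateway names are constructed for the example, and the pf-style rule text is a simplified rendering rather than the exact rules pfSense generates.

```python
"""Model of pfSense-style interface typing and automatic outbound NAT.

Constructed example; it is not pfSense code. The rules follow the behaviour
described on this page, with interface and gateway names made up for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str                        # GUI name, e.g. "WAN" or "LAN" (constructed)
    device: str                      # OS device, e.g. "em0" (constructed)
    subnet: str                      # directly attached IPv4 subnet in CIDR form
    gateway: Optional[str] = None    # gateway selected on the interface configuration
    dynamic: bool = False            # DHCP/PPP: gateway assigned automatically
    vpn: bool = False                # assigned IPsec VTI or OpenVPN interface


def gateway_type(iface: Interface) -> str:
    """'WAN' if a gateway is selected (dynamic types always count), else 'LAN'."""
    return "WAN" if (iface.dynamic or iface.gateway) else "LAN"


def nat_type(iface: Interface) -> str:
    """Type used for outbound NAT: assigned VPN interfaces are treated as LAN."""
    return "LAN" if iface.vpn else gateway_type(iface)


def rule_attributes(iface: Interface) -> Tuple[str, ...]:
    """Gateway attributes the firewall adds to rules on this interface.

    reply-to is added to inbound rules and route-to to automatic outbound
    rules on WAN type interfaces; assigned VPN interfaces count as WAN here
    even though they count as LAN for NAT.
    """
    if iface.vpn or gateway_type(iface) == "WAN":
        return ("reply-to", "route-to")
    return ()


def automatic_outbound_nat(interfaces: List[Interface]) -> List[str]:
    """Render the Automatic Rules list as simplified pf-style nat rules.

    One rule per (WAN type interface, LAN type subnet) pair. Traffic from a
    WAN's own subnet is never a source, and nothing is translated when it
    leaves a LAN type interface, so those combinations never appear.
    """
    wans = [i for i in interfaces if nat_type(i) == "WAN"]
    lans = [i for i in interfaces if nat_type(i) == "LAN"]
    rules = []
    for wan in wans:
        for lan in lans:
            # "(device)" is pf syntax for the interface's current address.
            rules.append(f"nat on {wan.device} inet from {lan.subnet} to any -> ({wan.device})")
    return rules


def diagnose(interfaces: List[Interface]) -> str:
    """Explain an empty Automatic Rules list, as the verification steps above do."""
    if not any(nat_type(i) == "WAN" for i in interfaces):
        return "no WAN type interfaces: select a gateway on each upstream interface"
    if not any(nat_type(i) == "LAN" for i in interfaces):
        return "no LAN type interfaces: clear the gateway selection on local interfaces"
    return "ok"


def sample_interfaces() -> List[Interface]:
    """Constructed configuration: one static WAN, two local networks, one OpenVPN server."""
    return [
        Interface("WAN", "em0", "203.0.113.0/24", gateway="WAN_GW"),
        Interface("LAN", "em1", "192.168.1.0/24"),
        Interface("DMZ", "em2", "10.0.10.0/24"),
        Interface("OVPNS1", "ovpns1", "10.8.0.0/24", dynamic=True, vpn=True),
    ]


if __name__ == "__main__":
    ifaces = sample_interfaces()
    for i in ifaces:
        print(f"{i.name:7} nat={nat_type(i)} attrs={rule_attributes(i)}")
    for rule in automatic_outbound_nat(ifaces):
        print(rule)
    # Mistake from the verification section: a gateway selected on LAN turns it
    # into a WAN type interface, so no LAN subnets remain and the list is empty.
    broken = [ifaces[0], Interface("LAN", "em1", "192.168.1.0/24", gateway="LAN_GW")]
    print(automatic_outbound_nat(broken), "->", diagnose(broken))
```

Running the script prints the type and gateway attributes of each constructed interface, the three nat rules (WAN toward LAN, DMZ and the OpenVPN subnet), and then the empty list with its explanation for the misconfigured case in which LAN has a gateway selected.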
Another method is to start a traffic shaper wizard (Firewall > Traffic Shaper, Wizards tab) and step through until the wizard lists the interfaces. From there, check if an interface is present in either the LAN or WAN interface selection lists.
This method will not work for interface types which do not support ALTQ traffic shaping.