OPNsense Forum

English Forums => General Discussion => Topic started by: jonny5 on February 28, 2025, 06:31:19 PM

Title: TIP - NAT Port Forwarding with Block Lists Enabled in a Firewall Rule
Post by: jonny5 on February 28, 2025, 06:31:19 PM
So you are doing port forwarding, and you also have a blocking rule present on at least the WAN (ideally also the LAN(s)). It might be the Crowdsec IPv4 & IPv6 rules the plugin installs, or maybe you made the Spamhaus block rules and the Alias to sync the list from their sources.

What you might not realize is happening is that the Port Forward happens BEFORE any firewall rule on the WAN, so it will forward in and then block on the LAN (if you have your rules blocking there), and this means extra work.

You can block at WAN and not forward!!

Just enable the 'Source' on the Port Forward rule, and set the 'Inverse' option, select your Blocklist (you can make a new list and have it hold multiple other lists that are syncing so you just give yourself one complete list to add to things) and hit save.

Do this on your Outbound NAT as well, just more or less in reverse - do the 'Destination' + 'Inverse' + your Blocklist, enjoy!

See image in attachments to this post! Hope this has helped someone, and happy Routing! Note - I did modify the image to remove my Proxy's Internal IP - so the blank field with no IP in it is only that way because of that.
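To show what the tip above boils down to at the packet-filter level, here is a constructed pf.conf fragment in the style of the ruleset OPNsense generates for pf (this is an added illustration, not the original post's attachment and not OPNsense's actual generated output). The interface names, the `blocklist` table contents, the `$proxy` address and the `$lan_net` range are all made-up placeholders; the point is the `! <blocklist>` negation on the `rdr` source and on the outbound `nat` destination, which keeps blocklisted addresses from ever being translated, so no LAN-side block rule has to catch the forwarded traffic.

```pf
# Constructed example: interface macros and a placeholder proxy address
wan = "igb0"
lan = "igb1"
proxy = "10.0.0.5"            # placeholder internal host
lan_net = "10.0.0.0/24"       # placeholder LAN range

# The blocklist alias becomes a pf table. Entries here are constructed;
# in OPNsense the table is filled from the synced alias sources.
table <blocklist> persist { 192.0.2.0/24, 198.51.100.7 }

# --- BEFORE the tip: translation happens before any filter rule, so a
#     blocklisted source is still forwarded to $proxy and has to be
#     stopped by a separate block rule on the LAN side.
rdr on $wan inet proto tcp from any to ($wan) port 443 -> $proxy port 443

# --- AFTER the tip: "Source" enabled + "Inverse" + the blocklist alias.
#     Translation only applies to sources NOT in the table, so
#     blocklisted addresses are never forwarded in the first place.
rdr on $wan inet proto tcp from ! <blocklist> to ($wan) port 443 -> $proxy port 443

# Outbound NAT counterpart: "Destination" + "Inverse" + the blocklist.
# Internal hosts are only translated when talking to non-blocklisted
# destinations; traffic toward listed addresses is left untranslated.
nat on $wan inet from $lan_net to ! <blocklist> -> ($wan)

# Filter side: the associated pass rule for the forward (unchanged by the tip);
# a blocklisted source no longer reaches it because it was never translated.
pass in quick on $wan inet proto tcp from any to $proxy port 443
block in quick on $wan inet from <blocklist> to any
```

After saving the NAT rules in the GUI, the effective ruleset can be inspected with `pfctl -sn` (NAT rules) and `pfctl -sr` (filter rules), and the table contents with `pfctl -t blocklist -T show`, which is a quick way to confirm that the negated table actually appears on the `rdr` and `nat` lines.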
Title: Re: TIP - NAT Port Forwarding with Block Lists Enabled in a Firewall Rule
Post by: Patrick M. Hausen on February 28, 2025, 08:09:45 PM
@jonny5 what a life saver! Thanks a lot.

Here I am, resident guru and one of the most active supporters, and that completely escaped my imagination. Saved a ton of rules and complexity.

I am not a fan of the fact that "pass" in NAT port forward is prioritised over firewall rules. And if you pick "associated firewall rule" that rule goes "from Internet - to internal NAT destination address" which just looks weird to me.

In all other firewalls I used over the last three decades (yes ;-) the order is like

- first allow from Internet to external address port e.g. 443
- then NAT port forward to destination - either in a single UI form (Sidewinder) or in two (Cisco)

Now everything is easy to parse and self-documenting again, at least according to the way I think.

Patrick