pfSense behind another router. Rules issues

Hello everyone !


I have my ISP router set to bridge mode.
Behind is my OpenWRT router, the WAN ip is my home public ip.
OpenWRT LAN subnet is
I have a pfSense running on XCP-NG, it’s WAN is connected to the OpenWRT LAN network.
pfSense WAN →
I have one LAN and one OPT1 interface. ( and


When I want my pfSense LAN to access the internet I have to set a rule on the LAN to allow any trafic to “any” destination. If I set the rule to only accept “WAN Net” destination I can’t reach external websites like Wikipedia. But I can reach a “Local” website hosted on the WAN ( for example)

What I think is that pfSense understands that (Wikipedia address) is not part of the “WAN Net” since the WAN is from pfSense point of view.

Thank you !

Could you please tell me if understand correctly what’s happening, and a way to solve this issue ?
Because I don’t want to let a rule with “any” as destination.

Than you very much for your help ! :slight_smile:

@Milos Under Interface>WAN did you deselect “Block private networks and loopback addresse” and “Block bogon networks”, this two needs to deselected, if they are left selected you will not access Internet.

Thank you, but no, these are NOT checked :frowning: it comes from somewhere else.

I had your request once with the result that if is not directly reachable on the WAN Net, I had to set the destination of the “WAN Net” port to HTTP/HTTPS for Internet access. The actual filter for the accessibility of Internet resources,services, applications I managed at the Internet router. So my currently 2-tier firewall setup is running and blocking unwanted background noices.

Do not implement a double S-NAT in the network to avoid trouble in routing.

Thank you for your answer, but I’m not sure to understand everything.
I tried to set the rule to “WAN Net” and set the port to HTTPS (443) but as I espected it, it did nothing. The only trick I found is to declare Alias of networks and say “Invert match” when defining the rule in order to allow nothing but the REAL WAN. But I’m not sure if it is a great solution.

I had the same setup before I made pfSense my only Router. Put pfSense in the Router’s DMZ. That way all traffic is directed to pfSense.

Thank you for all your answers

I could solve my issue with the method I explained before.
Create a Network Alias containing all LANs and set a Rule saying all but this Alias.
See pictures :

But now I’m facing another issue, XCP does not want to add more than 7 interfaces to my pfSense…

Have a nice day everyone ! :slight_smile: