RFC1918 without VPN-range in pfSense

Can anyone give some help ?
I cannot enable the RFC1918 block on the LAN rule because I need to allow traffic from the VPN provider and local LAN traffic.

Addresses that need to pass are 10.8.0.0/16. The local LAN is 10.75.4.0/24.

I want to create an alias that allows these addresses but no others. Any suggestions would be greatly appreciated.

You don’t want to enable that on your LAN interface, just your WAN interface.

There’s no sense blocking private networks on a private network.

I’m not exactly sure what you’re trying to do.

Thanks for your reply. I want a rule with logging when any of the RFC1918 ranges leave the LAN.

I have created an alias with prohibited ranges and I want to add 10.0.0.0/8 excluding 10.8.0.0/16 and my LAN range.

I’m looking for the best way to translate this in a limited number of IP ranges.

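To get the "limited number of IP ranges" asked for above, here is an added example (my own code, not from pfSense or from anyone in this thread) that computes 10.0.0.0/8 minus 10.8.0.0/16 and 10.75.4.0/24 as the smallest set of CIDR blocks using Python's standard ipaddress module; the host addresses used in the check are constructed.

```python
import ipaddress

# Values from the thread: carve the VPN range and the local LAN out of 10/8
BASE = "10.0.0.0/8"
EXCLUDE = ["10.8.0.0/16", "10.75.4.0/24"]


def exclude_networks(base, excluded):
    """Return the minimal list of CIDR blocks covering `base` minus every
    network in `excluded` (a set difference expressed as prefixes)."""
    remaining = [ipaddress.ip_network(base, strict=True)]
    for ex in (ipaddress.ip_network(e, strict=True) for e in excluded):
        kept = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                  # whole block is excluded: drop it
            if ex.subnet_of(net):
                # address_exclude splits `net` into the sibling blocks that do
                # not contain `ex` (it requires `ex` to be a strict subnet,
                # which the equality case above guarantees)
                kept.extend(net.address_exclude(ex))
            else:
                kept.append(net)          # disjoint: keep as-is
        remaining = kept
    # merge any adjacent blocks that can be written as one prefix
    return sorted(ipaddress.collapse_addresses(remaining))


def alias_entries(nets):
    """One CIDR string per entry, the form a pfSense 'Network' alias takes."""
    return [str(n) for n in nets]


def matches_alias(nets, ip):
    """True if `ip` (constructed sample host) falls inside any block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    blocks = exclude_networks(BASE, EXCLUDE)
    print(f"{len(blocks)} alias entries:")
    print("\n".join(alias_entries(blocks)))
```

The result is 21 entries, and pfSense also offers an "Invert match" checkbox on a rule's source/destination, which avoids computing the complement by hand when a single alias of the excluded ranges is enough.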

The only source traffic that can leave the LAN is traffic from the LAN subnet, and you will not be able to have any of those private ranges as a destination because they’re not globally routable, so it’s not really something you need to configure.

But if you want to do it anyway, have a rule blocking or rejecting from any to this alias and then above it make an allow rule for whatever you want to allow. You will need an allow any to any rule at the bottom so you can still access the internet and you’ll need a rule at the top allowing access to the router or you will lock yourself out.

If your VPN is a VPN service and not a remote network you want to connect to then you do not need to allow access from the LAN to the VPN subnet.

Really you’re fine with the default allow any to any rule.
