@jonnetg I'm doing the same, it's just better to limit all traffic as most websites don't need that much bandwidth.
It's almost impossible to create an alias for YouTube.
I managed to do it, but sooner or later the IPs will change.
No problems. A pity that the Oracle side is such a downgrade in security... SHA1 and anything smaller than 3k in PFS Key Groups should be shamed in 2019. And we haven't even talked about supporting AES-GCM yet...
Anyway nice you got it working with that.
Cheers,
Jens
Like I said, not going to hurt anything... But the amount of places that actually have those ports open at the ISP level is not very much.. More an exercise in how to do it than actual security..
Here is from one of my VPS boxes out on the net:
Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:54 CDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.015s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 1022 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds
Here is from my home connection:
Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:48 CDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.062s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 1012 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
25/tcp  filtered smtp
55/tcp  filtered isi-gl
67/tcp  filtered dhcps
77/tcp  filtered priv-rje
80/tcp  open     http
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
496/tcp filtered pim-rp-disc
Nmap done: 1 IP address (1 host up) scanned in 322.31 seconds
As you see, 25 is blocked by the ISP as well.. On home connections that is almost always blocked as well.. But if you're on some sort of fiber...
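The two captures above are compared by eye in the post. As an added example (not the poster's code), here is a small Python script that parses nmap's normal output and reports the ports that show as filtered only from the home path; the scans are embedded as constructed sample input copied from the post so it runs offline. The assumption is that the VPS vantage point has unfiltered transit, so its scan shows what the target itself exposes and anything filtered only from home is being dropped in between, typically by the ISP.

```python
import re
from typing import Dict, Set

# The two scans from the post, embedded as constructed sample input so the
# comparison runs offline. Same target, two vantage points.
VPS_SCAN = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:54 CDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.015s latency).
Not shown: 1022 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds
"""

HOME_SCAN = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:48 CDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.062s latency).
Not shown: 1012 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
25/tcp  filtered smtp
55/tcp  filtered isi-gl
67/tcp  filtered dhcps
77/tcp  filtered priv-rje
80/tcp  open     http
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
496/tcp filtered pim-rp-disc
Nmap done: 1 IP address (1 host up) scanned in 322.31 seconds
"""

# One port line of nmap's normal output: "<port>/<proto> <state> <service>".
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+(\S+)"
)
# The summary line nmap uses for the ports it collapsed out of the listing.
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports")


def parse_scan(text: str) -> Dict[int, str]:
    """Map each listed port number to its state string."""
    states: Dict[int, str] = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            states[int(m.group(1))] = m.group(3)
    return states


def default_state(text: str) -> str:
    """State of the ports nmap folded into the 'Not shown' line (usually 'closed' or 'filtered')."""
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            return m.group(2)
    return "unknown"


def filtered_on_path(reference: str, observed: str) -> Set[int]:
    """Ports that are 'filtered' from the observed vantage point but not from the reference one.

    Ports missing from the reference listing take that scan's 'Not shown' state, so a port the
    VPS saw as closed but home saw as filtered is counted as filtered somewhere on the home path.
    """
    ref, obs = parse_scan(reference), parse_scan(observed)
    ref_default = default_state(reference)
    return {p for p, s in obs.items() if s == "filtered" and ref.get(p, ref_default) != "filtered"}


if __name__ == "__main__":
    blocked = filtered_on_path(VPS_SCAN, HOME_SCAN)
    print("Filtered only on the home path:", sorted(blocked))
    print("Outbound SMTP (25) blocked upstream:", 25 in blocked)
```

The same comparison works for any two nmap normal-output captures of the same target; the only requirement is that the reference scan comes from a path you trust to be unfiltered.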
You can't reach the 192.168.2.1 gateway from this 192.168.3.0/24 network.
Add one more network card to your pfSense or use VLANs to create these interfaces virtually separated. You need a VLAN-capable switch then, though.
-Rico
@Gertjan Hello, thanks for commenting. I had set it to 8.8.8.8 to test if I can get to ping Google. At the time I didn't trust the router. Thanks to your comment I have changed my DNS to my router and it worked fine.
[image: 1558992321628-8fb612f3-17f0-40bb-b8a7-2e8f577c5bef-image.png]
The rules for lan are ok now because I can go to the internet.
@johnpoz OK it's noted.
However, we have another server that is in this address range: 10.1..1.x. How do we avoid saturating the Chimpanzee switch with requests that will be issued by other hosts who want to reach the other server via this Chimpanzee switch?
Yeah, Rico hit it on the head.. Where you can run into problems is when the site could really be any IP owned by the CDN it's being hosted on.. So the specific IP you use could change all the time..
And some of these have TTLs as short as 60 seconds, for example... So when the filterdns process runs (every 5 minutes by default) that populates your alias for www.somedomain.com you get IP 1.2.3.4... But then 3 minutes later your client wants to go there and gets 4.5.6.7, which is not in your alias.
Even if you put in the whole swath of IPs that are owned by the CDN.. you now get sites that you might not want going through the VPN since they are hosted on the same CDN, etc.
So while, yes, you can do it.. be aware that there could be complications based upon whether that FQDN is hosted on a CDN..
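The timing problem described in this post is easy to reason about with a small model. As an added example (not the poster's code and not pfSense's filterdns implementation), this Python script simulates a CDN name whose answer rotates every TTL against an alias that only holds what was resolved at the last refresh, then measures how often a client's fresh lookup would miss the alias, i.e. how much traffic silently bypasses the rule or VPN policy the alias was meant to select. It also shows the other failure mode from the post: an alias built from the whole CDN prefix matches unrelated sites on that prefix. The address pool, the four-address rotation, the refresh/TTL figures and the "other tenants" are all constructed assumptions; the 60-second TTL and 5-minute refresh are the numbers the post mentions.

```python
import ipaddress
from typing import List, Set

# Constructed stand-in for a CDN-hosted name whose A record rotates every TTL.
# Addresses are from the RFC 5737 documentation range; a real pool is far larger.
CDN_POOL: List[str] = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
TTL = 60        # seconds; the short TTL mentioned in the post
REFRESH = 300   # seconds; the 5-minute filterdns refresh interval mentioned in the post


def resolve(t: int, pool: List[str] = CDN_POOL, ttl: int = TTL) -> str:
    """Address the (simulated) CDN hands out at second t: one per TTL window, round-robin."""
    return pool[(t // ttl) % len(pool)]


def alias_at(t: int, refresh: int = REFRESH, ttl: int = TTL, pool: List[str] = CDN_POOL) -> Set[str]:
    """Contents of the FQDN alias at second t: only the answer seen at the most recent refresh."""
    last_refresh = (t // refresh) * refresh
    return {resolve(last_refresh, pool, ttl)}


def client_matches_alias(t: int, refresh: int = REFRESH, ttl: int = TTL, pool: List[str] = CDN_POOL) -> bool:
    """Does a client resolving the name at second t get an address the alias currently holds?"""
    return resolve(t, pool, ttl) in alias_at(t, refresh, ttl, pool)


def miss_rate(window: int, refresh: int = REFRESH, ttl: int = TTL, pool: List[str] = CDN_POOL) -> float:
    """Fraction of seconds in [0, window) at which a fresh client lookup would NOT match the alias."""
    misses = sum(1 for t in range(window) if not client_matches_alias(t, refresh, ttl, pool))
    return misses / window


def cidr_overmatch(cidr: str, other_tenants: List[str]) -> List[str]:
    """Other sites that an alias holding the whole CDN prefix would also pull into the rule."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [ip for ip in other_tenants if ipaddress.ip_address(ip) in net]


if __name__ == "__main__":
    # The scenario from the post: alias refreshed at t=0, client lookup three minutes later.
    print("alias at t=180:", alias_at(180), "client gets:", resolve(180),
          "match:", client_matches_alias(180))
    print(f"miss rate over 10 refresh cycles: {miss_rate(10 * REFRESH):.0%}")
    print(f"miss rate if refresh == TTL:      {miss_rate(10 * REFRESH, refresh=TTL):.0%}")
    # Constructed "other tenants": two on the same CDN prefix, one elsewhere.
    print("prefix alias also matches:",
          cidr_overmatch("192.0.2.0/24", ["192.0.2.77", "192.0.2.200", "198.51.100.5"]))
```

With four addresses rotating every 60 seconds and a 300-second refresh, the alias is right for only two of the five TTL windows in each cycle, so 60% of client lookups land on an address the alias does not contain; refreshing as often as the TTL brings the miss rate to zero in this model, at the cost of more DNS traffic from the firewall. Matching the whole prefix instead trades that staleness for over-matching, which is exactly the trade-off the post describes.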
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.