@jonnetg I'm doing the same, it just better to limit all traffic as most websites don't need that much bandwidth.
It's almost impossible to create an aliase for YouTube.
i managed to do it but sooner or later the ips will change.

No problems. A pity that the oracle side is such a downgrade in security... SHA1 and anything smaller then 3k in PFS Key Groups should be shamed in 2019. And we haven't even talked about supporting AES-GCM yet... 🤦

Anyway nice you got it working with that.

Cheers,
Jens

Thank you very much. Very informative

Like I said not going to hurt anything... But amount of places that actually have those ports open at the isp level is not very much.. More an exercise in how to do it more than actual security..

Here is from one of my vps box out of the net

Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:54 CDT Nmap scan report for scanme.nmap.org (45.33.32.156) Host is up (0.015s latency). Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f Not shown: 1022 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds

Here is from my home connection

Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:48 CDT Nmap scan report for scanme.nmap.org (45.33.32.156) Host is up (0.062s latency). Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f Not shown: 1012 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp filtered smtp 55/tcp filtered isi-gl 67/tcp filtered dhcps 77/tcp filtered priv-rje 80/tcp open http 135/tcp filtered msrpc 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 496/tcp filtered pim-rp-disc Nmap done: 1 IP address (1 host up) scanned in 322.31 seconds

As you see 25 blocked by isp as well.. Home connections that is almost always blocked as well.. But if your on some sort of fiber...

You can't reach the 192.168.2.1 gateway from this 192.168.3.0/24 network.
Add one more network card to your pfSense or use VLANs to create these Interfaces virtually separated. You need a capable VLAN Switch then though.

-Rico

Sorry, the txt image is a liitle broken. Right picture is here:

@Gertjan Hello, thanks for commenting. I had set it to 8.8.8.8 to test if I can get to ping to google. At the time I didn't trust the router. Thanks to your comment I have changed my dns to my router and it worked fine.

8fb612f3-17f0-40bb-b8a7-2e8f577c5bef-image.png

The rules for lan are ok now because I can go to the internet.

In that case I would BLOCK LOCAL_SUBNETS then PASS ANY

@johnpoz OK it's noted.
However, we have other server that is in this range of address: 10.1..1.x, how to do not saturate Chimpanzee switch requests that will be issued by other hosts who want to reach the other server via this chimpanzee switch?