@vertigo8 nothing pfsense can do about devices on the same lan talking to or discovering each other.

For that you need to do that on your switch/wireless devices. Switch would be a private vlan. On wifi its called AP or Client isolation.

Pfsense is involved with traffic leaving a network, to be routed somewhere else - it is not able to control what devices do on the local network amongst themselves.

@wayne47 It would be interessting to see your pfsense interface config and frr status. It sounds to me that you have an upstream gateway configured on at least one interface (the one you call wan)

My expirence is that If you want routing to be handled by OSPF you should not have an upstream gateway configured on any of the interfaces receiving ospf routes and naturally also not override routing from firewall rules. If you want you default route to be one of the upstream edgerouters think you will need them to announce a default route.

@mer Thanks for the reply! Your comments got me to thinking which can be dangerous ;-)

I figured out the problem. It has to do with little Windows 10 app that the commercial VPN provides. This app resides in the system tray on the right side of the task bar in Windows 10. The app is used to connect and disconnect from the VPN. With your comments, I had the thought to try to figure out what DNS server windows was using when connected to the VPN and when not connected to the VPN. With a quick google search I found the Windows 10 command prompt nslookup command. Simply entering "nslookup" in a windows command prompt will return the DNS server being used. In my case, when I wasn't connected to the VPN, it returned the ip of my pfSense router. When I was connected to the VPN it returned an ip of a DNS server that belongs to my VPN provider. It seems that everytime you connect to the VPN service using their Windows 10 app, they change your DNS server address to their DNS server. I tried manually changing it back to the ip of my pfSense router but that didn't work when connected to the VPN - in that case I broke internet access altogether and couldn't connect to anything. When connected to the VPN, Windows wasn't able to resolve the local ip of my pfSense router. The solution will have to be to stop using the app provided by the VPN provider so that the DNS server that Windows uses stays pointing to my pfSense router. I had previously setup a gateway associated wiht the commercial VPN provider in my pfSense router. My solution will be to configure pfSense to route traffic from my Windows 10 through the VPN gateway when I want to use the VPN from my Windows 10 pc. Sort of a pain b/c I will have to log in to pfSense every time I want to use (or not use) the VPN. But in this scenario I can use the https://server1name.domain_name.tld paradigm to access my local services from my Windows 10 pc whether or not its WAN traffic is being routed through the VPN. This is because my Windows 10 pc will always be configured to use pfSense for domain name resolution.

@johnpoz I'm not trying to block plex it's just installed on the same computer that blue iris is running on.

I have never really messed with Docker or VMs

I have tried messing with allowing a device on one VLAN to talk to a device on another VLAN but it wasn't working. I'm sure I was doing something wrong.

Do you think the best/easiest route would be to have the plex/blue iris computer on the "Home" VLAN and set up all the cameras on the "ipcamera" VLAN and only let the "ipcamera" VLAN talk to the Plex/blue iris machine IP?

That's what I was going to try but I just wanted to make sure I wasn't going about it the wrong way and end up having to redo everything a different way later.

@nick-loenders ah!!! thanks for the info that keeps my curiosity cat purring nicely ;)

Hello @viragomann

thanks for your reply: I tried it, so I created this entry in my Cisco:

ip route 192.168.106.0 255.255.255.0 192.168.0.30

but can't ping or ssh anything. Any other suggestion? Maybe some configuration on the pfsense side.

--
Regards,

Marco

@kom Thank you! You were correct. It took me a while to find the existing rules and duplicate them for the other two interfaces. I obviously have a lot to learn about pfsense.

I now have one of my two WiFi hubs online so I can start to play with it. This is very different from the iptables that I am used to.

Thanks!

Well you could move the mpls connection to a wan on pfsense sure, but that would still need routing.. You could do something dynamic vs static.. But that can add complexity, so unless your using it for monitoring of path to change routing, or networks come and go all the time.. A hand full of static routes is easier solution.

@alteredstate said in How To Direct Traffic For Specific Website(s) Out Specific Gateway?:

I would be forced to continually disable and enable the VPN firewall destination rule each time I use Disney+.

Just create another wifi network then, when you want to watch Disney, connect to your non vpn wifi. When you want to do whatever else, just switch to your vpn wifi..

I would just watch on my TV to be honest.. Why would anyone watch on little screen when there is a big screen available?

But if your going to be using a device where you want to split traffic vpn and non vpn - then yeah the policy routing is really the only way to do that. It can be problematic - especially if laptop is not using pfsense for dns, say doh..

@viragomann
I can ping google.com, it works just fine.

Indeed, in the logs there seem to be recurring patterns (and I totally missed the flags).

home_ip : my home public ip address server_ip : my server public ip address public_ip : multiple public ip addresses were captured by the filter port : multiple port numbers were captured by the filter

Here is for the Default deny rule IPv4 :

block em0 TCP:PA home_ip:port server_ip:443 (*) block em0 ICMP public_ip server_ip block em0 TCP:S public_ip server_ip:port (mostly port 445) block em0 TCP:A/FA/PA 192.241.206.128:port server_ip:443(**) block em0 TCP:R public_ip:port server_ip:80

(*) this line appears so often that it is difficult to see anything else.
(**) I don't know the 192.241.206.128 address, but it is the only one I have with the A, FA and PA flags

Some traffic is passing :

pass em0 TCP:S server_ip:port 99.86.113.21:443 pass em1 TCP:S 192.168.1.2:46178 99.86.113.21:443 (***) pass em1 TCP:S 192.168.1.101:port 34.122.121.32:80 (32.121.122.34.bc.googleusercontent.com)

(***) 192.168.1.2 is another vm (debian) on the LAN --> no internet as well

In the end, the Default deny rule IPv4 seems to be blocking inbound traffic. I could see that it was mostly blocking ip addresses referenced as abusive.

And I think I have missed something, because I don't see all the LAN activities in the logs (e.g., ping). I am currently working on this issue.

@viragomann
Thank you! That plus a blocking rule to prevent the host from going out the gateway I don't want does the trick.

@stephenw10
Really appreciated for the reply, just disabled "reply-to" from the fw rules and the traffic flows to the right BGP path now.

Sipher

@viragomann

i'll use that than.

thanks again.

solved.