• Internet disconnects on Intervals due to Schedule

    0 Votes, 5 Posts, 465 Views
    @negate1 Are you referring to WiFi? This is a fairly large network, with almost a thousand clients connected to pfSense. pfSense is acting as an edge network load balancing 4 WANs. Behind pfSense is an OSPF network with several subnets. An IP in one of the subnets needs to follow a schedule where there are times in a day when we need to block it from accessing the Internet. It is just a simple block rule with a schedule. After we applied the rule, pfSense disconnects all clients in all subnets every 15 min but reconnects them immediately. This is unnoticeable in most Internet activities except games and VoIP. We disabled the rule and everything is back to normal. Is this a cron job not doing what it is intended to?
  • Should the WAN_DHCP IP be the same as my Public IP?

    0 Votes, 5 Posts, 675 Views
    @johnpoz Thank you for the clarification.
  • Can't no access to some websites

    0 Votes, 25 Posts, 2k Views
    @stephenw10 said in Can't no access to some websites: "Because it's statically routed so it may behave differently to a random IP." OK :)
  • ATV4 wants to connect to an "unknown" ip on TCP/7000

    0 Votes, 19 Posts, 2k Views
    bingo600: Now my ATV4 has "fallen in love with 192.168.1.14 TCP:7000". Well, I have had it ... Made a deny rule targeting ATV4 -> 192.168.1.0/24 (I don't have that range), and disabled logging. /Bingo
  • Running pfSense 2.4.4 over a KVM VM in PROXMOX 6.1.5.

    Tags: proxmox, kvm
    0 Votes, 15 Posts, 3k Views
    @viragomann said in Running pfSense 2.4.4 over a KVM VM in PROXMOX 6.1.5.: "You will get the best benefits of the processor features when using host type. This passes all the features of the processor through to the VM, while KVM64 provides only a small amount of common features. For instance, KVM64 doesn't make use of AES-NI, even if your host CPU supports it." With kvm64 you can set extra CPU flags though, including AES. All via the Proxmox GUI.
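As an added example (not code from the thread or from Netgate or Proxmox), a way to confirm that the pfSense guest actually sees AES-NI after the CPU type or flag change the reply describes. The `qm set` lines in the header are the CLI form of the GUI setting; their `flags=+aes` syntax is as recalled from qm(1) and should be checked against `man qm` on your PVE version. The dmesg lines are constructed samples, and the Features2 bit values in them are made up.

```shell
#!/bin/sh
# Added example, not from the forum thread: check whether a FreeBSD/pfSense
# guest sees AES-NI after changing the Proxmox CPU type or flags.
#
# On the Proxmox host (CLI form of the GUI setting; syntax as recalled from
# qm(1), verify with `man qm` on your PVE version):
#   qm set <vmid> --cpu host              # pass all host CPU features through
#   qm set <vmid> --cpu kvm64,flags=+aes  # stay on kvm64 but expose AES-NI
#
# Inside the guest, FreeBSD prints the CPUID feature bits at boot; AESNI
# appears in the Features2=... list only when the instruction set is exposed.

# Read dmesg-style text on stdin; print "yes" if a Features2 line lists
# AESNI, "no" otherwise.
aesni_exposed() {
    found=no
    while IFS= read -r line; do
        case $line in
            *Features2=*AESNI*) found=yes ;;
        esac
    done
    echo "$found"
}

# Live check on the guest: dmesg.boot keeps the boot messages even after
# the kernel ring buffer has wrapped.
aesni_exposed_live() {
    aesni_exposed < /var/run/dmesg.boot
}

# Constructed sample boot lines (not captured from a real machine; the
# hex feature values are made up).
SAMPLE_HOST_TYPE='CPU: Intel(R) Xeon(R) CPU E3-1230 v5 @ 3.40GHz (3408.00-MHz K8-class CPU)
  Features2=0x7ffafbff<SSE3,PCLMULQDQ,SSSE3,FMA,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,AVX>'
SAMPLE_KVM64_PLAIN='CPU: Common KVM processor (3408.00-MHz K8-class CPU)
  Features2=0x80002001<SSE3,CX16,HV>'

# Demo when run directly: "yes" for the host-type sample, "no" for plain kvm64.
printf '%s\n' "$SAMPLE_HOST_TYPE" | aesni_exposed
printf '%s\n' "$SAMPLE_KVM64_PLAIN" | aesni_exposed
```

The flag only tells you the instruction set is visible; the practical confirmation is to run `openssl speed -evp aes-256-gcm` in the guest before and after the change and look at the throughput difference, which is what IPsec and OpenVPN benefit from.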
  • Social networks blocking

    0 Votes, 4 Posts, 466 Views
    NogBadTheBad: You could block Facebook using pfBlockerNG by creating an alias using the ASN for Facebook. YMMV with other social networks. Or maybe Snort with the openappid-social_networking.rules enabled. [image: 1604395622043-screenshot-2020-11-03-at-09.24.13.png]
  • New setup help

    0 Votes, 11 Posts, 796 Views
    @JKnott I was trying to agree with you... :)
  • HAPROXY with reverse https from LAN to LAN

    0 Votes, 3 Posts, 455 Views
    I don't think you should create 5 frontends just to access 1 backend webserver; instead you might point the 'internal' DNS to the same public IP where HAProxy is already listening? Or perhaps just point them all to the same LAN1 IP? Another option might be to create a 5th subnet with a 'virtual' IP alias 192.168.40.1/24 on the lo0 loopback interface to listen on. That might make your firewall rules a bit simpler.
  • Pfsense - Not Showing Any Logs 2.4.5-RELEASE-p1 (amd64)

    0 Votes, 4 Posts, 420 Views
    Hi, now it is working. The second reset has fixed the issue. Thanks.
  • mfiutil: mfi_open: No such file or directory

    0 Votes, 4 Posts, 733 Views
    stephenw10: It may simply not be compatible with that utility then.
  • 0 Votes, 12 Posts, 1k Views
    kiokoman: Yes, now you have an idea of what you need to do; maybe wait for someone with a Draytek that can tell you how to configure it. internet --- pppoe ----| ............... modem --- pfsense --- lan
  • Content Filtering and Tracking

    0 Votes, 2 Posts, 375 Views
    AKEGEC: @leadwolf31, Assalamu alaikum, Shalom, Namaste. Yes you can. I use pfSense CE (free) with IBM QRadar CE (free). I can even track the apps that intruders used. IBM QRadar [image: qradarce-dashboard.png] [image: pfsense-logactivity.png]
  • Public IP and WAN IP different

    0 Votes, 4 Posts, 1k Views
    johnpoz: Normally it is very difficult to have any unsolicited inbound traffic, unless your ISP has set up ports to be sent to your 100.64.x.x IP, or allows you to request them. It's pretty much the same as your IPs behind your NAT router not seeing inbound traffic unless you create a port forward on your router. If you have no need for inbound traffic - say you're not running a Plex server, or hosting httpd, or whatever - then you probably won't have any problems. But if you're wanting to, say, host some online games or something... Then yeah, it can be a problem. If you would like to, say, VPN into your home while you're on the road with your phone or laptop or something - then yeah, problematic for sure. Do you also have IPv6? If you have IPv6 you could leverage that for the services you want to host off your connection. The problem there is not everyone has IPv6, nor all locations. Say you're on some hotspot at a coffee shop or something and want to VPN to your home - the coffee shop might not have IPv6 for you to use. edit: upon looking I do see you connecting a few times with IPv6 to the forum. So I would assume you have it - but that could have been off your phone (not using wifi) or something? For example T-Mobile, at least in my region, has gone full IPv6 on their data connections. Your phone never gets an IPv4 address other than via wifi. When you want to talk to an IPv4 address you use a NAT64 gateway they have set up.
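The situation described in this reply and in the "Should the WAN_DHCP IP be the same as my Public IP?" thread above, as an added example that is not part of either thread: a small POSIX sh check that classifies the address pfSense holds on WAN, flags the RFC 6598 shared range (100.64.0.0/10) that carrier-grade NAT hands out, and states what that means for inbound services. The interface name `em0` and the `ifconfig.me` echo service in the usage comment are assumptions; all test addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the forum thread: classify the address pfSense got
# on WAN and compare it with the address the Internet sees for you, to tell a
# real public WAN from a carrier-NAT one. 100.64.0.0/10 is the shared address
# space of RFC 6598 that ISPs use for CGNAT; like RFC 1918 space it means a
# NAT upstream of you owns the public address, so unsolicited inbound traffic
# only arrives if that upstream forwards it.

# Print the category of an IPv4 address (or "ipv6" for an IPv6 literal).
ip_class() {
    case $1 in
        *:*) echo ipv6; return ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1               # split the dotted quad into $1..$4
    IFS=$oldifs
    a=$1; b=$2
    if [ "$a" = 10 ]; then echo rfc1918
    elif [ "$a" = 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo rfc1918
    elif [ "$a" = 192 ] && [ "$b" = 168 ]; then echo rfc1918
    elif [ "$a" = 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat
    elif [ "$a" = 127 ]; then echo loopback
    elif [ "$a" = 169 ] && [ "$b" = 254 ]; then echo link-local
    else echo public
    fi
}

# Given the WAN address and the externally observed address, print a
# one-word verdict followed by what it means for inbound services
# (port forwards, an OpenVPN server, game hosting).
inbound_verdict() {
    wan=$1; seen=$2
    cls=$(ip_class "$wan")
    if [ "$cls" = public ] && [ "$wan" = "$seen" ]; then
        echo "direct: WAN holds the public address; port forwards on pfSense are enough"
    elif [ "$cls" = cgnat ]; then
        echo "cgnat: WAN is in 100.64.0.0/10; inbound needs the ISP to forward ports, or use IPv6"
    elif [ "$cls" = rfc1918 ]; then
        echo "double-nat: WAN is RFC 1918 space; forward ports on the upstream router first"
    else
        echo "mismatch: WAN $wan ($cls) differs from observed $seen; look for a NAT upstream"
    fi
}

# Live use on pfSense (interface name and echo service are assumptions):
#   wan=$(ifconfig em0 | awk '/inet /{print $2}')
#   seen=$(curl -4 -s https://ifconfig.me)
#   inbound_verdict "$wan" "$seen"
```

The explicit range test matters because many address libraries treat 100.64.0.0/10 as neither private nor global, so a naive "is it private?" check reports a CGNAT address as public and sends you chasing a port-forward problem that is really on the ISP's side.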
  • Bug: PPP passwords (or what) need to match (I found the cause...)

    0 Votes, 6 Posts, 1k Views
    stephenw10: So you're basically saying Chrome is auto-filling hidden password fields, creating the input validation error? That should be fixed in 2.4.5p1 by this: https://redmine.pfsense.org/issues/9864 So, yeah, upgrade! Steve
  • Setting up Lan Ports

    0 Votes, 2 Posts, 320 Views
    stephenw10: There is a reason that bridging all your interfaces is not a one-checkbox type of setup in pfSense. Doing that is generally a bad idea! Bridging interfaces makes it behave somewhat like a switch, but it is not a switch, and if what you want there is a switch then you should just use a switch. Most SOHO routers that use that type of setup are in fact using a switch internally. Some of our own appliances have an internal switch and can also be used like that. That aside..... if you are going to the DHCP server setup and there is no tab for br0, it's because br0 isn't assigned with a static IPv4 subnet a DHCP server can be added to. I note also that guide does not mention changing the sysctls to filter on the bridge interface rather than its members, which most people would want for this sort of setup. See: https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html Steve
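The sysctls this reply refers to, as an added example that is not part of the post or of Netgate's documentation: a POSIX sh check of which interface pf filters on for a bridge. The tunable names and the pfil_member=0 / pfil_bridge=1 setting for filtering on the bridge interface are those in the linked Netgate page; the sysctl output lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the forum post: report where pf filters a
# FreeBSD/pfSense bridge, from the two tunables the post refers to.
#   net.link.bridge.pfil_member  filter on each member interface (default 1)
#   net.link.bridge.pfil_bridge  filter on the bridge interface  (default 1)
# With both at 1 a packet is evaluated on the member and on the bridge, so
# rules on the bridge interface alone are not enough. The linked Netgate doc's
# setup for filtering on the bridge is pfil_member=0, pfil_bridge=1, set
# under System > Advanced > System Tunables.

# Print the filtering mode for given pfil_bridge and pfil_member values.
bridge_filter_mode() {
    case "$1$2" in
        10) echo bridge-only ;;
        01) echo members-only ;;
        11) echo both ;;
        00) echo none ;;           # bridged frames bypass pf entirely
        *)  echo invalid; return 1 ;;
    esac
}

# Parse "name: value" lines, as printed by
#   sysctl net.link.bridge.pfil_bridge net.link.bridge.pfil_member
# on stdin, and print the resulting mode.
mode_from_sysctl_output() {
    b=; m=
    while IFS=' :' read -r name value; do
        case $name in
            net.link.bridge.pfil_bridge) b=$value ;;
            net.link.bridge.pfil_member) m=$value ;;
        esac
    done
    bridge_filter_mode "$b" "$m"
}

# Live check on the firewall itself.
bridge_filter_mode_live() {
    sysctl net.link.bridge.pfil_bridge net.link.bridge.pfil_member | mode_from_sysctl_output
}

# Constructed sample of the default state, which is what most "my bridge
# rules don't match" reports come down to.
SAMPLE_DEFAULTS='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1'

# Demo when run directly: prints "both" for the defaults.
printf '%s\n' "$SAMPLE_DEFAULTS" | mode_from_sysctl_output
```

Run `bridge_filter_mode_live` before writing rules on the bridge: if it reports `both`, traffic also has to pass the member interfaces' rules (default deny), which is the usual reason a pass rule on br0 appears to do nothing.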
  • pfSense using unreasonable amount of bandwidth while idle

    0 Votes, 106 Posts, 23k Views
    stephenw10: Mmm, weird. Thanks for following up though. Yeah, it would be good to know what it was, but that's probably not possible at this point. Steve
  • What is NRDM

    0 Votes, 11 Posts, 1k Views
    AKEGEC: @user2, I think you are overly worried, but then again that's your right. Anyway the IP address that you mentioned is related to these IP addresses:
    IPv4: 24.227.211.0/24, 64.17.0.0/20, 64.20.224.0/19, 64.20.224.0/20, 66.219.32.0/19, 96.47.208.0/20, 96.47.209.0/24, 192.188.253.0/24, 198.252.182.0/24, 208.67.240.0/21, 208.123.64.0/19, 208.123.73.0/24, 216.1.112.0/22
    IPv6: 2610:160::/32
  • understanding the importance of NAT ordering

    0 Votes, 2 Posts, 300 Views
    johnpoz: Here, this should help: https://docs.netgate.com/pfsense/en/latest/nat/process-order.html Outbound NATs are evaluated after the firewall rule... I think the confusion comes up when users think NAT is evaluated first, before firewall rules -- which is true in the case of port forwards or 1:1 NATs, etc. If you have a firewall rule that forces traffic out a gateway, the NAT will be evaluated after that, top down, looking for the NAT to apply to that traffic. But the decision for what interface to send it out of has already been made. So no, outbound NAT could not change what gateway that traffic would use.
  • How to change Gateway IP address?

    0 Votes, 5 Posts, 1k Views
    AKEGEC: @gregHANSford, I forgot to mention the third step: turn off your ISP modem for 10 sec. You will get a new gateway IP. Also you can always change your server host as Steve mentioned: VPN > OpenVPN > Clients > Edit > Server host or address. Change it to a different host from your VPN provider; with NordVPN it is a bit easier, just change the digits ch 167 to ch 134. This way you don't have to change your TLS key. [image: recommended-server@2x.webp] @Steve, it's true, but I did notice this trick worked; 6 out of 10 connections will use the same IP as the monitoring IP.
  • 502 Bad Gateway on 2.4.5p1

    1 Vote, 5 Posts, 2k Views
    I'd love a solution to this - I see it constantly on my lab SG-3100 - I have even pruned it back in terms of packages and it still does it :( Same scenario - usually I can SSH in and restart PHP-FPM, but other times I have to hard reboot the device. Not the result I was hoping for when testing an SG-3100 for use at clients :/
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.