@kirenpillay said in UPNP not detected across 2 private LAN interfaces:

more specific terms

"upnp" is pretty generic (common) indeed - half the planet seems to have a play box thus huge network problems.
But "avahi" is very, enormously unique. Throw this one in any search engines out there and you'll know what it is, does, why it exists. True, what is does is rocket science for the most common mortals, but you're not one them, these days are over. You've installed pfSense ^^

@diehard_02

Normally, I don't use IP block lists, as I don't need a tool that forbids me to go somewhere, if I don't want to go there in the first place.

But ok - let's install pfB_PRI1_v4 :

ee4fdc0a-9804-4b9c-abf9-62c0f0d171b6-image.png

and activate it so it block outbound connections :

80c4f7c2-b068-4e3d-b0bb-a86e8f85d987-image.png

After a Force reload :

c95b3e02-c7e7-4a0d-a9ba-5c0a53d8cb64-image.png

all is set up : I've now a floating rule that blocks all IPv4 addresses/networks that are in the list :

f1edc018-bb9d-48bf-a73a-1d7f49945496-image.png

Let's look at the list : https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

0f44c70c-ca51-43e2-ac92-88649fce2947-image.png

and take the very first IP (IP? not the network !) as an example :

I take a browser, and go to :

2e5e5021-d9de-41fb-9a5e-d17238d825ac-image.png

and sure enough, after some time :

44562a39-7245-4e82-ace1-76fc5d735744-image.png

The pfBlockerng alert tells me the same thing :

d45d24e7-30ac-41c5-b65b-702bf3f97a87-image.png

and under IP Block stats I see the same thing : my PC, 192.168.1.6, was blocked when it tried to access 1.10.16.1 :

53c6353f-7329-4e81-a73b-a7011738b82b-image.png

Ok, I add this IP to the white list of this feed :

Click on the black round +symbol :

f1d49b39-94b8-4b63-b71a-1c40fb03b205-image.png

You are probably asked if a whitelist should be created, and if you want to add a comment, etc.

Now I wind up on this page :

afcd7a72-afcf-4291-ad17-1021dc603c44-image.png

and at the bottom I can see that "10.16.10.1" was added.
Save this page.

When force reloading, I can see that I have the original feed, and the whitelist :

5a12009a-df70-4163-8d6c-3388f47584db-image.png

Sure enough, 10.16.10.1 wasn't a web server, so my browser, still can't connect to it, but this IP isn't blocked anymore.
When I visit it again, the IP block counter doesn't rise = the IP wasn't blocked by pfSense.

edit :

Just to be sure, as this is not a click contest, but we're still managing a firewall the old classic way :

bbb8e55d-8c3e-42e9-b44a-a1534e39b2bb-image.png

Check that the new Whitelist or permit rule is above the block rule.
My white list rule hs taken 'hits' :

ca77e322-0a9c-4ab9-b99e-4438cdec4368-image.png

which means that the rule (with just one IP in it) matched outgoing traffic : that was me trying to contact 10.16.10.1 with my browser.

@bigtfromaz you could maybe limit the outbound nat for only the device you would be coming from lan with. Like your pc... But yeah that works..

If you just add the route as persistent it should survive reboots, upgrades, etc. you shouldn't need a batch to kick off on startup.

I would normally allow ping as a way to validate connectivity..

@Stassz You didn't answer @Gertjan 's question...what version of pfSense are you running???

I figured it out - I should not put my authoritative server under the domain override section because unbound put it in a forward zone and expects a dns resolver. Instead, I switched to a stub zone under custom configuration, which requires an authoritative dns server and unbound will perform recursive lookup itself.

AFAIK pfsense doesn’t support this natively but there is a script that you can run using the cron package that works great for me.

https://forum.netgate.com/topic/137707/auto-update-check-checks-for-updates-to-base-system-packages-and-sends-email-alerts/3

For reference:
https://redmine.pfsense.org/issues/15618

@mkap218 said in Selectively blocking mDNS/Avahi:

It seems like I can't use firewall rules to block mDNS from reaching Avahi since there's no way to filter out individual destinations, right?

Yes, you can use a firewall rule to block inbound mDNS packets to the firewall, which would prevent Avahi on the firewall from seeing them. That would allow you to say that mDNS for host X on VLAN A is not seen on either VLAN B or C.

What you cannot do is to say that host X on VLAN A can be seen by hosts on VLAN B, but not by hosts on VLAN C. By extension, you cannot filter out "_printer._tcp.local" for host X on VLAN A from the advertisements for VLAN B but include it for the advertisements for VLAN C.

SOLVED

It was partly my fault.
When importing the .XML file it configures the Interfaces per default of my other main FW Hardware.
That HW uses different assignment identification than the Netgate, therefore I have mismatched the Interface IDs.

Expl.:
Current HW Interface assignment
Port1 WAN = PPPoE0
Port2 LAN = igb1
Port3 DMZ = igb0
Port4 ANP = igb2

Netgate Interface assignment
Port1 WAN = PPPoE0
Port2 LAN = igc2
Port3 opt1 = igc3
Port4 opt2 = igc0

For future ref. phpmailer is included in the mailreport package

@stephenw10 When you say, "It would be much easier if they can just route the /27 to you via the current WAN IP in the /29..." are you saying that the DC changes the gateway address to be the same for both the /27 and /29 here?

@JonathanLee , @waldo15a Ever since the updates to UPnP a few releases back I have always kept my Outbound NAT to Automatic. If I'm not mistaken, the issue with static ports is being handled correctly by UPnP since the updates.

And in my ACL entries, I only allow for a few necessary ports 3074-3076 and 28960-28964 required by most (all) games.

567c140c-bd6c-49d4-b816-10d354ce597c-image.png

@hspindel

Search the forums

https://forum.netgate.com/topic/38499/set-gateway-and-dns-in-shell

@xman111 said in Internet going down:

I was hoping for an easier way

Well, it's a way. Other might exist.
pfSense uses, as a WAN, an ordinary NIC, the same as your LAN, and other interfaces.
These stay 'up' as long as power is good. No reason an interface would be taken down.
That said, pfSense can take it down for a moment, as there is a process called dpinger that constantly pings a remote host, normally your upstream gateway,n or, as many people do : they chose '8.8.8.8'.
if the pings start to drop, pfSense detects a 'bad' connection, an can reset the WAN.
The moden, as it sees (feels ?) his LAN going down, can re initiate the upstream connection.

Thanks For Sharing Information.

@Gertjan one PPPoE connection for both IPv4 and IPv6. This is the configuration page:
38d93822-7c9c-4eec-868d-9508acf4566a-image.png

@Gertjan thanks, really helpful. Still I don't know why Netgate have not fixed this. Enabling DoT should just be that and not affect anything else.

Try checking the NAT type in each game on your Xbox, like in DayZ or Fallout. Sometimes the game shows a different NAT type than the Xbox settings. If it's showing strict or moderate NAT, that could be the problem.

@sheprador said in Is there a rule to tell pfSense: Allow traffic to the Internet from this interface?:

There is the possibility in pfSense to create a single rule in which I say: "everything that comes from the WiFiGuest Vlan can go to the Internet". (maybe a couple of rules if I have 2 WANs)

Yes !
It's the default rule you've found on the LAN interface when you installed pfSense.

Here are mine :

345324ba-6d5c-40cd-bb67-3ce1021d496c-image.png

Forget about the first rule, it's a NAT NUT rule, useful if you have an UPS.

The second and third rule could be combined into one, but I've split them in 2 so I can see direct "how much IPv4 and how much IPv4". As soon as the IPv4 counters stays at "0" for a while, I can remove and disable IPv4 everywhere ^^