Where are you testing from? Because I'm not seeing hits on any of those rules. The first thing I would do is re-verify that your access ports are in the correct VLAN.

Then, If you only want MUSTERI to access WDSPAYLASIM and nothing else, then remove everything you have and configure an explicit pass rule for:

Source = MUSTERI net
Destination = WDSPAYLASIM net

and be done. Everything else will get blocked by the implicit deny.

@JKnott - Thanks. I will check to be sure the coax is still grounded and that my modem power supply hasn't gone wonky.

@stephenw10 said in how to access a dmz servers from LAN?:

Er I think there's some confusion here

Yeah for sure!!!! Whoever put up that drawing has ZERO!!! understanding of how networking works.. if that is some teacher??? Then just shoot me!!! Our future is failed - we should just give up..

I really do not get how that could be any sort of class - there is zero possible how that someone that is a teacher of networking could put up such a drawing.. If so we are just failed!!!! WTF????

Really - if someone put that up as some sort of test, other than what is F'ing wrong with this drawing... We are all is serious trouble for the future!!!

Assign the parent NIC as a new interface. Enable it, spoof the MAC, leave the IP types set as none.

@johnpoz Thanks for answering. Just a couple of minutes ago I checked with my ISP and it seems they have an option to request unlocking this port. I didn't expect this, as in the past they blocked only port 25. I expect it was this after all.

What would of been creating a source port 0 traffic? That is borked!

I think maybe you would have better discussion in your native language section..

Proxy is just an application/service just like any other be it dhcp, dns, ssh, httpd... it listens on an IP, and then does something with something that talks to it on the port its listening on.. Proxy normally listens on 3128... So client can directly send traffic to the proxy.

Or you can do transparent mode where firewall listens for traffic on say port 80, and then sends it to the proxy port..

Pfsense is not a hardware firewall/router running a very limited IOS sort of OS, like a cisco or juniper or something... It is customized version of freebsd OS, to be easy to use/manage firewall/router - and yes is can provide other services like IDS, dns, dhcp, Proxy, etc.

Editing the config is what I would do there. But I have edited a large number of configs as you might imagine. 😉

You need to include the <switches> and <vlans> sections from the 1100 config in the imported 4860 config as well as renaming the interfaces.

Steve

Set up a site-to-site OpenVPN connection.

Assign the interfaces so that you get reply-to and route-to fucntionality.

Make sure firewall rules that pass the traffic are on the assigned interfaces and NOT on the main OpenVPN tab. If it's passed on the main tab it does not get tagged reply-to.

Add the port forward on the WAN at site A to the LAN IP at site B.

High-5 whoever might be next to you! 😉

Steve

@stephenw10 currently I only have a need for one public ip at the moment. I honestly don’t foresee needing other workstations on my network to have public IP addresses.

The config is different? Or are you actually restoring the config onto both machines?

I would bet it's different.

Steve

You probably need some include files there for the functions involved.

Because it was only introduced in 2.4.4p3. It will be fixed in the next release.

Steve

It logs those by default so if you're not seeing blocked traffic it's probably not being blocked.

Run a pcap on the LAN side then to make sure those packets are leaving going back toward the phone.

Steve

I would just use loopback/localhost for binding unbounds outgoing interface... This way it uses whatever is the default gateway out of pfsense..

This way you don't have to worry about unbound not being able to bind to an interface that might be down

@Jpub, Windows update uses a list of well known domain names, easily found by searching for it, however, what you want and how pfSense works are not quite an exact fit.
pfSense provides layer 3 firewalling capabilities, which means by IP and port only. A URL is a wholly different beast as the IP isn't immediately known, only the name, and based on your initial question, you know that some of the URLs contain wildcards, eg: *.update.microsoft.com, meaning Microsoft is free to put anything in place of the *.
To further complicate matters, many of these URLs resolve to CNAMES which in turn resolve to Akamai's IP addresses, so trying to block / allow by IP will also affect other traffic that coincidentally is also hosted on the same Akamai infrastructure.

There are a couple of ways you could address this issue:

Use a proxy server; in this case the proxy server actually sees the URL so access control can be applied on the URL's name as opposed to its IP address. The firewall can be configured to allow the proxy server out, but not the workstations, thus forcing the traffic through the proxy server.
Caveat: Not all software plays nice with a proxy server.

Use a WSUS server; in this case a system is dedicated to downloading the windows updates and making them available to the local machines. In this case, the firewall can be configured to allow the WSUS server access out while maintaining a more strict access policy toward the Internet.

Sure, create 2 gateway groups.
1st one WAN1 TIER 1 and WAN2 TIER2
2nd one WAN2 TIER 1 AND WAN1 TIER2

Assign as default gateway in the advanced options of the firewall rule.
vlan 1 gatewaygroup 1st
vlan2 gatewaygroup 2nd

Could you please share the solution that solved your issue?
I'm having the same problem right now with a server that was running ESXi before.

EDIT: sorry, I missed the first line :) No ntopng on my pfsense so it must be something else...

I'm getting the data into Splunk but am having a rather difficult time getting fields set, Emerging Threats have been easy to create a regex for using the wizard but the Snort alerts have been throwing a monkeywrench into that by there being an additional, duplicate field in the "Snort Alerts"
https://imgur.com/a/yV0kjbL

You may need to use that Ubiquiti system...pfSense is a firewall, not a payment system is my thinking; however, please wait for others, especially seasoned gurus, to respond.