• Pfsense Multiple Layers

    3
    0 Votes
    3 Posts
    730 Views
    stephenw10S

    That should not apply in this situation as 172.16.0.1 is the internal IP of the outer firewall so, presumably, does not have a gateway and hence also wouldn't have those rules.
    It doesn't apply to the inner firewall as that is outbound traffic from a device on the 192.168.9.X subnet which is always allowed.

    I assume you are NATing the outbound traffic in the inner firewall, the default configuration?

    I would run a packet capture first on the WAN interface of the inner firewall. Filter by host IP 172.16.0.1 and try to access the outer firewall from a client on the 192.168.9.X subnet.

    If you see traffic there try the same thing on the outer firewall LAN interface.

    Either the outer firewall is blocking that traffic deliberately or it has some routing problem that means it cannot reply. For example perhaps that traffic is not being NAT'd for some reason so it has no route back to 192.168.9.X. The packet cap should show what's happening.

    Steve

  • Questions about using pfsense to restrict internet content for my kids

    27
    0 Votes
    27 Posts
    5k Views
    A

    @steve973 said in Questions about using pfsense to restrict internet content for my kids:

    @akuma1x The family shield servers.

    Ok, since it's the family shield servers, you can set the kids VLAN to use a DHCP server, and then use the Family Shield DNS servers as the main DNS for that subnet/network. That will lock it up pretty good. That's how I set it at my house, with the kid network.

    Jeff

  • PFSENSE randomly blocking ports....

    23
    0 Votes
    23 Posts
    2k Views
    stephenw10S

    Mmm, it's OpenVPN; it should just route between the ends like any other subnet.

    The only possible way I could see that doing anything is if you have NAT reflection enabled (on that rule or globally) and the printer is trying to hit port 587 on the public WAN IP.
    In that situation it would be reflected back to the mail server over the tunnel. But that would be a misconfiguration on the printer.

    Steve

  • Issues with RDP over IKEV2 VPN

    5
    0 Votes
    5 Posts
    858 Views
    R

    Well, I have some interesting things happening with my routing that I can't explain. I will have to come up with a diagram to show the design and routes to explain the issue.

  • XG-7100 1U - questions about pfSense functionality and set up

    9
    0 Votes
    9 Posts
    648 Views
    stephenw10S

    You can see what can be done in that video hangout at this point:
    https://youtu.be/xm_wEezrWf4?t=935

    If you were set to splice whitelist and bump everything else I would expect any https not in the whitelist to fail unless you have installed the Squid CA on all the clients.

    Steve

  • Traffic Graph does not show IP's...

    9
    0 Votes
    9 Posts
    1k Views
    KOMK

    @kartoff Sure, if you can reproduce the problem.

  • 80/tcp open http, 21

    4
    0 Votes
    4 Posts
    298 Views
    stephenw10S

    The public IP is assigned to a client inside the firewall? On an internal interface?

    Are you passing that traffic to it?

    If you have allow rules on WAN and enable logging on those rules you will see traffic passed in the firewall log.

    There is nothing in pfSense that ever listens on port 110 so either that traffic is being forwarded to something else or you are testing against something else accidentally.

    A diagram of how you're testing might help here.

    Steve

  • site-to-site question

    9
    0 Votes
    9 Posts
    777 Views
    stephenw10S

    The first thing to do here is make sure you actually need one single layer 2. If a smart TV and media server is indeed what you're using, make sure that you can't just enter the IP address directly in the TV. Some can and that would allow you to have two subnets and route between them, which would be better for everything else.

    Using 1:1 NAT would allow you to keep the same subnet at each end but still route. But the subnets would 'appear' to be different to clients at each end so the auto discover scenario would still fail.

    Otherwise you would need to run a single subnet and TAP connection between the sites.

    Steve

  • Set up simple http routes to call bash command

    13
    0 Votes
    13 Posts
    967 Views
    N

    Where I come from, there is a difference between "insecure" and "potentially less secure"!
    If someone (magically) exploited this, he would get access to my network anyway, no matter if I run this on my PC, NAS or pfSense device. At least the pfSense device doesn't hold any data that I would consider sensitive.
    Anyway... I think this is going nowhere. I appreciate your concern, but I don't see anyone exploiting this.

  • Unrecoverable machine check exception

    11
    0 Votes
    11 Posts
    2k Views
    M

    Edit:
    I replaced the Dell Optiplex 790 completely with a known good one and got the same crashes, same error message to the letter. The only piece of hardware that was the same was an Intel Pro 1000 NIC. After replacing the NIC the issue is no longer present.

    I was incorrect in believing this issue was related to PFSense. PFSense assisted me in discovering bad hardware as did Jimp.

    MCA: Bank 3, Status 0xfe00000000800400
    MCA: Global Cap 0x0000000000000c09, Status 0x0000000000000004
    MCA: Vendor "GenuineIntel", ID 0x206a7, APIC ID 0
    MCA: CPU 0 UNCOR PCC OVER internal timer error
    MCA: Address 0x3fff805ea790
    MCA: Misc 0x3ffff
    panic: Unrecoverable machine check exception
    cpuid = 0
    KDB: enter: panic

  • routing between two subnets

    5
    0 Votes
    5 Posts
    1k Views
    stephenw10S

    You would normally have both private subnets as internal interfaces on pfSense but here you have pfSense inside your network presumably behind some other router for some reason.

    Check for blocked traffic when you're using RDP in the firewall log.

    Do you have the WAN firewall rules open for all the appropriate ports and destination?

    Steve

  • How to bypass proxy for specific domain (not transparent proxy)

    1
    0 Votes
    1 Posts
    171 Views
    No one has replied

  • How to install pfsense with usb

    7
    0 Votes
    7 Posts
    11k Views
    stephenw10S

    Single user mode gets you to a shell prompt with far fewer things running/loaded/mounted. So if you have an issue with some component you might be able to boot single user mode when the normal boot fails.
    Are you able to boot to the prompt by pressing 2 at that menu?

    Usually it boots the default selection, which is 1, after a few seconds there. You should not have to press anything to boot normally.

    Steve

  • What do you use for Remote Monitoring?

    2
    0 Votes
    2 Posts
    438 Views
    KOMK

    Zabbix. There are several agents in the repository.

  • SG-3100 on 2.4.4 Rebooting every day at almost same time.

    17
    0 Votes
    17 Posts
    2k Views
    B

    @bmeeks This was after the crash but before a restart. However, it was only running for a few minutes before I triggered the crash again. For clarity, I just triggered it again. The logs are the same. The last logs were about 30 minutes ago (the exact same as I submitted above), then I triggered the crash. Nothing new was recorded in that log file at the time of the crash.

    When blocking is disabled, the crashes seem to never happen and I can't seem to trigger it.

  • I can't ping my firewall pfsense wan card

    7
    0 Votes
    7 Posts
    332 Views
    M

    Thank you stephenw
    I solved my problem
    I didn't specify the upstream gateway on the wan interface

  • pfSense NTP Fluctuating Offset

    5
    0 Votes
    5 Posts
    2k Views
    stephenw10S

    Mmm, I agree it seems odd. Have you been able to test it in FreeBSD directly?

    If it is something we are doing in pfSense we could dig into it but if it's something FreeBSD does it would need to be reported upstream really.

    Steve

  • IPTV IGMP Proxy - Working but stuttering

    1
    0 Votes
    1 Posts
    689 Views
    No one has replied

  • Wan okay no lan

    5
    0 Votes
    5 Posts
    567 Views
    T

    Yes, from the same subnet, and the register DHCP option was also ticked. The only way I could get it working was to use the DNS Forwarder and add 127.0.0.1 as the 1st DNS entry followed by an external DNS entry?

  • Sata Legacy vs AHCI vs Raid 0 for pfsense?

    2
    0 Votes
    2 Posts
    700 Views
    stephenw10S

    I would choose AHCI there if you're going to use a ZFS mirror.

    The hardware RAID controller may or may not be supported but they do relatively often give problems. I would avoid that and use a ZFS mirror instead if you can.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.