@Stefan-Milev Bridging is complex and usually slower than a switch. You'd probably be better off just moving it into LAN if that was your goal. Connecting from LAN to a device on another interface is typically not difficult. Off the top of my head: subnet mask correct pfSense is the gateway on both devices no other route between the devices firewall on the server allows connections from the other subnet pfSense LAN allows connection to the other network (it allows to any by default)

@mcury THANK YOU SO MUCH FOR THIS, it solved my issue.

One more item is that I have an interface group called all_interfaces, and have assigned all my interfaces into that group. All my rules are under that interfaces group. Is that why netflow is only showing sync?

@MtMt Also remember, that access to the RDP server is not allowed from outside of the subnet by default in Windows. You have to configure its firewall accordingly.

@jsseb said in PHP Fatal error: .. but they have been in place since day one. For what it's worth : I'm seeing the same thing : [image: 1759300409504-92aa08e1-c0a0-46cf-b8e6-884b5af6d3c4-image.png] which looks like a floating number, but isn't ... I've 16 of them. Using 25.07.1 for weeks now. So, whatever the issue was, this wasn't it.

I use pfblocker for alias management.. While I do have some other just native aliases. I use pfblocker functionality to manage more complex lists. Example - here is my scan deny alias, which contains some asn's and lists from different locations that scan for open ports like shodan, etc.. [image: 1759247068669-scandeny.jpg] And use another list for stuff that need to allow, that might be blocked by list like scan deny - this list contains country based IP lists, and other lists provided by services like plex and monitoring to know if service is up, etc. Which I use to alert me if something goes down. [image: 1759246930777-allow.jpg] I don't really use any of the other features of pfblocker - but I do love its easy management of just native aliases. You can also easy add just 1 off networks/ips etc.. to your alias you create in the bottom custom section [image: 1759247195644-custom.jpg] When bored or whatever I take a look at my firewall log - and notice something scanning but not in my scan deny list, I will look up the details and normally block the whole netblock, etc.

@Gertjan if I run this little bit of php: $file = 'test.txt'; file_put_contents($file, "BLOCK ANY | No internet via this device". PHP_EOL, FILE_APPEND); The piped text is appended just fine to my testfile, so I think the script crash is more related to the code printing the contents of the filter_reload_status file.

@revengineer the trick is to figure out where it is coming from. Not sure how to figure out what could of created it. But would assume if it labeled it gateway monitoring - that has to come from somewhere. It could be a bug that creates a block vs what I would think a better idea of an allow rule, to make sure you could always ping what your wanting to monitor.. But it doesn't make a lot of sense to be honest, since there is already a hidden rule that allows pfsense itself to do whatever it wants outbound. Which is where the monitoring would come from - ie dpinger. # let out anything from the firewall host itself and decrypted IPsec traffic pass out inet all keep state allow-opts ridentifier 1000016215 label "let out anything IPv4 from firewall host itself" pass out inet6 all keep state allow-opts ridentifier 1000016216 label "let out anything IPv6 from firewall host itself" Other thing about the rule that you posted that is odd - is why would it be logged? Have you looked in /tmp/rules.debug - this is a full listing of the rules, and shows the rules pfsense creates on its own that are hidden, like when you enable dhcp server, hidden rules are created on the interface you enable dhcp on so it is sure to work, etc.

@patient0 Hi! Arris and pre-WAN pfSense are set up for the same IP range on their LANs (but of course they're not connected to my main pfSense simultaneously) and my other networks differ -- there is no IP conflict

@aaronouthier To properly support cell phones and devices tethered to them, you should try to set up your PBX to use IPv6, if possible. 4G & 5G phones are IPv6 only and use a translation protocol to send IPv4 over IPv6 networks. Android phones use 464XLAT. I don't know what iPhones use. There's no need for NAT with IPv6.

@louis2 said in Big issues related to Firewall logging.: ... of that a hell of a lot IGMP messages are generated by that rule Overlooked that on. That's a ... euh .. new ;) Since 24.0x or so. Suddenly, IGMP gets logged on rules that don't log. This forum talks (a lot) about it, an what you can do against it.

@SteveITS Thanks I finally go it resolved! It sure would be nice to have a search box on the dashboard ;)

Dude.... I feel dumb. There's a "Remove Shaper" button RIGHT THERE! :-) Clicked it, rebooted and so far the error has not returned to my notifications area. I don't expect it to either, since all the lines about queues are gone from /tmp/rules.debug. Glad I came here. Thanks for hand-holding me along, @SteveITS.

…and for a couple years, give or take, MaxMind has required the additional field/info to update so the geoIP data probably isn’t updating.

@DouggaDit said in pfSense blocking all DNS: The firewall is simply unstable. Integrated network aliases don't function. The firewall simply doesn't work. Rules to allow all on specific ports appear to be the only type of rule that work consistently. Attempting to narrow the 'allow' to specific ip addresses or networks fail. User defined and system defined interface-related aliases don't function. This forum is not a good use of my time. I assume the silence is simply bait to get people to switch to paid support. Safe to file this one under did-a-derp-and-kept-digging.

Fyi, I had previously opened a ticket with the website administrators but have had no reply... until today, after I started this chat. So... they just told me that they're already aware of the issue and it probably has to do with the recaptcha quotas. This website is used by many people so, they probably will have to upgrade the plan. I'm sorry to have taken your time on this, and thank you for that.