• Nat stop working after certificate renewal

    11
    0 Votes
    11 Posts
    197 Views
    N
    @johnpoz THANKS for the detailed response. My router forwards it to another router that forwards it to a web server. I do not see the traffic in the internal router; I see the rule on the external router that says it blocks the traffic, so I do not think it passed the firewall. Agreed, I do not understand why I see access denied. I used Edge and Chrome (on Windows, and Chrome on an Android phone). I do have pfBlockerNG on, but I don't think it's involved; it is blocking mainly other countries.
  • DNS query fails when it failovers

    8
    0 Votes
    8 Posts
    128 Views
    S
    @eeebbune System > Routing > Gateways has a column for Monitoring IP. It defaults to the WAN gateway. If you change it to another IP like 8.8.8.8, then a static route is created for 8.8.8.8 to only use that WAN (see Diagnostics > Routes). If that WAN is down, then you can't get to 8.8.8.8, because if pfSense could get to it, then it wouldn't know that WAN was down.
  • Firewall rules blocking on interface stopped working

    3
    0 Votes
    3 Posts
    127 Views
    S
    @SteveITS They were not existing connections. In fact, the tablets involved were just powered on and connected to the existing WiFi network with the existing firewall rules. It is just that the rules had mysteriously vanished (or anyhow that is exactly how it behaved).
  • I can't delete settings after a recovery

    5
    0 Votes
    5 Posts
    44 Views
    jlwardJ
    Figured it out. It looks like HAProxy is not letting me edit some system settings, as when I log in with the IP address all works as it should. Could it be my certificates?
  • IGMP IPV4 endless log-messages / rules not working :(

    22
    0 Votes
    22 Posts
    2k Views
    dennypageD
    @luckman212 said in IGMP IPV4 endless log-messages / rules not working :(: I assume Local is an interface group you created? Yes, sorry I didn't point that out. Yes, I use a "Local" group for controlling a bunch of stuff such as ICMP, IGMP, DNS, NTP, etc. Btw, yes you are correct IGMP is only used for IPv4. It's a habit I guess (and a poor one at that) that I casually choose IPv4/IPv6. For IPv6, ICMP/MLD is what is actually used, but I believe a rule for this is not necessary because the MLD packets do not have the router alert bit set (at least on my Cisco switches, YMMV).
  • Filtering incoming traffic based on IP address and URL

    11
    0 Votes
    11 Posts
    2k Views
    J
    To filter incoming traffic by IP and URL on pfSense, use firewall rules for IP blocking and a proxy or web filter (like Squid) for URL control. pfSense handles IP filtering natively, but URL filtering requires extra tools. For consistent outbound IPs, useful in more complex setups, you can check here. LightningProxies offers IPv6 proxies with 2× /29 subnet pools, unlimited bandwidth and threads, HTTP/SOCKS5 support, sticky or rotating sessions, IP whitelisting, and global coverage.
  • PHP Error in 25.07

    5
    0 Votes
    5 Posts
    224 Views
    andrzejlsA
    I thought that issue was resolved, but I just started to get the same error:

    ```
    [15-Aug-2025 07:21:41 US/Eastern] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
    [15-Aug-2025 07:21:50 US/Eastern] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
    ```

    Note: pfSense is set to Python mode in DNS/pfBlocker.
  • Outbound ping blocked

    11
    0 Votes
    11 Posts
    392 Views
    R
    @johnpoz Thank you for the hints. I used the command pfctl -sa to grab the complete rule set. There are currently no block rules for ICMP traffic, and the label "gateway monitoring" cannot be found. So the reboot must have cleared this rule, which seems to imply that it gets dynamically generated. The next time this issue reoccurs, I will try the above command again to verify that the blocking rule is in the listing. Indeed, I use the Cloudflare IPv6 DNS server address to verify that the IPv6 gateway is up. My internet provider (Xfinity in the US) changed their network early this year, and since then their IPv6 gateways are not pingable anymore. So I had to choose another address based on a recommendation from someone in a previous thread on this message board. I do not have much experience with IPv6 either. I just set up the gateway because the internet provider is assigning both IPv4 and IPv6 addresses. If I were not a little OCD, I would perhaps ignore it. But understanding the issue would be useful for my education.
  • After upgrading to 25.07 (6100) Strange empty firewall rules blocking UDP / no port

    0 Votes
    5 Posts
    207 Views
    C
    @Bob.Dig said in After upgrading to 25.07 (6100) Strange empty firewall rules blocking UDP / no port: @conover Probably the same way you do it for "the new" IGMP logs: you create a block rule if this should be blocked (it is blocked right now) and make it no-log. Good point, thanks (wasn't aware of the new "IGMP rules"). But the log for the blocked rules does not say for which UDP port(s) the blocking is.
  • Change in IPv6 NAT port forwarding behaviour in 25.07 versus 24.11

    4
    0 Votes
    4 Posts
    175 Views
    Bob.DigB
    @ChrisJenk It doesn't make much sense to me what you(?) wrote in the start post. So I am with @JKnott on this one, better do it right in the first place before others have to explain to you how to do it "the old way".
  • Blocked internet but it's still "Kind of" working

    20
    0 Votes
    20 Posts
    527 Views
    C
    @pwood999 I will keep this advice in my parenting notepad and apply it in a couple of years. I like it!
  • Traffic blocked by default deny rule (1000000103) after Starlink reboots.

    1
    0 Votes
    1 Posts
    112 Views
    No one has replied
  • DHCP over filtering bridge stopped working after upgrade to 2.8.0

    bridging
    1
    0 Votes
    1 Posts
    32 Views
    No one has replied
  • FW allowing traffic without rule

    1
    0 Votes
    1 Posts
    97 Views
    No one has replied
  • Is it possible to show the content/ip of a host alias?

    7
    0 Votes
    7 Posts
    257 Views
    S
    @SteveITS Yes, it looks like it, but I have actual filterdns log entries in my log.
  • LDAPS 636 problems with pfsense

    10
    0 Votes
    10 Posts
    240 Views
    P
    @mcury I changed back to 389 and have the same problem now: BIND failed, connection OK. I have configured 60-70 pfSense boxes without any problem in LDAPS. I have Windows Server 2025 and also disabled LDAP required signing.
  • Rules to make Spotify happy?

    7
    0 Votes
    7 Posts
    677 Views
    S
    Thanks, that’s really useful! :) I’ve tried using aliases a few times before, but I’ll make an effort to use them more often. Just set one up for Spotify Premium https://seruapk.com/spotify/ now... :)
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    14 Views
    No one has replied
  • Interfaces disappeared in firewall rules

    10
    0 Votes
    10 Posts
    326 Views
    johnpozJ
    @GeorgeCZ58 Looks like a feature to me. Once you reach so many interfaces/rows of them in the GUI, it's better to switch over to a drop-down.
  • Some traffic between VLANs blocked after upgrade to 2.8.0/1

    9
    0 Votes
    9 Posts
    275 Views
    johnpozJ
    @Fredish Well, where I would look is that rule @39 you didn't create. So if I look in my rules, I don't show that specific number, but for the same rid I see this rule. I am not using floating states.

    ```
    [24.11-RELEASE][admin@sg4860.home.arpa]/var/etc: cat /tmp/rules.debug | grep 1000003570
    antispoof for $WLAN ridentifier 1000003570
    ```

    If I then track that down with pfctl -vvsr, I find rules like this. Here are some for VLANs:

    ```
    @98 block drop in on ! igb2.4 inet from 192.168.4.0/24 to any ridentifier 1000007770
    @104 block drop in on ! igb2.6 inet from 192.168.6.0/24 to any ridentifier 1000008820
    @110 block drop in on ! igb4.1011 inet from 10.1.1.0/24 to any ridentifier 1000009870
    ```

    Which are exactly like the rule you showed your traffic matching on, with the ! (not) statement and the network on that VLAN. Here is the one for the rule that matches the same rid as yours:

    ```
    @81 block drop in on ! igb2 inet from 192.168.2.0/24 to any ridentifier 1000003570
    ```

    So from what you posted, like I said before, you have source traffic hitting your VLAN 20 interface that is not from the 10.1.20 network. In correctly isolated VLANs this should never be possible. Could be an issue with a multihomed device sending its return traffic out a different interface. Could be a tagging issue in your switching infrastructure, be that physical switching or virtual switches/port groups, etc. But normally it should not be possible for some different source IP to be inbound into a pfSense interface on a different network. With floating states pfSense is allowing this, when to be honest it shouldn't really, unless for some reason, as they mention, you have an asymmetrical setup because you have to for some reason?? The only time you should see different source IPs on an interface would be on a transit/connector network that you are routing downstream networks through. So I would look there: why is that traffic hitting your em0.20 interface when the source IP is not in the 10.1.20 network?
    If I were to guess, I would assume something wrong in your virtual switching setup where tags are not being handled correctly.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.