@Gertjan thanks for the reply!

@Bob-Dig does make a good point. The "I have a problem" posts related to filterdns have decreased quite a bit since the big update in 2022.

You don't state the pfSense version you are running in your post. Are you on the latest 2.7.2 CE version or do you have pfSense Plus 24.11? Judging from the decrease in posts about FQDN resolution, the newest pfSense versions with the updated filterdns daemon seem to be working better.

Solved! I had missed the "allow IP" function for IPV4 traffic as well as the standalone IGMP rule. As soon as i enabled that it worked straight away!

@mvhcr its not a bad little switch for price and size.. But after playing with it couple years back I think I couldn't find a use in my network. So just threw it on the shelf and figured hey never know when a poe powered capable with vlan support switch might come in handy ;)

Then awhile back I noticed in my sg300-10 logs an interface bouncing on reg basis, it was only for a couple of seconds.. And I wasn't really noticing any issues with viewing my camera feeds directly, etc.

But then dawned on me - hey that nvr is prob doing something trying to get poe working because it really expects a poe camera to be on the port.. So I put the little mini between with it being powered by the nvr and all the resets on the interface went away on my sg300 and now sending 1000s of pings never lost one, before I was loosing a couple of pings every minute or 2, etc.

But yeah unifi has changed some things over the last couple of years on how you do a "trunk" port.. Not really a fan of how they do switching.. Which was another reason I really didn't feel a need to incorporate that flex mini into my network.

And you can't really do just specific vlans - its all or nothing. I believe on some of their higher end switches you can customize what vlans are allowed over the trunk - see that custom in my above pic - which is greyed out on the mini.

I might try and leave the mini in my controller - but have to figure out how to get it to get an IP from the vlan my controller is on vs the nvr dhcp server.. Curious if I set it to static if that will survive a power cycle - then I could remove the usb power and just leave it poe powered ;)

@securvark said in Fields for IPv6 logging entries:

IPv6 ICMP
regular expression: ^filterlog:\s+.,(in|out),6,.,ICMPv6,.*$

RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,Protocol,ProtocolID,Length,SourceIP,DestIP,UnknownFld

Sorry for replying to an old thread - but I found this useful just now when setting up my Graylog extractors.

I did spot an error - pointing it out in case someone else comes across this post in the future.

IPv6 ICMP should be:

RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,Class,FlowLabel,HopLimit,Protocol,ProtocolID,Length,SourceIP,DestIP,UnknownFld

Here is an example log entry from a ping6 through the firewall (with the IPv6 addresses obfuscated for my privacy):

197,,,1657748622,igb1,match,pass,in,6,0x00,0x50900,55,ICMPv6,58,64,ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,eeee:eeee:eeee:eeee:eeee:eeee:eeee:eeee,

@johnpoz super!
you helped my a lot.I will have a look to pfblocker and I check the alias again.

Thanks for help!
Stefan

@flat4 said in Why PfSense blocks sites on computers put Not on cell phones?:

turn on airplane mode

Which turns off all the radios : bleutooth, Wifi, Cell, NFC etc etc.
Wouldn't that block everything ?

@cobca said in Why PfSense blocks sites on computers put Not on cell phones?:

blocks sites on computers put Not on cell phones?

Easy to check.
Select the SSID you connected to. You'll find your IP, the gateway (pfSense) and ..... (roll the drumes) : the DNS used. If its not pfSense, that it isn't using pfSense, so pfBlocker never 'sees' these request.
And be aware : programs, like browers on computers and cell phones can use the system's DNS (the one you just saw) or use their OWN DNS settings. So : check these to ^^

@maltepk
You didn't even add a rule to allow this?
pfSense is a firewall! 🙄

@bars0um It’s a bad one yeah, but there was a patch via System Patches IIRC, and a few releases since then.

@youngy said in NTP: a Windows PC can't get time from pfSense. Other devices are okay.:

Lesson learnt.

I would prob actually validate time sync is going to where you want, either directly pointing to pfsense which is always prob the best idea vs redirect. And working, or via your redirect.

I had some stupid iot devices (wifi light bulbs) that were pointing to pool address, not even in my country.. had some using uk.pool.ntp.org, which makes zero sense because they were bought in the states.. Someone messed up and didn't alter the code for regions they were going to be sold, etc..

So I just set a host override to point uk.pool.ntp.org to my ntp server.

A sniff (packet capture) for ntp will give great info that clients who clients are asking, and if being redirected, etc. you should see the client query and then response.

@JustinSims Here is the bug report.

https://redmine.pfsense.org/issues/15924

Guys, just go check out ADAM:one from the adam networks team. Install it on your pfsense box, and take control of your network, with full l2 visibility to each endpoint. You can have a default deny all policy for new devices (MACs) and you can also just not allow random macs, although this can be done natively in pfsense. If people spoof a mac, they will just be an unknown device, with no access to what they shouldnt have.

go read this article, the guy who founded adam networks replies to the thread at the end.
https://forums.lawrencesystems.com/t/convert-pfsense-into-l7-fw-adam-networks/19226

@kilasin said in Cannot Open Ports:

i live in the woods pretty much so no other choice with Starlink

They got you covered 😊
.... and use the same approach as many ISP did in the past.
You want a WAN IP that you can reach from the Internet, so you can NAT addresses and ports.
As IPv4 is a very expensive resource these days, your wallet will be the solution.

Look here :

starlink static WAN IP ?

A little bit lower on the page I saw :

dff9dab2-6cd5-4b02-8288-ebddff655cb8-image.png

So ... go "Business" would be a solution....

@Gertjan said in Unknown connection:

You use a pfSense. You're good.
No traffic (that you don't want to) can come into WAN, whatever the source is. So, RFC1918, or something else, you don't care.

Yea, I'm in love with pfSense, are you?

@SteveITS @kiokoman Just wanted to thank you for all of your help. Everything is working as planned and I have a better understanding of how this works and how to troubleshoot. I am sure we will cross paths again and look forward to future insights.