• PHP Error in 25.07

    0 Votes
    5 Posts
    105 Views
    andrzejls
    I thought that issue was resolved, but I just started to get the same error:
    ```
    [15-Aug-2025 07:21:41 US/Eastern] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
    [15-Aug-2025 07:21:50 US/Eastern] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
    ```
    Note: pfSense is set to Python mode in DNS/pfBlocker.
  • Outbound ping blocked

    0 Votes
    11 Posts
    264 Views
    R
    @johnpoz Thank you for the hints. I used the command pfctl -sa to grab the complete rule set. There are currently no block rules for ICMP traffic, and the label "gateway monitoring" cannot be found. So the reboot must have cleared this rule, which seems to imply that it gets dynamically generated. The next time this issue reoccurs, I will try the above command again to verify that the blocking rule is in the listing. Indeed, I use the Cloudflare IPv6 DNS server address to verify that the IPv6 gateway is up. My internet provider (Xfinity in the US) changed their network early this year, and since then, their IPv6 gateways are not pingable anymore. So I had to choose another address based on a recommendation from someone in a previous thread on this message board. I do not have much experience with IPv6 either. I just set up the gateway because the internet provider is assigning both IPv4 and IPv6 addresses. If I were not a little OCD, I would perhaps ignore it. But understanding the issue would be useful for my education.
  • Filtering incoming traffic based on IP address and URL

    0 Votes
    10 Posts
    1k Views
    P
    Could you simply put the API service on a different port from the public HTTPS, and then filter by source IP and destination port?
  • 0 Votes
    5 Posts
    82 Views
    C
    @Bob.Dig said in After upgrading to 25.07 (6100) Strange empty firewall rules blocking UDP / no port:
    > @conover Probably the same way you do it for "the new" IGMP logs, you create a block rule if this should be blocked, it is blocked right now, and make it no-log.

    Good point - thanks (wasn't aware of the new "IGMP rules"). But the log for the blocked rules does not say for which UDP port(s) the blocking is.
  • Change in IPv6 NAT port forwarding behaviour in 25.07 versus 24.11

    0 Votes
    4 Posts
    71 Views
    Bob.Dig
    @ChrisJenk It doesn't make much sense to me what you(?) wrote in the start post. So I am with @JKnott on this one, better do it right in the first place before others have to explain to you how to do it "the old way".
  • Blocked internet but it's still "Kind of" working

    0 Votes
    20 Posts
    320 Views
    C
    @pwood999 I will keep this advice in my parenting notepad and apply it in a couple of years. I like it!
  • Traffic blocked by default deny rule (1000000103) after Starlink reboots.

    0 Votes
    1 Posts
    45 Views
    No one has replied
  • DHCP over filtering bridge stopped working after upgrade to 2.8.0

    bridging
    0 Votes
    1 Posts
    23 Views
    No one has replied
  • FW allowing traffic without rule

    0 Votes
    1 Posts
    40 Views
    No one has replied
  • Is it possible to show the content/ip of a host alias?

    0 Votes
    7 Posts
    137 Views
    S
    @SteveITS yes, it looks like it, but I have actual filterdns log entries in my log.
  • LDAPS 636 problems with pfsense

    0 Votes
    10 Posts
    130 Views
    P
    @mcury I changed back to 389 and have the same problem now; BIND failed, connection OK. I have configured 60-70 pfSense boxes without any problem with LDAPS. I have Windows Server 2025 and have also disabled LDAP required signing.
  • Rules to make Spotify happy?

    0 Votes
    7 Posts
    562 Views
    S
    Thanks, that’s really useful! :) I’ve tried using aliases a few times before, but I’ll make an effort to use them more often. Just set one up for Spotify Premium https://seruapk.com/spotify/ now... :)
  • This topic is deleted!

    0 Votes
    1 Posts
    14 Views
    No one has replied
  • Interfaces disappeared in firewall rules

    0 Votes
    10 Posts
    200 Views
    johnpoz
    @GeorgeCZ58 Looks like a feature to me - once you reach so many interfaces/rows of them in the GUI, it's better to switch over to a drop-down..
  • Some traffic between VLANs blocked after upgrade to 2.8.0/1

    0 Votes
    9 Posts
    163 Views
    johnpoz
    @Fredish well, where I would look is that rule @39 you didn't create.. So if I look in my rules, I don't show that specific number, but for the same rid I see this rule. I am not using floating states.
    ```
    [24.11-RELEASE][admin@sg4860.home.arpa]/var/etc: cat /tmp/rules.debug | grep 1000003570
    antispoof for $WLAN ridentifier 1000003570
    ```
    If I then track that down with pfctl -vvsr I find rules like this.. here are some for VLANs:
    ```
    @98 block drop in on ! igb2.4 inet from 192.168.4.0/24 to any ridentifier 1000007770
    @104 block drop in on ! igb2.6 inet from 192.168.6.0/24 to any ridentifier 1000008820
    @110 block drop in on ! igb4.1011 inet from 10.1.1.0/24 to any ridentifier 1000009870
    ```
    Which are exactly like the rule you showed your traffic matching on, with the ! (not) statement and the network on that VLAN. Here is the one for the rule that matches the same rid as yours:
    ```
    @81 block drop in on ! igb2 inet from 192.168.2.0/24 to any ridentifier 1000003570
    ```
    So from what you posted.. Like I said before, you have source traffic hitting your VLAN 20 interface that is not from the 10.1.20 network - in correctly isolated VLANs this should never be possible. Could be an issue with a multihomed device sending its return traffic out a different interface. Could be a tagging issue in your switching infrastructure, be that physical switching or virtual switches/port groups, etc. But normally it should not be possible for some different source IP to be inbound into a pfSense interface on a different network. With floating states pfSense is allowing this, when to be honest it shouldn't really - unless for some reason, as they mention, you have an asymmetrical setup because you have to for some reason?? The only time you should see different source IPs on an interface would be on a transit/connector network that you are routing downstream networks through. So I would look there - why is that traffic hitting your em0.20 interface when the source IP is not in the 10.1.20 network?
    If I were to guess, I would assume something wrong in your virtual switching setup where tags are not being handled correctly.
  • 0 Votes
    2 Posts
    162 Views
    D
    I managed to resolve my above issue, and for anyone ending up with the same question: my issue was caused by a colleague who added a floating rule rejecting traffic coming from another alias, with logging disabled on that rule. Unfortunately that alias contained a different FQDN that resolved to the same IP as the removed FQDN. What is the important lesson here: apparently the PF box handles floating rules AFTER interface rules. And since logging of that floating rule was disabled, the firewall log logged the allowed traffic from the interface rule, but blocked the traffic afterwards based on the floating rule with no logging! You end up seeing an allow in your log, but it is blocked in the end! This must be a culprit someone else will face one day or another :)
  • Intervlan traffic being blocked

    0 Votes
    42 Posts
    940 Views
    johnpoz
    @greatbush well, you can ping other interfaces on pfSense, just not the 172.16.64 one. At a loss.. You have no floating rules.. And it looks like your rule triggered and states are created there in that top rule you posted trying to talk to it. You have no floating rules - and no current VPN tunnels.. Yeah, at a loss as to what would cause that. Can you talk to any of the other 172.16.x interfaces you have via the route table you sent..
  • Port Forwarding Not Forwarding Traffic To Destination Of VOIP PBX.

    0 Votes
    1 Posts
    58 Views
    No one has replied
  • Firewall rule order is being changed every reboot.

    0 Votes
    2 Posts
    105 Views
    S
    @aaronouthier There was a bug in 24.3/11 where deleting multiple rules would reorder them. There’s a patch. But otherwise no it’s not normal at a reboot. Maybe compare config files before and after?
  • Sudden appearance of SSDP through port 1900 from a public ip

    0 Votes
    6 Posts
    196 Views
    johnpoz
    @rasputinthegreatest well, blocking and not logging would just be any any UDP to that ff0e::c address, or port 1900 anything, etc. And don't have it log. As to the scanners - that is a pfBlocker alias I have.. And put that in a floating rule. [image: 1752953863201-scandeny.jpg]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.