@johnpoz Ok, thanks.

@johnpoz said in Deny outgoing traffic ipv6 for one device/phone:

then not using IPv6 is a very simple solution..

Not using IPv6 is a broken "solution". IPv4 has been inadequate since the day it became necessary to use NAT to get around the address shortage. The world should get off it's butt and move to IPv6, instead of the hack on hack that IPv4 requires. As for 1 application that requires IPv6, take a look at your cell phone. IPv6 is mandatory for 4G & 5G cell networks, as they use VoIP and using IPv4 and all the horseshit it requires would create an unworkable mess. Comcast also moved to IPv6 years ago, because their network was getting too large to manage with IPv4.

I would question the competence of any network professional that thinks IPv4 is good enough.

@SteveITS said in Sanity check for basic firewall rules:

@gld said in Sanity check for basic firewall rules:

rules for the OPTX interface (which are not associated with the firewall)

Then what is it? I'm a bit confused. OPT1/2/3/etc are the default names when adding more interfaces than WAN and LAN. Which some models call PORT1WAN for example. The documentation just assumes you've added OPT1 and need to configure it. You can name it anything, like DMZ or MYLAB.

"OPT1 subnets" would be any subnet assigned to the OPT1 interface.

I was using, as an example, the example in the documentation you referenced. The table in the documentation has the title, "Example firewall rules for isolated LAN type segment". Yes I understand everything you say here.

If you don't have a pass rule for IPV6 then that traffic is not allowed. Each interface has a default block rule.

My understanding is that to allow a subnet get out on the Internet with a IPv6 address there must be an IPv6 pass rule.

If the IPv6 addresses are automatically assigned then no you don't know the IPv6 subnets so using the aliases is probably better than creating your own aliases and having the IPv6 subnets change on you later. "PrivateNets" can be all RFC1918 subnets because those are known.

IPv6 is much easier if you let it be automatic. Add it to WAN, set a prefix delegation request large enough (/57, /60, depends on what your ISP allows) and set the internal interface to Track Interface. Then pfSense will get an IPv6 for WAN, and assign a unique block for the internal interface.

Yes. I was able to get this to work. I eventually got multiple subnets assigned IPv6 addresses. For them to get out to the Internet I had to add a IPv6 pass rule. After that the firewall rules similar to the documentation example you cited and I copied earlier failed to isolate traffic between the subnets I was trying to keep isolated.

I very well might have some significant misunderstandings about IPv6. I will probably take another run at that sometime in the future. For now I'm good.

@SteveITS @kiokoman Hello all just wanted to touch base and let you know all is working well and I have a better handle on how Rules work. I know people tend to disappear when their issues get resolved (guilty) and I wanted to acknowledge your time and expertise in resolving this issue. Thanks again.

@bmeeks

Thank you so much for such detailed explanation. It make sense why all my trials went in vain…

I will not overload the hardware with additional software that may or may not work.

For all of our web faced servers, they are behind a load balancers, and it make sense to use the load balancers to kill such traffic…

Appreciate your help so much

Happy thanksgiving to you, family and all pfSense users ☺️

@NogBadTheBad

made sense, so I tried it, didn't solve the problem, but finally lead me to bump the max table entries under System > Advanced, Firewall/NAT tab which solved the problem.

Thank yo very much.

@killmasta93
well freeradius is built in to pfsense, to me it makes sense to take advantage of already existing service. No I think there are two processes the DHCP will hand out an I{P and then the validation via the radius server would follow.

@Gerard64 Plus 1 as the kids, say 😃

@Gamienator-0 High traffic web sites or content delivery networks will often rotate IP addresses sometimes every minute. That one has a very short TTL:

download.proxmox.com. 61 IN CNAME download.cdn.proxmox.com.
download.cdn.proxmox.com. 12 IN CNAME us.na.cdn.proxmox.com.
us.na.cdn.proxmox.com. 12 IN CNAME na.cdn.proxmox.com.
na.cdn.proxmox.com. 59 IN A 66.70.154.82

pfSense looks up the IP every 5 minutes by default. There will always be a chance the DNS lookup is not the same IP every time you check it, even if it is a few seconds later.

The pfBlocker package can create aliases from ASNs which are basically IP blocks you can look up by company name.

Take a look at the ipquery.io docs

As an update, I have confirmed this works as expected by checking the tables after nesting aliases within aliases within aliases.

I figured it would work, great to know, can really help clean things up in large environments.

@mohkhalifa said in Microsoft 365 and pfSense:

Microsoft created a JSON file includes all M365 firewall rules. Is there any idea to add it to pfSense instead-of creating them manually as they are too much.

Thank you

https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7

we use pfBlockerNG—specifically its (JSON, yes) parser and floating auto-rule creation functionality—to accomplish outbound IP whitelisting to M365/O365 endpoints.

any domains that may need to be whitelisted would need to be done so manually and depend entirely on what's otherwise DNSBL-blocked (if anything) in your environment.

@Gertjan said in Web gui stop working:

The default pfSense LAN IP is 192.168.1.1/24 - that's not a public IP, it's RFC1918 also called ""Block private networks".
On the LAN, the DHCP server is activated.
So, "attach" a device to your LAN, and it will obtain a DHCP lease (IP, network, DNS and gateway) and you can access the pfSense just fine.

Yes I know this way,
You say I use pfsense from a device that is in private network range , OK

So If I use web gui from lan and from a private network so it mean I close wan GUI access, can I use my wan ip fro NAT and other firewall rules like VPN too?

@jimp Dude... You... are.... an... angel!!!!

I totally missed this and would never have thought of looking for this. You nailed it.

I just tried some scps just to see that uploading through the ipsec tunnel immediately failed and was suspecting my fibre provider etc. It was exactly as you suggested. Applying the patches and rebooting brought be back to a workable state and most likely will have solved my sshuttle problems as well.

I honestly cannot thank you enough! Well done mate!

@kprovost let me start out with two things:

Many thanks for your assistance. I really appreciate it. I obviously need more coffee... The target IP was a typo. I have not spotted that earlier since all my tcpdump were filtering for port 2055 only and of course I would have suspected to see outgoing packets of some sort (which I still do not understand why this was not the case).

However after fixing the typo netflows are being received now and I feel extremely stupid for not having that spotted earlier. Many thanks! Apologies!

@Rapho have youo read "Manually editing the configuration > Edit In Place" in the docs?

As in remove the /tmp/config.cache and restart/save/reload the part of the config you changed?