Firewalling

• R

  Firewall Rule to limit IP cameras from getting internet access
  • richtj99

  7
  0
  Votes
  7
  Posts
  102
  Views

  R

  Hi, I have it setup with static IP's for each camera, then each camera has been added into an Alias (Cameras). The only way I could get it working was with the !Lan part of my rule. I dont really understand why that works as it was trial and error to get it working. @akuma1x said in Firewall Rule to limit IP cameras from getting internet access: @richtj99 said in Firewall Rule to limit IP cameras from getting internet access: @akuma1x How do i give them no internet while being on the same subnet/single vlan? This is how I do it: All of these cameras need to have static IP Addresses setup in the DHCP server section for the subnet/network your cameras are on. Then make an Alias for all the cameras. This is found under the Firewall tab up at the top of the screen. Once the alias is made, you can create a single firewall rule, on the subnet/network your cameras are on, and deny it access to the internet. Make this rule the top-most rule in the list, right under the anti-lockout rule. Denying access to the internet is pretty simple, if in fact you want to deny access to ANY external internet service. On that last firewall rule, set your action to reject or block, set the protocol to ANY, your source to single host or alias using the ALIAS you created above, and the destination to ANY. This sets the rule up so no ALIAS traffic leaves the subnet/network, including traffic bound for the internet. Jeff
• M

  how can i stop logs for ipv4 IGMP but still log default deny
  • mrwaltman

  14
  0
  Votes
  14
  Posts
  63
  Views

  M

  Interesting. It's a WiFi connection from the business to the ISP so I have no access to a dsl modem, bit I will pass this along to the ISP and see what they say. Thanks again for your help and time. Much appreciated.
• F

  Need help setting two WAN IPs to HAProxy
  • Fred83

  2
  0
  Votes
  2
  Posts
  36
  Views

  F

  Turns out my logic was correct, I was just mistaken on the settings for the firewall rule. All traffic from outside to the VIP from all protocols and it is now working.
• B

  Measure DPI perfomance on 10Gbps NICs
  • birdperson

  1
  0
  Votes
  1
  Posts
  34
  Views

  No one has replied

• P

  Pfsense blocking Drucva InSync
  • philipo

  1
  0
  Votes
  1
  Posts
  37
  Views

  No one has replied

• I

  google stop working automatically some time(pfsense-2.4.4) .
  • itsupport_debut

  6
  0
  Votes
  6
  Posts
  67
  Views

  

  Ok. Here it is : several thousands of pfSense installations, and yours is blocking "Google". We all have the same code base. Only our settings are different. I propose that you detail your settings / packages, etc. What will work right away : reset to default settings. Activate WAN. Do nothing else. Do not add any packages. Your problem will be solved.
• J

  Easy Question: Block all outside DNS except Pihole
  • jay226

  7
  0
  Votes
  7
  Posts
  76
  Views

  

  His method is cleaner easier to read, and better in the long run. Inverted rules can be useful, and I do use them, they are not for everyone ;)
• 

  Disable or prohibit routing between local subnets
  • morgenstern

  9
  0
  Votes
  9
  Posts
  76
  Views

  

  ping or (icmp) is not tcp/udp ;)
• S

  Single Host Entry Disabled - Why?
  • stevemac00

  3
  0
  Votes
  3
  Posts
  26
  Views

  S

  Agree - seems like a GUI bug. To answer your question, yes in this case I want it limited to a single alias (it's for sync mirroring). I have tried changing back to every menu item and it's always disabled. In fact, all my NAT entries on this device are disabled when I try to change to single host/alias yet on a "matching" device in another location it's fine. If I create a new NAT entry it's also disabled. If nobody knows, I guess I can save a backup, change backup XML and then restore the backup.
• P

  Backup fails with SSL or certificate error during certificate validation behind pfsense firewall
  • philipo

  1
  0
  Votes
  1
  Posts
  19
  Views

  No one has replied

• L

  IPVanish VPN client works, internal network doesn't.
  • lpiatt

  5
  0
  Votes
  5
  Posts
  142
  Views

  L

  I have three interfaces, LAN, WAN and the VPN. All three have these options unchecked. I would like the 192.168.2.* to be able to talk to the 192.168.1.* I decided to change my VPN to NordVPN instead of IPVanish but the results are the same. I followed this how-to to set it up: https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/ My network topology is fairly simple: I have these firewall outbound rules, no other firewall rules have been implemented:
• G

  v2.4.4_p2 Log puts tracker number instead of description
  • gwaitsi

  9
  0
  Votes
  9
  Posts
  48
  Views

  

  And if you don't want to log it who says its still there... Put in a feature request if you want it to put the desc on old log entries that are no longer set to log ;) No future entries will be put in, etc. What if you edited the rule and its ID changed, how would it find the OLD Desc, etc. What if you change the desc, etc.
• T

  Need help with forwarding web trafic to the proxy sever on the network
  • tanja84dk

  8
  0
  Votes
  8
  Posts
  94
  Views

  T

  it still wont work and have even tried to reboot the pfSense earlier today
• G

  FW rule by source network device
  • Gullytrotter

  1
  0
  Votes
  1
  Posts
  39
  Views

  No one has replied

• K

  VLAN Setup Advice
  • kiekar

  3
  0
  Votes
  3
  Posts
  111
  Views

  K

  Hi and thanks for your reply, I recently raised another thread on my setup not working. Thread 140443
• K

  Correct GW for bridged pfSense box
  • krak3n

  4
  0
  Votes
  4
  Posts
  84
  Views

  

  Why can you not just leverage the Mik as AP? Then use pfsense as your edge firewall/router and for routing all your internal segments. This will give you insight and control over your internal network and to and from the internet. Just leverage the Mik as wireless. What specific model do you have?
• Q

  Speech path being blocked after call established
  • Qball

  2
  0
  Votes
  2
  Posts
  76
  Views

  

  @qball Since you're behind NAT, you need to use an STUN server to tell the other end what your real address is. There may also be some issues with maintaining the path through NAT for UDP.
• G

  Firewalling MAC addresses
  • garyd9

  37
  0
  Votes
  37
  Posts
  11839
  Views

  L

  I notice the last response is 2mo old, but... I am using SonicWalls with MAC addresses being used in the rules all the time - for the very reasons that the OP listed, with IPv6 being the more annoying bit for me. Filtering by IP is about as effective as milking a boar. Since I've used pfSense for ages and the SonicWall bits are kinda new to me I had asked an engineer how the Sonicwall does this effectively with such an anemic CPU, and was told that the rules essentially are updated when the MAC goes live on the network with whatever IP(s) the machine has. The documentation I've read for the Sonicwalls I've been managing indicate that they operate very similarly to how pfSense does, aside from not being based on pf. Since we have to record this information anyways and validate against DHCP/ARP, I'm not sure how-come pfSense can't do this? We're running CPUs that are worlds better than the junk in even the expensive Sonicwalls, so even if there was some overhead, I think it should be possible and even feasible. However I will digress in that I am not a programmer, and there may be some code sitting in the way that makes this incredibly expensive to do. It sure as heck would make my life much easier. I could set things to happen based on MAC and not give a crap what IP they have or if they manually set it to something else, or if they're using IPv6 which as stated before by OP and here is ineffective.
• P

  Forward all traffic
  • pavi

  2
  0
  Votes
  2
  Posts
  95
  Views

  

  I'd setup Site to Site VPNs with your home 100/100 as hub, your can route/NAT any traffic inside the tunnels back and forth like you want/need. Which coin are you going to run? -Rico
• S

  error loading the rules: no IP adresss found
  • silfin

  10
  0
  Votes
  10
  Posts
  117
  Views

  

  Have a look at Diagnostics Arp Table and NDP table
• M

  Got a lot of Default deny rule IPv4 (1000000103) from WAN, am I got hack?
  • michaelm0829

  24
  0
  Votes
  24
  Posts
  409
  Views

  

  @derelict said in Got a lot of Default deny rule IPv4 (1000000103) from WAN, am I got hack?: Still have a working (sort of) Altair 8800 in the family. The IMSAI was a better quality clone of the Altair.
• U

  Advice needed - way to give rule descriptions to syslog server
  • user2

  5
  0
  Votes
  5
  Posts
  167
  Views

  

  What about the rule's "tracking id'? You would still have to have to use something like Logstash to match the tracking ids to descriptions though. Your post got me curious so I tried it out. I created a CSV file from this one-liner and used the Logstash Translate filter plugin to map tracking id's to descriptions. As long as the fw rules are fairly stable, it's no too much of a pain. pfctl -vv -sr | grep USER_RULE | sed 's/[^(]*(\([^)]*\).*"USER_RULE: *\([^"]*\).*/"\1",\2/' | sort -t ' ' -k 1,1 -u Here's a screenshot from Elasticsearch alerting on my country blocking rule. Logstash added the description field. note: credit for the sed command goes to this guy on SO.
• S

  Camera VLAN - Firewall rules
  • spatak

  2
  0
  Votes
  2
  Posts
  102
  Views

  S

  OK, nevermind. I sorted through this. Took getting another computer up and onto the camera network to make sure things were working the way I wanted and took a bit to wrap my head around the rules for the camera interface as this was a bit more involved than my IOT implementation.
• T

  Erratic rule behavior for an alias
  • trumee

  3
  0
  Votes
  3
  Posts
  115
  Views

  T

  I decided to use my own dns server as domain override. To test the DNS server i tried it directly, $ nslookup > server 192.168.1.166 Default server: 192.168.1.166 Address: 192.168.1.166#53 > delta37tatasky.akamaized.net Server: 192.168.1.166 Address: 192.168.1.166#53 Non-authoritative answer: delta37tatasky.akamaized.net canonical name = a1279.w10.akamai.net. Name: a1279.w10.akamai.net Address: 122.15.34.35 and it works as seen above. Next i changed the Domain override as follows, But nslookup fails to work $ nslookup > delta37tatasky.akamaized.net ;; Got SERVFAIL reply from 172.16.1.1, trying next server ;; connection timed out; no servers could be reached Any idea what is wrong?
• A

  Firewall rules for Synology apps fail to match traffic
  • alexanderk81

  3
  0
  Votes
  3
  Posts
  91
  Views

  A

  Hi Steve, thank you for your reply. I actually forgot that the NAS still had an active interface in the same network my mobile phone is connected to. Since the phone uses the NAS-IP in the .10 network but both phone and NAS were in the .15 network the TCP connection got messed up. If only Synology would allow to bind sevices to one or more specific interfaces... Anyway, now it's working. Alex
• T

  LAN1 can access computers but not managed switch on LAN2
  • TD22057

  5
  0
  Votes
  5
  Posts
  84
  Views

  

  Yeah better to avoid tagged and untagged traffic on the same interface if you can because of exactly this sort of issue. There's no reason why it shouldn't work but I suspect the switch was not doing the expected thing with the untagged traffic. Steve
• G

  Error Loading Rules
  • gtr2019

  3
  0
  Votes
  3
  Posts
  90
  Views

  K

  @stephenw10 Most likely alias WAN was created Therefore, the error appears It is easy to check just see the output of the command cat /tmp/rules.debug | grep WAN
• R

  Firewall rules tab for non-assigned interface
  • reilos

  9
  0
  Votes
  9
  Posts
  105
  Views

  R

  That's a great link that clarifies some things (my basic understanding in my previous comment seems correct), thanks! Still wrapping my head around the parts in slide 15 & 16. When my loud kids are in bed, i'll check if the video explains that part simple enough for me :)
• Y

  Default deny rule IPv6 (1000000105) - Internet Drops
  • yupq6wlc79ts

  6
  0
  Votes
  6
  Posts
  228
  Views

  K

  @yupq6wlc79ts Tell me more about the problem. And show the output of the command from cli ifconfig -m
• C

  Firewall rules with multiple IPs (ACL)
  • CyberMinion

  4
  0
  Votes
  4
  Posts
  75
  Views

  

  Hi @cyberminion, At Firewall > Aliases, there is an Import button on the bottom. Paste in the aliases to import separated by a carriage return. Common examples are lists of IPs, networks, blacklists, etc. The list may contain IP addresses, with or without CIDR prefix, IP ranges, blank lines (ignored) and an optional description after each IP. e.g.: 172.16.1.2 172.16.0.0/24 10.11.12.100-10.11.12.200 192.168.1.254 Home router 10.20.0.0/16 Office network 10.40.1.10-10.40.1.19 Managed switches Thank you, -James
• 

  firewall log
  • Qinn

  4
  0
  Votes
  4
  Posts
  153
  Views

  

  Sorry, still not grasping it, as the source is not from my private subnet and not on the WAN interface, but a private interface (WLAN) how can it be inbound? Or do you mean, that 192.168.5.68 tries to access and 40.76.xxx.xxx and when 40.76.xx.xx wants to setup a connection it's blocked? I thought established connectings are not been blocked so what default deny rule is it?
• E

  New pfSense vm installed, now port forwards fail
  • eiger3970

  10
  0
  Votes
  10
  Posts
  215
  Views

  E

  Okay, the problem was the router had Firewall rules and no NATs. I deleted all the rules, created NATs and linked rules appeared. Strangely, when I access www.domain.com from inside the LAN, the pfSense login page appears, rather than the website?
• C

  PfSense getting flooded with DHCPv6 requests on WAN
  • cetteup

  2
  0
  Votes
  2
  Posts
  125
  Views

  

  You may not use IPv6, but other devices on that segment might. Capture the traffic and take a closer look at the source. See if it's from a MAC address on your network, or on the ISP gear. It's likely some other client on the same WAN segment making the requests. Depending on how the ISP has constructed their network, it might be another customer on the same segment as you.
• 

  Still weird issues with fragmented IPv6 (DNS) packets 2.4.4-p1
  • sigi

  19
  0
  Votes
  19
  Posts
  442
  Views

  

  @maverick_slo this means not that the same value is ok in your network. Try to go down further....
• N

  pfSense & Smart Outlets
  • newUser2pfSense

  9
  0
  Votes
  9
  Posts
  246
  Views

  N

  bmeeks...Thanks for the reply. I just checked all of my Suricata logs and the DHCP reservation IP address I have set for the smart outlet could not be found. It's good to know Suricata isn't blocking the smart outlet. NogBadTheBad...I do have the latest Apple TV, it's a 4K; I checked the model number - A1842 (64 GB). I wonder though if you have to enable Homekit in the Apple TV? Maybe there is a setting for that? UPDATE - I didn't have two factor authentication enabled on my iPhone. That was the issue. I had no idea you had to have it enabled for it to work. The smart outlets now work while not on my home network.
• Z

  Email Stuck in outbox - Gmail (Resolved)
  • z71prix

  7
  0
  Votes
  7
  Posts
  155
  Views

  Z

  The VPN I use is NORDVPN. Hope this helps.
• G

  Bridge
  • gomap

  4
  0
  Votes
  4
  Posts
  1737
  Views

  P

  Problem Solved. Changed setup to a 2-Interface bridge, with Fixed IP on WAN side. The key change was to enable DHCP Relay, and then allow WAN to Pass UDP Port 67 & 68. Now I can filter Inbound & Outbound in the same way as regular NAT Firewall mode.
• 

  How to monitor and then sizing Advanced Options of a rule?
  • slamdunk

  1
  0
  Votes
  1
  Posts
  64
  Views

  No one has replied

• Z

  NetGear(s) in AP Mode will not communicate on different LANs (Resolved)
  • z71prix

  34
  0
  Votes
  34
  Posts
  310
  Views

  Z

  That resolved the issue!!! You're awesome!!! Communication works now on both AP(s) Thank you so much for your help!! Thank you everyone else as well!!
• A

  Pfsense doesn't apply rules
  • atmega

  14
  0
  Votes
  14
  Posts
  348
  Views

  A

  Hi! I did the next steps: I looked in /etc/inc/util.inc and found the body of function send_message. I saw that function open a file and write a command to this file. If file doesn't exist then function run daemon check_reload_status. 2)But I didn't find the file to writing. I tried manually to run check_reload_status and got error "library libevent-2.0.so.5 not found"!!!! I did next command from comand line ldd /usr/local/sbin/check_reload_status I really saw that library libevent-2.0.so.5 is not found I ran a search of missing library and found other version of library libevent. At the least I created a symbolic link ln -s /usr/local/lib/libevent-2.1.so.6 /usr/local/lib/libevent-2.0.so.5 Now I see that everything works perfectly!!! I rebooted server - everything works! Konstanti! Thanks for your help!