Firewalling

• P

  Pfsense blocking Drucva InSync
  • philipo

  16
  0
  Votes
  16
  Posts
  84
  Views

  

  Their docs say they don't use port 80 though.... https://docs.druva.com/001_inSync_Cloud/Cloud/020_Backup_and_Restore/010_Set_up_inSync/010_Configuration/Network_ports Are you using SSL filtering in Squid? A list of server IPs is going to be impractical here. Steve
• D

  Tags not working, gateway down but pfsense still sending traffic over it... firewall basically not working
  • DutchSamurai

  4
  0
  Votes
  4
  Posts
  17
  Views

  D

  @johnpoz Thanks, that was the problem. Did a few quick tests with that setting enabled and now everything appears to be working as intended.
• M

  how can i stop logs for ipv4 IGMP but still log default deny
  • mrwaltman

  15
  0
  Votes
  15
  Posts
  86
  Views

  M

  I contacted the ISP. They have no idea, but it is clearly coming from their side. On a side note, maybe there is a bug in this version of pfSense (2.4.4-RELEASE-p2 (amd64) ) or the device (SG-5100). I tried adding an easy rule, but it was invalid. Turns out I had renamed the interface WAN2, but the logs only show ix0. I changed the name back to ix0, and then the easy pass rule could be made. I enabled logging of the rule, reset states, but no difference. Default Deny still flooded logs. I rebooted device, same thing. I would seem that if an easy rule made on that inferface cannot actually pass the IGMP packets and log them, that there is a problem. Or I could be in error somehow.
• D

  Unable to access single host on LAN from OpenVPN
  • DutchSamurai

  2
  0
  Votes
  2
  Posts
  12
  Views

  

  @dutchsamurai said in Unable to access single host on LAN from OpenVPN: I can access all hosts apart from a single one. So how does that have anything to do with pfsense then? Prob as something as simple as that host running a firewall.
• R

  Block ALL from pfSense box but pass all routing...
  • Rasstace

  4
  0
  Votes
  4
  Posts
  57
  Views

  

  Mmm, yes on the WAN side I guess it's matching after NAT so sees the source as 'this firewall'. I'm not that familiar with the rule order out on WAN it's not something I ever usually deal with. In the opposite direction NAT is applied before the firewall rules. https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-processing-order.html Can we see a screenshot of the rules you added and whatever is showing as blocked in the firewall log? Steve
• M

  LAN net (macro) as Source vs specifying any (*) as Source in a rule
  • moelassus

  4
  0
  Votes
  4
  Posts
  49
  Views

  M

  @stephenw10 Thanks that helps clear up that question.
• B

  Measure DPI perfomance on 10Gbps NICs
  • birdperson

  2
  0
  Votes
  2
  Posts
  47
  Views

  

  You would need to use Snort or Suricata for packet inspection. You might want to use Suricata since it supports in-line mode, in legacy mode at least one packet is passed before the block is set so for something like dig that's probably not going to work well. Assuming your client is going to spoof numerous source IPs that is. Developing that rule is outside the scope of this subsection. Probably best to ask in IPS/IDS. Steve
• S

  Fields for IPv6 logging entries
  • securvark

  4
  0
  Votes
  4
  Posts
  57
  Views

  S

  Oke how about this? I haven't looked at ICMP yet but IPv4 and 6 should be almost correct: Updated: IPv4 TCP regular expression: ^filterlog:\s+.*,(in|out),4,.*,tcp,.*$ Column Headers: RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength,TCPFlags,Sequence,ACK,Window,URG,Options IPv4 UDP regular expression: ^filterlog:\s+.*,(in|out),4,.*,udp,.*$ RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength IPv6 TCP regular expression: ^filterlog:\s+.*,(in|out),6,.*,TCP,.*$ RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,Class,FlowLabel,HopLimit,Protocol,ProtocolID,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength,TCPFlags,Sequence,ACK,Window,URG,Options IPv6 UDP regular expression: ^filterlog:\s+.*,(in|out),6,.*,UDP,.*$ RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,Class,FlowLabel,HopLimit,Protocol,ProtocolID,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength IPv4 ICMP Echo regular expression: ^filterlog:\s+.*,(in|out),4,.*,icmp,.*,(request|reply),.*$ RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,ICMP_Type,ICMP_ID,ICMP_Sequence IPv6 ICMP regular expression: ^filterlog:\s+.*,(in|out),6,.*,ICMPv6,.*$ RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,Protocol,ProtocolID,Length,SourceIP,DestIP,UnknownFld Please correct where I am wrong and fill in the question marks if you can. There's an empty field on ICMPv6, I called it "UnknownFld", because, uh, I don't know what it is . Thanks! PS. If these fields are correct, you may want to update your wiki documentation with it.
• R

  PHP Parse error: syntax error, unexpected ';'
  • rexchow

  3
  0
  Votes
  3
  Posts
  50
  Views

  K

  @mikeisfly Hey it says on Github that this bug has been fixed
• L

  Unable to select gateway in firewall rules.
  • linuxgae

  3
  0
  Votes
  3
  Posts
  48
  Views

  L

  Found it under advanced. Thought I had looked through advanced before. Guess I'm just getting old and tired.
• R

  Firewall Rule to limit IP cameras from getting internet access
  • richtj99

  7
  0
  Votes
  7
  Posts
  114
  Views

  R

  Hi, I have it setup with static IP's for each camera, then each camera has been added into an Alias (Cameras). The only way I could get it working was with the !Lan part of my rule. I dont really understand why that works as it was trial and error to get it working. @akuma1x said in Firewall Rule to limit IP cameras from getting internet access: @richtj99 said in Firewall Rule to limit IP cameras from getting internet access: @akuma1x How do i give them no internet while being on the same subnet/single vlan? This is how I do it: All of these cameras need to have static IP Addresses setup in the DHCP server section for the subnet/network your cameras are on. Then make an Alias for all the cameras. This is found under the Firewall tab up at the top of the screen. Once the alias is made, you can create a single firewall rule, on the subnet/network your cameras are on, and deny it access to the internet. Make this rule the top-most rule in the list, right under the anti-lockout rule. Denying access to the internet is pretty simple, if in fact you want to deny access to ANY external internet service. On that last firewall rule, set your action to reject or block, set the protocol to ANY, your source to single host or alias using the ALIAS you created above, and the destination to ANY. This sets the rule up so no ALIAS traffic leaves the subnet/network, including traffic bound for the internet. Jeff
• F

  Need help setting two WAN IPs to HAProxy
  • Fred83

  2
  0
  Votes
  2
  Posts
  39
  Views

  F

  Turns out my logic was correct, I was just mistaken on the settings for the firewall rule. All traffic from outside to the VIP from all protocols and it is now working.
• I

  google stop working automatically some time(pfsense-2.4.4) .
  • itsupport_debut

  6
  0
  Votes
  6
  Posts
  74
  Views

  

  Ok. Here it is : several thousands of pfSense installations, and yours is blocking "Google". We all have the same code base. Only our settings are different. I propose that you detail your settings / packages, etc. What will work right away : reset to default settings. Activate WAN. Do nothing else. Do not add any packages. Your problem will be solved.
• J

  Easy Question: Block all outside DNS except Pihole
  • jay226

  7
  0
  Votes
  7
  Posts
  85
  Views

  

  His method is cleaner easier to read, and better in the long run. Inverted rules can be useful, and I do use them, they are not for everyone ;)
• 

  Disable or prohibit routing between local subnets
  • morgenstern

  9
  0
  Votes
  9
  Posts
  90
  Views

  

  ping or (icmp) is not tcp/udp ;)
• S

  Single Host Entry Disabled - Why?
  • stevemac00

  3
  0
  Votes
  3
  Posts
  29
  Views

  S

  Agree - seems like a GUI bug. To answer your question, yes in this case I want it limited to a single alias (it's for sync mirroring). I have tried changing back to every menu item and it's always disabled. In fact, all my NAT entries on this device are disabled when I try to change to single host/alias yet on a "matching" device in another location it's fine. If I create a new NAT entry it's also disabled. If nobody knows, I guess I can save a backup, change backup XML and then restore the backup.
• P

  Backup fails with SSL or certificate error during certificate validation behind pfsense firewall
  • philipo

  1
  0
  Votes
  1
  Posts
  24
  Views

  No one has replied

• L

  IPVanish VPN client works, internal network doesn't.
  • lpiatt

  5
  0
  Votes
  5
  Posts
  144
  Views

  L

  I have three interfaces, LAN, WAN and the VPN. All three have these options unchecked. I would like the 192.168.2.* to be able to talk to the 192.168.1.* I decided to change my VPN to NordVPN instead of IPVanish but the results are the same. I followed this how-to to set it up: https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/ My network topology is fairly simple: I have these firewall outbound rules, no other firewall rules have been implemented:
• G

  v2.4.4_p2 Log puts tracker number instead of description
  • gwaitsi

  9
  0
  Votes
  9
  Posts
  60
  Views

  

  And if you don't want to log it who says its still there... Put in a feature request if you want it to put the desc on old log entries that are no longer set to log ;) No future entries will be put in, etc. What if you edited the rule and its ID changed, how would it find the OLD Desc, etc. What if you change the desc, etc.
• T

  Need help with forwarding web trafic to the proxy sever on the network
  • tanja84dk

  8
  0
  Votes
  8
  Posts
  106
  Views

  T

  it still wont work and have even tried to reboot the pfSense earlier today
• G

  FW rule by source network device
  • Gullytrotter

  1
  0
  Votes
  1
  Posts
  44
  Views

  No one has replied

• K

  VLAN Setup Advice
  • kiekar

  3
  0
  Votes
  3
  Posts
  116
  Views

  K

  Hi and thanks for your reply, I recently raised another thread on my setup not working. Thread 140443
• K

  Correct GW for bridged pfSense box
  • krak3n

  4
  0
  Votes
  4
  Posts
  88
  Views

  

  Why can you not just leverage the Mik as AP? Then use pfsense as your edge firewall/router and for routing all your internal segments. This will give you insight and control over your internal network and to and from the internet. Just leverage the Mik as wireless. What specific model do you have?
• Q

  Speech path being blocked after call established
  • Qball

  2
  0
  Votes
  2
  Posts
  79
  Views

  

  @qball Since you're behind NAT, you need to use an STUN server to tell the other end what your real address is. There may also be some issues with maintaining the path through NAT for UDP.
• G

  Firewalling MAC addresses
  • garyd9

  37
  0
  Votes
  37
  Posts
  11889
  Views

  L

  I notice the last response is 2mo old, but... I am using SonicWalls with MAC addresses being used in the rules all the time - for the very reasons that the OP listed, with IPv6 being the more annoying bit for me. Filtering by IP is about as effective as milking a boar. Since I've used pfSense for ages and the SonicWall bits are kinda new to me I had asked an engineer how the Sonicwall does this effectively with such an anemic CPU, and was told that the rules essentially are updated when the MAC goes live on the network with whatever IP(s) the machine has. The documentation I've read for the Sonicwalls I've been managing indicate that they operate very similarly to how pfSense does, aside from not being based on pf. Since we have to record this information anyways and validate against DHCP/ARP, I'm not sure how-come pfSense can't do this? We're running CPUs that are worlds better than the junk in even the expensive Sonicwalls, so even if there was some overhead, I think it should be possible and even feasible. However I will digress in that I am not a programmer, and there may be some code sitting in the way that makes this incredibly expensive to do. It sure as heck would make my life much easier. I could set things to happen based on MAC and not give a crap what IP they have or if they manually set it to something else, or if they're using IPv6 which as stated before by OP and here is ineffective.
• P

  Forward all traffic
  • pavi

  2
  0
  Votes
  2
  Posts
  97
  Views

  

  I'd setup Site to Site VPNs with your home 100/100 as hub, your can route/NAT any traffic inside the tunnels back and forth like you want/need. Which coin are you going to run? -Rico
• S

  error loading the rules: no IP adresss found
  • silfin

  10
  0
  Votes
  10
  Posts
  127
  Views

  

  Have a look at Diagnostics Arp Table and NDP table
• M

  Got a lot of Default deny rule IPv4 (1000000103) from WAN, am I got hack?
  • michaelm0829

  24
  0
  Votes
  24
  Posts
  437
  Views

  

  @derelict said in Got a lot of Default deny rule IPv4 (1000000103) from WAN, am I got hack?: Still have a working (sort of) Altair 8800 in the family. The IMSAI was a better quality clone of the Altair.
• U

  Advice needed - way to give rule descriptions to syslog server
  • user2

  5
  0
  Votes
  5
  Posts
  174
  Views

  

  What about the rule's "tracking id'? You would still have to have to use something like Logstash to match the tracking ids to descriptions though. Your post got me curious so I tried it out. I created a CSV file from this one-liner and used the Logstash Translate filter plugin to map tracking id's to descriptions. As long as the fw rules are fairly stable, it's no too much of a pain. pfctl -vv -sr | grep USER_RULE | sed 's/[^(]*(\([^)]*\).*"USER_RULE: *\([^"]*\).*/"\1",\2/' | sort -t ' ' -k 1,1 -u Here's a screenshot from Elasticsearch alerting on my country blocking rule. Logstash added the description field. note: credit for the sed command goes to this guy on SO.
• S

  Camera VLAN - Firewall rules
  • spatak

  2
  0
  Votes
  2
  Posts
  104
  Views

  S

  OK, nevermind. I sorted through this. Took getting another computer up and onto the camera network to make sure things were working the way I wanted and took a bit to wrap my head around the rules for the camera interface as this was a bit more involved than my IOT implementation.
• T

  Erratic rule behavior for an alias
  • trumee

  3
  0
  Votes
  3
  Posts
  118
  Views

  T

  I decided to use my own dns server as domain override. To test the DNS server i tried it directly, $ nslookup > server 192.168.1.166 Default server: 192.168.1.166 Address: 192.168.1.166#53 > delta37tatasky.akamaized.net Server: 192.168.1.166 Address: 192.168.1.166#53 Non-authoritative answer: delta37tatasky.akamaized.net canonical name = a1279.w10.akamai.net. Name: a1279.w10.akamai.net Address: 122.15.34.35 and it works as seen above. Next i changed the Domain override as follows, But nslookup fails to work $ nslookup > delta37tatasky.akamaized.net ;; Got SERVFAIL reply from 172.16.1.1, trying next server ;; connection timed out; no servers could be reached Any idea what is wrong?
• A

  Firewall rules for Synology apps fail to match traffic
  • alexanderk81

  3
  0
  Votes
  3
  Posts
  95
  Views

  A

  Hi Steve, thank you for your reply. I actually forgot that the NAS still had an active interface in the same network my mobile phone is connected to. Since the phone uses the NAS-IP in the .10 network but both phone and NAS were in the .15 network the TCP connection got messed up. If only Synology would allow to bind sevices to one or more specific interfaces... Anyway, now it's working. Alex
• T

  LAN1 can access computers but not managed switch on LAN2
  • TD22057

  5
  0
  Votes
  5
  Posts
  89
  Views

  

  Yeah better to avoid tagged and untagged traffic on the same interface if you can because of exactly this sort of issue. There's no reason why it shouldn't work but I suspect the switch was not doing the expected thing with the untagged traffic. Steve
• G

  Error Loading Rules
  • gtr2019

  3
  0
  Votes
  3
  Posts
  93
  Views

  K

  @stephenw10 Most likely alias WAN was created Therefore, the error appears It is easy to check just see the output of the command cat /tmp/rules.debug | grep WAN
• R

  Firewall rules tab for non-assigned interface
  • reilos

  9
  0
  Votes
  9
  Posts
  114
  Views

  R

  That's a great link that clarifies some things (my basic understanding in my previous comment seems correct), thanks! Still wrapping my head around the parts in slide 15 & 16. When my loud kids are in bed, i'll check if the video explains that part simple enough for me :)
• Y

  Default deny rule IPv6 (1000000105) - Internet Drops
  • yupq6wlc79ts

  6
  0
  Votes
  6
  Posts
  229
  Views

  K

  @yupq6wlc79ts Tell me more about the problem. And show the output of the command from cli ifconfig -m
• C

  Firewall rules with multiple IPs (ACL)
  • CyberMinion

  4
  0
  Votes
  4
  Posts
  79
  Views

  

  Hi @cyberminion, At Firewall > Aliases, there is an Import button on the bottom. Paste in the aliases to import separated by a carriage return. Common examples are lists of IPs, networks, blacklists, etc. The list may contain IP addresses, with or without CIDR prefix, IP ranges, blank lines (ignored) and an optional description after each IP. e.g.: 172.16.1.2 172.16.0.0/24 10.11.12.100-10.11.12.200 192.168.1.254 Home router 10.20.0.0/16 Office network 10.40.1.10-10.40.1.19 Managed switches Thank you, -James
• 

  firewall log
  • Qinn

  4
  0
  Votes
  4
  Posts
  162
  Views

  

  Sorry, still not grasping it, as the source is not from my private subnet and not on the WAN interface, but a private interface (WLAN) how can it be inbound? Or do you mean, that 192.168.5.68 tries to access and 40.76.xxx.xxx and when 40.76.xx.xx wants to setup a connection it's blocked? I thought established connectings are not been blocked so what default deny rule is it?
• E

  New pfSense vm installed, now port forwards fail
  • eiger3970

  10
  0
  Votes
  10
  Posts
  228
  Views

  E

  Okay, the problem was the router had Firewall rules and no NATs. I deleted all the rules, created NATs and linked rules appeared. Strangely, when I access www.domain.com from inside the LAN, the pfSense login page appears, rather than the website?
• C

  PfSense getting flooded with DHCPv6 requests on WAN
  • cetteup

  2
  0
  Votes
  2
  Posts
  127
  Views

  

  You may not use IPv6, but other devices on that segment might. Capture the traffic and take a closer look at the source. See if it's from a MAC address on your network, or on the ISP gear. It's likely some other client on the same WAN segment making the requests. Depending on how the ISP has constructed their network, it might be another customer on the same segment as you.