Found this in the logs

There were error(s) loading the rules: /tmp/rules.debug:57: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [57]: table <bogonsv6> persist file "/etc/bogonsv6"

Increased the Firewall Maximum Table Entries from 400000 to 800000 and was able to do a full filter reload. So apparently I couldn't load all the firewall filters was the root issue.

@Kaetih-Lue
Presumed, the Teltonika accepts pushed routes, you can enter the networks, you want to access at "Local Network/s" in the server settings.
If you only need this single IP enter

192.168.50.101/32

Did you just upgrade?

Those errors are almost always because of mismatch between pfctl and the running kernel.

@snigy is it actually blocked and not https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html ?

Last notice on this: I built a setup with a Sophos XGS which doesn't support wireguard but IPsec. There I could track traffic (but only on non-floating rules!) without any problems, matching on addresses and/or ports.
So it seems to be only wireguard-related.

thank

@Gertjan said in Change TTL to Block Internet Sharing by NetShare or Bluetooth:

@horasjey

Ok did some searching for you.
Found this Change default TTL value

That was true in 2018, nothing, afaik, changed since.

Global answers : pfsense change TTL.

edit :

@Gertjan said in Change TTL to Block Internet Sharing by NetShare or Bluetooth:

Not sure if it possible with pfSense.

That's a long answer for 'dono'.
So how would I be able to answer :

@horasjey said in Change TTL to Block Internet Sharing by NetShare or Bluetooth:

here is the TTL config on the pfsense device sir?

?

thanks @Gertjan

@NOCling Yes, fixed. Thanks.

@SteveITS
Still odd that it seems to KNOW it is in Canada and I did not see the IP range that was being blocked in the list...

Oh well, it is working so that is good.

Cheers,

@tknospdr said in How to read FW rules in plain English:

Packet arrives to my WAN interface and says "I'm here to see PUBLIC_IP in apartment 3290.
NAT rule says, "Hmm they're actually looking for 192.168.2.2 in apt 32400, but before I send them on their way, let's see if the doorman will allow it"
Doorman says "My rulebook says packets from PUBLIC_IP visiting 2.2:3400 are welcome here"

Close !
This order :

Packet arrives to my WAN interface and says "I'm here to see PUBLIC_IP in apartment 3290.
Doorman says "My rulebook says packets from PUBLIC_IP visiting 2.2:3400 are welcome here"
NAT rule says, "Hmm they're actually looking for 192.168.2.2 in apt 32400, but before I send them on their way, let's see if the doorman will allow it"

Where doorman = the WAN firewall rule (created by the NAT rule).
So, first, an incoming packet has to be allowed by this fire wall rule.
The packet can now enter the router and the attached NAT rule will kick in : it will replace the source IP of the packet with the destination IP for the local LAN IP, like 192.168.1.22. If needed, the original destination port number can also be changed, but this is optional. In your case it was originally '32400' and it sated '32400'.
The NAT rule (and firewall rule) is statefull : the answers from the traffic going to 192.168.1.22 will get remapped in reverse, so a bidirectional data stream can take place.

@vettalex said in Problems with rules between networks:

Unfortunately on these devices, it is not possible to set a gateway :(

Here is an example - but you should create another interface/vlan for devices on this 192.168.201.0/24

So for example, I have some IP cameras on a 10.1.1.0/24 network behind my NVR, they all point to the NVR as their gateway 10.1.1.1, but I want to get to these cameras directly from my networks, so I can view the video via rtsp..

So I created a interface on pfsense 10.1.1.253/24 and put this interface into that L2 network... Now when I want to access a camera at 10.1.1.X pfsense knows how to get there, but since since the cameras have no clue how to get to my 192.168.9.0/24 network other than sending to their gateway, the nvr at 10.1.1.1 it wouldn't work.. Same goes if they have no gateway..

So you create an outbound nat on pfsense that says hey when sending traffic to 10.1.1 make it look its coming from your 10.1.1.253 address, so the cameras just think some other device on 10.1.1 is talking to them and talk directly back to it.

outboundnats.jpg

Your comment gave me the bug..., I double-checked my LAN host conf and found out that on the LAN host, there was a static route that was sending packets to the LABO network using the wrong gateway... I'm really sorry to have taken your time for such a stupid thing... thank you very much for your time and your help...

Fixed

once i disable log packets default block rules i could then disable passed rules

reset log files ;)

For the sake of completeness for future search results...

I had an empty interface on my pf box so I brought it up as a separate subnet and moved my TrueNAS server onto it. I updated my firewall alias to point to the new IP address, pointed the other internal subnets' forwarding rules back to the alias, put my split horizon DNS rules back in place, and everything is working as it should.

I know it's academic now, but I'd really LOVE to find out what was causing my issues in the first place.

@johnpoz I don't know. I didn't have any upload issues for 4 days at this point and nothing changed since then.

@Peter-VARGA You can select an interface for "auto" rule generation:
9b26195f-4c0b-43b0-bff0-d6fdb3d31f7d-image.png

@viragomann @SteveITS
Thank you gentlemen!
It works now. viragoman put me in right direction.
No need to open any ports on clients windows FW or anything else, just correct NAT rule.
I have 2 clients in secure dep., one with 3389 and second with 3390 RDP port (have to change default RDP in windows).
Then clone standard NAT rule and just change redirect target and RDP port.
Here is my config, that works.pfSense_NAT.png