Firewalling

• C

  Want to Block 1IP from using Internet when VPN goes down
  • comet424  

  18
  0
  Votes
  18
  Posts
  64
  Views

  C

  yes i did what you said like i said it was working When I turned off VPN disabled it the 192.168.0.11 lost internet but trying to reactivate it... wouldnt work and then my entire internet was lost... as you can see i moved Lan Net to the top so it bypass's VPN you see it says its accessing internet yet nothing on the entire network has internet... its like its disabled but only thing i changed was the adding of the policy of Float and the Tag to the specific IP address like i said it was working then i disabled OpenVPN Client so i could see that 192.168.0.11 lost internet... i then tried reactivating my NordVPN client wasnt able to.. i now lost entire internet as it usually just skips the vpn and i uually use the WAN interface... but it isnt doing that... and i cant reconnect but if i roll back to the day before the one i started with... VPN can log in.. i switch back to what we did its like the WAN connection is blocked on the network i have had this kinda issue 3 times out out of the entire year since jan 2018 i noticed... if i send the config file you able to see what its blocking? but here is the rules
• 1

  Outbounding traffic from LAN
  • 19Giugno  

  14
  0
  Votes
  14
  Posts
  47
  Views

  

  @19Giugno said in Outbounding traffic from LAN: adding the pfsense as DNS to the machines make the job! Not adding - ONLY!! You can not point multiple dns that do not resolve the same stuff or your going to have a bad day.
• B

  Google captcha
  • bokikay  

  5
  0
  Votes
  5
  Posts
  80
  Views

  B

  @Gertjan Thank you very much sir. I got it now
• N

  Rules not working as desired on WAN interface
  • njlinuxmike  

  16
  0
  Votes
  16
  Posts
  53
  Views

  

  Yeah if you bridge you can control traffic that flows through the bridge. So yeah if you have input on one switch port that is bridge to the rest of your switch ports - then sure you could filter at the bridge point.
• H

  Firewall blocking live stream
  • higginscomputer  

  8
  0
  Votes
  8
  Posts
  76
  Views

  

  Sorry but being new to pfsense, you should not be installing IPS and Proxy and pfblocker out of the gate! As stated by bmeeks already.. Remove them and ramp up to using those advanced features. IPS for sure is not something you click and run with it. And to be honest pfblocker has become almost too powerful for the less experienced user..
• V

  I want to block some secure websites"like sports, news ,Socialnet".
  • vishantkamboj  

  3
  0
  Votes
  3
  Posts
  34
  Views

  

  Squidguard relies on squid. If you configure squid properly, you can filter HTTPS URLs without needing pfB.
• D

  Allow 1 Opt1 device to access 1 LAN device?
  • Dave07  

  9
  0
  Votes
  9
  Posts
  191
  Views

  

  You can edit the thread title and add solved to it if you so desire.. The time it took you to ask me to do it, you could of done it yourself faster ;)
• A

  [solved]Not sure what this is
  • Actionhenk  

  8
  0
  Votes
  8
  Posts
  39
  Views

  A

  Think I found the cause, there was a floating rule with source this firewall which had a port alias configured with port 443 at the near top of the rule list.
• A

  Automate easyrule from remote host
  • akvadrat  

  4
  0
  Votes
  4
  Posts
  944
  Views

  L

  @akvadrat said in Automate easyrule from remote host: min and not root. Is it not possible to set NOPASSWD when "running as" ad sorry for reply this old post, but i'm lookin for some like this... @akvadrat cant you share your workaround in fail2ban to write or execute the eary rule action... to add and remove the hosts ip address... ad the moddifield maked to pfsense box on sudoers etc .. thanks
• I

  Disable logging for "Default deny rule IPv4"
  firewall • • ibbetsion  

  3
  0
  Votes
  3
  Posts
  44
  Views

  I

  Thanks for the pointer to the settings tab. Dunno how I missed something so obvious!
• R

  [Solved] Can't get SMA solar inverter to communicate
  • rosch  

  23
  0
  Votes
  23
  Posts
  643
  Views

  O

  MIght be worth doing a packet capture on pfSense and opening it up in wireshark and filter on SIP. We are dealing all kinds of solar sma inverter in chennai
• B

  Problems pinging between IPs on a VLAN subnet
  • bwanajag  

  8
  0
  Votes
  8
  Posts
  71
  Views

  

  @bwanajag said in Problems pinging between IPs on a VLAN subnet: I understand clients on the same subnet do not need to route, but I don't understand why that means devices on a given subnet won't respond to pings from another device on the same subnet. pfSense is issuing IP addresses to devices connected to the VLAN (DHCP is working), but I cannot ping those devices from the ping tool within pfSense. Is this normal? One all devices have received their DHCP addresses, you could disconnect pfSense from the network entirely and it should not make a bit of difference between devices on the same subnet. Your problem is with those devices, not pfSense.
• I

  Should "Reserved Networks" be blocked when pfSense is behind an ISP router?
  firewall bogon • • ibbetsion  

  3
  0
  Votes
  3
  Posts
  63
  Views

  

  That is multicast noise most likely from your router it self, ie that 192.168.1.1, which seems odd that is being block by the ULA rule fc00::/7 ? If you do not want the noise, and your behind a nat.. Then either turn off logging of those rules.. Or create rules that specifically block the noise but don't log it.
• I

  Finding devices with hardcoded DNS
  firewall dns nat • • ibbetsion  

  3
  0
  Votes
  3
  Posts
  73
  Views

  I

  @elvisripley Thank you for that invaluable insight. I was able to make a few tweaks based on your guidance (caused lightbulbs to go off in my head!) and I am now able to see the queries!
• C

  Removing spurious rules that don't show in the GUI
  • cwdolphin  

  12
  0
  Votes
  12
  Posts
  57
  Views

  C

  @jimp So the main issue is that I'm getting errors in the GUI There were error(s) loading the rules: /tmp/rules.debug:116: syntax error - The line in question reads [116]: nat on lagg0.22 proto tcp from 192.168.100.0/24 to 1.1.1.1 port -> (lagg0.22) @ 2019-03-13 14:14:38 I assume that this is because the actual port value is missing so whatever is adding the rule is adding it wrongly. The same rule exists further up with the port specified. Assuming all the other rules aren't actually creating any problems despite the fact there is no reflection enabled then there's at least that one.
• K

  Block only google drive upload
  • koko_adams  

  4
  0
  Votes
  4
  Posts
  64
  Views

  A

  If it's as simple as drive.google.com, you could set the Domain Override in Services -> DNS Forwarder to resolve it to nothing. That's the "!" character in that entry. I say simple above, but it's probably not that cut-and-dry... I don't know for sure if google drive has a much larger reach, domain or IP address-wise. Read more about dns forwarder here: https://docs.netgate.com/pfsense/en/latest/dns/dns-forwarder.html Jeff
• P

  Good Case for Floating Rule? Duplicating rules across interfaces
  • pfsensefanatic  

  7
  0
  Votes
  7
  Posts
  82
  Views

  

  Yeah that's just VLANs. They are logically separate from each other and behave as separate interfaces. If you want to pass traffic from VLAN 1 to VLAN 2 you need to pass it. You can do what you want with floating rules. I just think interface group rules can be more straightforward.
• P

  Routing issues after Upgrade (2.4.4) - No (ICMP) Reply to packets
  • pf_Thomas  

  9
  0
  Votes
  9
  Posts
  115
  Views

  P

  Ok. HA is back and online... but the initial issue still exists :-( Nothing arrives at .102
• T

  samba 4 AD and pfsense
  • toni networking  

  7
  0
  Votes
  7
  Posts
  132
  Views

  T

  Thanks johnpoz is working now
• M

  Can't turn off default Deny Private Networks rule
  • mark hisel  

  13
  0
  Votes
  13
  Posts
  151
  Views

  M

  Right On johnpoz!!! Android just got a response from the server! Thank you very much!! You know, it seems like it should be easy, but it's kind of like driving through a new city on a complicated freeway. It's pretty easy to get overwhelmed. Thanks again !!
• L

  Credential Handshake not working on pfsense but working on normal router setup
  • Leckbush  

  3
  0
  Votes
  3
  Posts
  92
  Views

  L

  I resolve the problem. The IP we use in WAN was not allowed on the server side we're trying to login, So we can only reach login screen but can't login. Lmao
• K

  Issues with pfsense firewall log
  • koko_adams  

  9
  0
  Votes
  9
  Posts
  99
  Views

  

  That is not the capture.. Download the file and post up the pcap file. But 10.90.90.90 is your SWITCH IP, or is that the camera IP?
• R

  LAN to LAN rules, is it possible?
  • rfanch3r  

  4
  0
  Votes
  4
  Posts
  146
  Views

  A

  There are some screenshot instructions in that post I linked to. In a nutshell, on your LAN DHCP interface, you set the DNS server to the pihole address on the "other" network. Then, on your LAN interface, you make a port forward to get DNS traffic moving to the pihole. Allow that port forward to auto-create the companion firewall rule. Then point the pihole back to pfsense. And then, finally, set the DNS resolver to "enabled" in pfsense. That means the pfsense box will ultimately run the DNS resolving and caching for your LAN network, after it has been sanitized by the pihole system. Jeff
• T

  OpenDNS over OpenVPN
  • TomHBP  

  7
  0
  Votes
  7
  Posts
  135
  Views

  

  @tomhbp said in OpenDNS over OpenVPN: The internet connection goes down. What is the exact definition here ? Connection totally down or just DNS traffic ? Anyway, it's time to unhide your setup and rules.
• 1

  Filtering URLs
  • 19Giugno  

  5
  0
  Votes
  5
  Posts
  103
  Views

  1

  @bmeeks said in Filtering URLs: @19giugno said in Filtering URLs: @kom said in Filtering URLs: You can either tailor your port forwards to only allow specified IP addresses as Source, or you could do it via web server directives in the site's config file, or via .htaccess. But can;t I create an alias for List 1 and an alias for website 1 and a rule to match them? Only if website 1 has a different IP address from website 2. Firewalls work off of the IP addresses and port numbers in an IP header. They don't understand URL text. What would you put in the alias you create to differentiate between the two websites? The web server software itself (Apache, nginx, etc.) is what would read the incoming HTTP headers text and then route the request to the proper website. That's what @KOM was referring to: setting up filtering on the web server itself because that's the point in the chain where the acutal URL is decoded. Thanks!
• J

  Traffic blocked randomly
  • Jules13  

  14
  0
  Votes
  14
  Posts
  171
  Views

  J

  Yes I disabled hardware checksum offloading, Sorry I was sure I have said that it was a proxmox VM, but it is not the case. Yes I followed this tutorial to install PfSense
• I

  Blocking all IP's except a few one
  • ijazm  

  6
  0
  Votes
  6
  Posts
  86
  Views

  

  Ok for the image but it doesn't help us much to answer. What interface ? Restrict access to the GUI, and if so, http ? https ? both ? - or no access at all (no ICMP, no DNS, no TCP, no UDP, nothing) ? From LAN ? From WAN ?
• P

  How to Limit Steam Traffic PFSense
  • pixfour  

  1
  0
  Votes
  1
  Posts
  60
  Views

  No one has replied

• S

  Pfsense 2.4.4 no internet access! Help please! (Solved)
  • smrehan00  

  13
  0
  Votes
  13
  Posts
  214
  Views

  S

  @akuma1x @KOM Thanks guys for your help.
• T

  Pfsense in Stateless mode
  • Thoufiq  

  13
  0
  Votes
  13
  Posts
  246
  Views

  

  @jimp said in Pfsense in Stateless mode: So fix the other device so it doesn't do that :) Yea, don't I wish. Step 1 would be to define the problem, which I haven't been able to do yet. Or don't go stateless, but setup sloppy state rules: Unfortunately, sloppy state rules don't work either. My current goal is to get this working in stateless mode, and then slowly add firewall rules to protect things. I tried it the other way around (firewall rules first), but couldn't get pfSense to work long enough to get any work done. So the question remains, after I've tried 'allow all' rules that have the state set to either keep, sloppy, or none, and that doesn't work, and I can't throw out the oddball product, what do I try next to allow traffic thru.
• G

  Policy Server?? Work VPN
  • gsmornot  

  1
  0
  Votes
  1
  Posts
  59
  Views

  No one has replied

• N

  firewall for windows network
  • nikhil  

  3
  0
  Votes
  3
  Posts
  80
  Views

  

  Well said bmeeks.. A edge firewall is much different than a host firewall.. But with the right know how it is possible to do some application based filtering with the openappid and snort. https://www.netgate.com/blog/application-detection-on-pfsense-software.html But yeah that is going to be a steep learning curve for sure, for someone that had to ask the question in the first place. If your goal is to prevent applications from doing xyz - that is the place of a host firewall. But normally if your to a point where you want to filter chrome or skype from being used in windows environment you would just prevent those applications from even being installed by users.. If you can give us more info on your overall network - running AD? Are your window machine user managed - ie sort of BOYD setup? Or are they managed by You/IT dept? What exact sort of scenarios are you wanting prevent? Are you wanting to allow for example skype to be used to video call other users in your org/location/family - but not allow free access to anyone? etc.. This is where the suggestion of hiring the correct staff or company to manage your expectation of security is key.. Actually useful valid security always comes at a price.. Be it in the learning curve if your going to do the work yourself - or in the cost of the appropriate hardware and or licensing of specific software to do what you want to do with your current skillset. While you can for sure do some amazing things with pfsense be with something like OpenAppID or IPS in general or Proxy for filtering categories, etc. etc.. If you do not have the skillset or the staff that can leverage opensource or free/lower cost tools. Then you have to pay for the higher end stuff like like commercial based proxy or NGFW with application mangement like a PaloAlto or etc.. All have license cost that can be prohibitive for the smaller shops - and while they do make doing X much simpler since they do all the background work for you (reason for the license costs) you still need the appropriately skilled staff to manage them, etc. Implementation of valid security controls is also going to cost a price with your user community... Be it they could do X before and now it doesn't work, but to do their job (atleast in their minds) they need to do X, etc. etc So there will be learning curve and training required for the user community along with normally higher support hours/cost to manage the expectations and issues that the heightened security will create - atleast in the beginning.
• B

  Pfsense Azure - Internet by WAN and not by Azure
  • Brownie  

  1
  0
  Votes
  1
  Posts
  58
  Views

  No one has replied

• J

  New Install - Missing return TCP traffic to LAN
  • jacque8080  

  4
  0
  Votes
  4
  Posts
  96
  Views

  

  Dude you can not have your wan and lan in the same network - so yeah no shit nothing is going to work!
• S

  Re: [Pfsense 2.4.4 no internet access! Help please!](/topic/141182/pfsense-2-4-4-no-internet-access-help-please)
  • smrehan00  

  1
  0
  Votes
  1
  Posts
  52
  Views

  No one has replied

• 7

  How to setup pfsense as a front-end AV and firewall only
  • 7h3Monk  

  1
  0
  Votes
  1
  Posts
  81
  Views

  No one has replied

• A

  Limit traffic from Openvpn interface
  openvpn pia • • alep11  

  3
  0
  Votes
  3
  Posts
  78
  Views

  A

  @rico Thanks will take a look
• A

  Logging connections, not their content
  • anmnz  

  7
  0
  Votes
  7
  Posts
  162
  Views

  A

  Thanks @gertjan! I don't actually have the specific IP addresses my network is allegedly making connections to, but these instructions are excellent and showed me how to do what I wanted which is to log all outgoing connections from my network. Thanks very much indeed for taking the time!
• H

  Route to WAN with ExpressVPN enabled
  • hanzomain  

  1
  0
  Votes
  1
  Posts
  57
  Views

  No one has replied

• 1

  pfSense Firewall Rules
  • 19Giugno  

  21
  0
  Votes
  21
  Posts
  432
  Views

  1

  Thanks KOM for your help and your patience.