Firewalling

• G

  FW rule by source network device
  • Gullytrotter

  2
  0
  Votes
  2
  Posts
  64
  Views

  I

  it sounds like youre trying to do policy based routing, and this is definitely something you can accomplish with PFSense. Youre going to want to define gateways, and in the advanced option of a firewall rule (at the bottom of the rule edit page) you can define a gateway to send traffic to that matches the rule.
• P

  Backup fails with SSL or certificate error during certificate validation behind pfsense firewall
  • philipo

  2
  0
  Votes
  2
  Posts
  46
  Views

  I

  where did you perform the packet capture? Start by replicating the issue and performing a packet capture as far from the client as possible, and work your way in. For example: Client -> PFSense -> InSync Cloud Perform a packet capture and verify you see client AND server hellos between PFS and InSync cloud (On WAN interface). Next, perform a packet captrure between PFSense and the client (On LAN interface). Verify if client/server hellos are also present. Client and Server Hellos If present on WAN and not LAN, there is a rule blocking traffic somewhere. Verify Firewall rules, IDS/IPS, geo-protection, and NAT. If not present on WAN nor LAN, verify you're not attempting to access the service from a blocked IP. This is usually common when accessing services via a VPN provider. Things to check for in this case: -Confirm connectivity to the InSync Cloud. Ping, https, etc. anything to confirm you can communicate with the service -Verify client configuration for the backup is correct. I'm not familiar with this particular service, so perhaps the client config has a typo in the user/password, is configured to target an incorrect server, or the application may be throwing event logs explaining the issue. -Lastly, and probably not the case, Take the proposed cipher list from the client hello packet and confirm with InSync that they're configured to accept any of them.
• G

  Need to understand why traffic is allowed
  • Gryman

  2
  0
  Votes
  2
  Posts
  55
  Views

  I

  After I created an interface on the 498 VLAN, called VL498, I was able to ping and ssh to 10.4.98.4/24 without adding any rules to the VL498 interface. My understanding is that interfaces have implicit deny by default. This is where I need to understand why this traffic is allowed. While, it's working as I want currently, it shouldn't be working as I did not allow the traffic through. from where? you likely have a rule on the incoming interface to allow this. Please post your firewall rules for the relevant interfaces.
• M

  how can i stop logs for ipv4 IGMP but still log default deny
  • mrwaltman

  17
  0
  Votes
  17
  Posts
  174
  Views

  M

  Wow. Was on site tonight. Pull WAN2 (ix0) cable, all IGMP packets stop, no logs obviously. Bogon/private logging turned off, Default deny logging was on. Only when WAN2 cable plugged in do the IGMP blocks fill the logs at more than 250 per second. I have only one rule now, a floating rule States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions 0 /377 KiB IPv4 IGMP * * * * * none block IGMP float This rule does not fire at all. If I disconnect WAN2 interface (pppoe over wifi dsl) then the default deny logs stop, and the floating rule above starts! It makes sense now, that the default deny rule is seeing ix0 as the INF name, not WAN2 as I've named it. It also makes sense that if I disconnect the PPPOE connection, the port is still active and the packets are still coming in, regardless of whether PPPOE has authenticated. It also would be expected I guess that the floating rule sees ix0 as the INF. On the occasion that I see a regular tcp block in the log on WAN2, it is referred to correctly (meaning not ix0). What's odd, and maybe someone can explain, is why would the interface being authenticated to PPPOE cause the floating rule to not work at all, and indeed it would seem no IGMP rule has any effect either floating or on the WAN2 interface, while PPPOE is in connected state. Does anyone know why or know how to alleviate this issue?
• H

  Noob question.. VPN client behind pfSense can't get to internet
  • Hossius

  4
  0
  Votes
  4
  Posts
  31
  Views

  H

  Update - it works from a different PC, so now I know its a problem with this linux machine. The route command comes back with nothing... but netstat -rn output looks good. I'm going to re-do this machine I think.
• A

  Freeradius and Lightsquid
  • akshayhomkar

  1
  0
  Votes
  1
  Posts
  10
  Views

  No one has replied

• D

  public carp and private wan ip adresses, how to build firewall rules for internet access
  • Duckdave

  2
  0
  Votes
  2
  Posts
  17
  Views

  D

  i figured out that this is working for my purposes: But do i always need a block rule for all other interfaces? Is there nothing similar to a implicit deny rule? (like i see at a fortigate)
• P

  Pfsense blocking Drucva InSync
  • philipo

  29
  0
  Votes
  29
  Posts
  159
  Views

  

  If you can get a list of IPs their server are using you can bypass those as destinations for the proxy. But since they have presence across AWS it will be a very large list or maybe not possible at all. Steve
• D

  Amazon FireTV and Pfsense' ARP Table
  • davoodoo

  2
  0
  Votes
  2
  Posts
  31
  Views

  

  What that timer is about is the time since the last successful ARP request. If everything else on the LAN is OK, I'd say the problem is with that TV.
• 

  Unexpected Alias behavior with FQDN
  • IsaacFL

  2
  0
  Votes
  2
  Posts
  27
  Views

  

  As part of my testing, I also created another Alias, HOST_ISAACFL_v6, and used it for the ipv6 firewall rule. Even with a different alias it still did not get the AAAA record in Diagnostics \ Tables. I verified with a port scanner that the traffic did not get through. Since I have only the one host, I just created a duplicated AAAA record in my local Host Overrides, so that is as far as I went with it.
• I

  Pfsense and myqnapcloud cloundlink
  • ichibansenshi

  9
  0
  Votes
  9
  Posts
  256
  Views

  

  so what does the client log show? Is it trying to connect to your pfsense public IP? What does the openvpn log on pfsense show?
• M

  LAN net (macro) as Source vs specifying any (*) as Source in a rule
  • moelassus

  5
  0
  Votes
  5
  Posts
  74
  Views

  

  It is even more critical when you have rules with a gateway set. If you allow from a source of * and have a gateway set, it's possible to accidentally cause pf to forward broadcast traffic which could cause a network traffic loop.
• K

  Public networks behind firewall
  • Krisbe

  10
  0
  Votes
  10
  Posts
  71
  Views

  K

  I think I found the answers here: https://docs.netgate.com/pfsense/en/latest/book/firewall/methods-of-using-additional-public-ip-addresses.html https://docs.netgate.com/pfsense/en/latest/book/routing/routing-public-ip-addresses.html One more question. I want to use a few of these public IP's on devices on another pfSense interface. How can I do that?
• D

  Unable to route only torrent traffic over VPN
  • DutchSamurai

  3
  0
  Votes
  3
  Posts
  34
  Views

  D

  Okay figured out part of the problem. Had to open some additional ports for the tracker URL's to work. Now I can route torrent traffic over the VPN if I set the source port, but I still can't manage to have traffic go out by filtering on the destination port.
• B

  Measure DPI perfomance on 10Gbps NICs
  • birdperson

  3
  0
  Votes
  3
  Posts
  77
  Views

  B

  @stephenw10 Hey Stephen thanks for your reply. We are indeed looking into Snort right now, although we have changed the way we are gonna test it. We will try use iperf with the -F (file input) flag set with a text document containing the phrase to be blocked. But anyway I'll head to IPS/IDS section with further questions. Benjamin
• R

  Block ALL from pfSense box but pass all routing...
  • Rasstace

  6
  0
  Votes
  6
  Posts
  101
  Views

  

  Hmm, about the only way I can see that working is if you add a virtual IP on the WAN and use that as the translation address for traffic from the LAN. Then you can add a pass rule for that above the block rule for everything from 'this firewall'. Steve
• D

  Tags not working, gateway down but pfsense still sending traffic over it... firewall basically not working
  • DutchSamurai

  4
  0
  Votes
  4
  Posts
  30
  Views

  D

  @johnpoz Thanks, that was the problem. Did a few quick tests with that setting enabled and now everything appears to be working as intended.
• D

  Unable to access single host on LAN from OpenVPN
  • DutchSamurai

  2
  0
  Votes
  2
  Posts
  29
  Views

  

  @dutchsamurai said in Unable to access single host on LAN from OpenVPN: I can access all hosts apart from a single one. So how does that have anything to do with pfsense then? Prob as something as simple as that host running a firewall.
• S

  Fields for IPv6 logging entries
  • securvark

  4
  0
  Votes
  4
  Posts
  73
  Views

  S

  Oke how about this? I haven't looked at ICMP yet but IPv4 and 6 should be almost correct: Updated: IPv4 TCP regular expression: ^filterlog:\s+.*,(in|out),4,.*,tcp,.*$ Column Headers: RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength,TCPFlags,Sequence,ACK,Window,URG,Options IPv4 UDP regular expression: ^filterlog:\s+.*,(in|out),4,.*,udp,.*$ RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength IPv6 TCP regular expression: ^filterlog:\s+.*,(in|out),6,.*,TCP,.*$ RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,Class,FlowLabel,HopLimit,Protocol,ProtocolID,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength,TCPFlags,Sequence,ACK,Window,URG,Options IPv6 UDP regular expression: ^filterlog:\s+.*,(in|out),6,.*,UDP,.*$ RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,Class,FlowLabel,HopLimit,Protocol,ProtocolID,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength IPv4 ICMP Echo regular expression: ^filterlog:\s+.*,(in|out),4,.*,icmp,.*,(request|reply),.*$ RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,ICMP_Type,ICMP_ID,ICMP_Sequence IPv6 ICMP regular expression: ^filterlog:\s+.*,(in|out),6,.*,ICMPv6,.*$ RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,Protocol,ProtocolID,Length,SourceIP,DestIP,UnknownFld Please correct where I am wrong and fill in the question marks if you can. There's an empty field on ICMPv6, I called it "UnknownFld", because, uh, I don't know what it is . Thanks! PS. If these fields are correct, you may want to update your wiki documentation with it.
• R

  PHP Parse error: syntax error, unexpected ';'
  • rexchow

  3
  0
  Votes
  3
  Posts
  72
  Views

  K

  @mikeisfly Hey it says on Github that this bug has been fixed
• L

  Unable to select gateway in firewall rules.
  • linuxgae

  3
  0
  Votes
  3
  Posts
  60
  Views

  L

  Found it under advanced. Thought I had looked through advanced before. Guess I'm just getting old and tired.
• R

  Firewall Rule to limit IP cameras from getting internet access
  • richtj99

  7
  0
  Votes
  7
  Posts
  137
  Views

  R

  Hi, I have it setup with static IP's for each camera, then each camera has been added into an Alias (Cameras). The only way I could get it working was with the !Lan part of my rule. I dont really understand why that works as it was trial and error to get it working. @akuma1x said in Firewall Rule to limit IP cameras from getting internet access: @richtj99 said in Firewall Rule to limit IP cameras from getting internet access: @akuma1x How do i give them no internet while being on the same subnet/single vlan? This is how I do it: All of these cameras need to have static IP Addresses setup in the DHCP server section for the subnet/network your cameras are on. Then make an Alias for all the cameras. This is found under the Firewall tab up at the top of the screen. Once the alias is made, you can create a single firewall rule, on the subnet/network your cameras are on, and deny it access to the internet. Make this rule the top-most rule in the list, right under the anti-lockout rule. Denying access to the internet is pretty simple, if in fact you want to deny access to ANY external internet service. On that last firewall rule, set your action to reject or block, set the protocol to ANY, your source to single host or alias using the ALIAS you created above, and the destination to ANY. This sets the rule up so no ALIAS traffic leaves the subnet/network, including traffic bound for the internet. Jeff
• F

  Need help setting two WAN IPs to HAProxy
  • Fred83

  2
  0
  Votes
  2
  Posts
  52
  Views

  F

  Turns out my logic was correct, I was just mistaken on the settings for the firewall rule. All traffic from outside to the VIP from all protocols and it is now working.
• I

  google stop working automatically some time(pfsense-2.4.4) .
  • itsupport_debut

  6
  0
  Votes
  6
  Posts
  83
  Views

  

  Ok. Here it is : several thousands of pfSense installations, and yours is blocking "Google". We all have the same code base. Only our settings are different. I propose that you detail your settings / packages, etc. What will work right away : reset to default settings. Activate WAN. Do nothing else. Do not add any packages. Your problem will be solved.
• J

  Easy Question: Block all outside DNS except Pihole
  • jay226

  7
  0
  Votes
  7
  Posts
  92
  Views

  

  His method is cleaner easier to read, and better in the long run. Inverted rules can be useful, and I do use them, they are not for everyone ;)
• 

  Disable or prohibit routing between local subnets
  • morgenstern

  9
  0
  Votes
  9
  Posts
  100
  Views

  

  ping or (icmp) is not tcp/udp ;)
• S

  Single Host Entry Disabled - Why?
  • stevemac00

  3
  0
  Votes
  3
  Posts
  29
  Views

  S

  Agree - seems like a GUI bug. To answer your question, yes in this case I want it limited to a single alias (it's for sync mirroring). I have tried changing back to every menu item and it's always disabled. In fact, all my NAT entries on this device are disabled when I try to change to single host/alias yet on a "matching" device in another location it's fine. If I create a new NAT entry it's also disabled. If nobody knows, I guess I can save a backup, change backup XML and then restore the backup.
• L

  IPVanish VPN client works, internal network doesn't.
  • lpiatt

  5
  0
  Votes
  5
  Posts
  144
  Views

  L

  I have three interfaces, LAN, WAN and the VPN. All three have these options unchecked. I would like the 192.168.2.* to be able to talk to the 192.168.1.* I decided to change my VPN to NordVPN instead of IPVanish but the results are the same. I followed this how-to to set it up: https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/ My network topology is fairly simple: I have these firewall outbound rules, no other firewall rules have been implemented:
• G

  v2.4.4_p2 Log puts tracker number instead of description
  • gwaitsi

  9
  0
  Votes
  9
  Posts
  61
  Views

  

  And if you don't want to log it who says its still there... Put in a feature request if you want it to put the desc on old log entries that are no longer set to log ;) No future entries will be put in, etc. What if you edited the rule and its ID changed, how would it find the OLD Desc, etc. What if you change the desc, etc.
• T

  Need help with forwarding web trafic to the proxy sever on the network
  • tanja84dk

  8
  0
  Votes
  8
  Posts
  110
  Views

  T

  it still wont work and have even tried to reboot the pfSense earlier today
• K

  VLAN Setup Advice
  • kiekar

  3
  0
  Votes
  3
  Posts
  120
  Views

  K

  Hi and thanks for your reply, I recently raised another thread on my setup not working. Thread 140443
• K

  Correct GW for bridged pfSense box
  • krak3n

  4
  0
  Votes
  4
  Posts
  90
  Views

  

  Why can you not just leverage the Mik as AP? Then use pfsense as your edge firewall/router and for routing all your internal segments. This will give you insight and control over your internal network and to and from the internet. Just leverage the Mik as wireless. What specific model do you have?
• Q

  Speech path being blocked after call established
  • Qball

  2
  0
  Votes
  2
  Posts
  80
  Views

  

  @qball Since you're behind NAT, you need to use an STUN server to tell the other end what your real address is. There may also be some issues with maintaining the path through NAT for UDP.
• G

  Firewalling MAC addresses
  • garyd9

  37
  0
  Votes
  37
  Posts
  11977
  Views

  L

  I notice the last response is 2mo old, but... I am using SonicWalls with MAC addresses being used in the rules all the time - for the very reasons that the OP listed, with IPv6 being the more annoying bit for me. Filtering by IP is about as effective as milking a boar. Since I've used pfSense for ages and the SonicWall bits are kinda new to me I had asked an engineer how the Sonicwall does this effectively with such an anemic CPU, and was told that the rules essentially are updated when the MAC goes live on the network with whatever IP(s) the machine has. The documentation I've read for the Sonicwalls I've been managing indicate that they operate very similarly to how pfSense does, aside from not being based on pf. Since we have to record this information anyways and validate against DHCP/ARP, I'm not sure how-come pfSense can't do this? We're running CPUs that are worlds better than the junk in even the expensive Sonicwalls, so even if there was some overhead, I think it should be possible and even feasible. However I will digress in that I am not a programmer, and there may be some code sitting in the way that makes this incredibly expensive to do. It sure as heck would make my life much easier. I could set things to happen based on MAC and not give a crap what IP they have or if they manually set it to something else, or if they're using IPv6 which as stated before by OP and here is ineffective.
• P

  Forward all traffic
  • pavi

  2
  0
  Votes
  2
  Posts
  98
  Views

  

  I'd setup Site to Site VPNs with your home 100/100 as hub, your can route/NAT any traffic inside the tunnels back and forth like you want/need. Which coin are you going to run? -Rico
• S

  error loading the rules: no IP adresss found
  • silfin

  10
  0
  Votes
  10
  Posts
  129
  Views

  

  Have a look at Diagnostics Arp Table and NDP table
• M

  Got a lot of Default deny rule IPv4 (1000000103) from WAN, am I got hack?
  • michaelm0829

  24
  0
  Votes
  24
  Posts
  446
  Views

  

  @derelict said in Got a lot of Default deny rule IPv4 (1000000103) from WAN, am I got hack?: Still have a working (sort of) Altair 8800 in the family. The IMSAI was a better quality clone of the Altair.
• U

  Advice needed - way to give rule descriptions to syslog server
  • user2

  5
  0
  Votes
  5
  Posts
  177
  Views

  

  What about the rule's "tracking id'? You would still have to have to use something like Logstash to match the tracking ids to descriptions though. Your post got me curious so I tried it out. I created a CSV file from this one-liner and used the Logstash Translate filter plugin to map tracking id's to descriptions. As long as the fw rules are fairly stable, it's no too much of a pain. pfctl -vv -sr | grep USER_RULE | sed 's/[^(]*(\([^)]*\).*"USER_RULE: *\([^"]*\).*/"\1",\2/' | sort -t ' ' -k 1,1 -u Here's a screenshot from Elasticsearch alerting on my country blocking rule. Logstash added the description field. note: credit for the sed command goes to this guy on SO.
• S

  Camera VLAN - Firewall rules
  • spatak

  2
  0
  Votes
  2
  Posts
  109
  Views

  S

  OK, nevermind. I sorted through this. Took getting another computer up and onto the camera network to make sure things were working the way I wanted and took a bit to wrap my head around the rules for the camera interface as this was a bit more involved than my IOT implementation.
• T

  Erratic rule behavior for an alias
  • trumee

  3
  0
  Votes
  3
  Posts
  119
  Views

  T

  I decided to use my own dns server as domain override. To test the DNS server i tried it directly, $ nslookup > server 192.168.1.166 Default server: 192.168.1.166 Address: 192.168.1.166#53 > delta37tatasky.akamaized.net Server: 192.168.1.166 Address: 192.168.1.166#53 Non-authoritative answer: delta37tatasky.akamaized.net canonical name = a1279.w10.akamai.net. Name: a1279.w10.akamai.net Address: 122.15.34.35 and it works as seen above. Next i changed the Domain override as follows, But nslookup fails to work $ nslookup > delta37tatasky.akamaized.net ;; Got SERVFAIL reply from 172.16.1.1, trying next server ;; connection timed out; no servers could be reached Any idea what is wrong?