  • 0 Votes · 16 Posts · 122 Views
    Thank you all for helping me. In the end I've managed to make it work. As you said, the following rule(s) were necessary to access devices on OPT1 and OPT2 respectively. [image: 1760577607694-4278df83-2799-41fa-a032-8ae0b9205d44-image.png]
    There are some things that I learned along the way:
    - When spoofing a MAC address, don't spoof it on the interface you are accessing the web GUI from.
    - Don't spoof the WAN MAC address while connected to the internet. Do it with the WAN port disconnected. Also, clear the DHCP leases on your upstream modem/router.
    - When you already have an enabled interface but then want to spoof its MAC address, delete the interface first and then recreate it with the spoofed MAC address. Re-enabling doesn't work properly.
    - Sometimes the device you're trying to access doesn't allow access from a different subnet. This is the case with my OpenWRT router, but my home server works flawlessly.
  • TFTP cross vlan and TFTP proxy
    0 Votes · 13 Posts · 138 Views
    stephenw10
    Yes, I reproduced it here and asked our devs about it, who confirmed the likely cause. Work is in progress.
  • Nxfilter not working with pfsense captive portal
    0 Votes · 2 Posts · 44 Views
    It worked! I needed to add the NxFilter IP in Captive Portal > Allowed IP Addresses... However, for blocked sites, for example in the Porn category, the NxFilter blocking page is not displayed; the browser just keeps spinning without accessing the site. I will continue looking for a solution for this. [image: 1760523860187-1dbf1da9-2786-446f-8ac2-30b77b06b1a3-image.png]
  • inbound stun traffic disappearing
    0 Votes · 2 Posts · 38 Views
    Just to prove to myself that I'm not a complete idiot, I have set up a VPS and installed eturnal there. It functions perfectly fine there. (It is not behind a pfSense, but I have enabled ufw. To be fair, the setup in my home lab is much more complex than that of the VPS. But bottom line: I can set up eturnal to work. So it would seem to be my inability to configure pfSense.)
  • Prioritizing WAN gateway monitoring ICMP traffic
    0 Votes · 1 Posts · 37 Views
    No one has replied
  • Is it possible to redirect local traffic
    0 Votes · 4 Posts · 3k Views
    I just wanted to follow up and not leave you guys hanging. I realized that only web traffic needed to be behind the reverse proxy (for the WebIF), whereas SIP and RTP did not. I am already using split DNS, but I set up one DNS entry for PBX.fqdn that points to my reverse proxy, and SIP.fqdn to point to my actual server. That way, my phones can be directed to the SIP server, and my web browser to my proxy. Done. However, since I disabled all IPv6 traffic on my network, I was having issues connecting from outside, as was mentioned. Now I have the PBX system moved to a $5/month cloud server. Time will tell if it has enough resources to accommodate my usage. It has a setup similar to the aforementioned.
  • Allow firewall rules for home lab
    0 Votes · 5 Posts · 86 Views
    @viragomann Thank you, I appreciate it. The aim is to allow access to my VMs from the WAN side (home network) and effectively use the pfSense device as a router with the NAT functionality enabled for the LAN side VMs to access the internet.
  • OPT1 Firewall Rules
    0 Votes · 26 Posts · 448 Views
    johnpoz
    @turku31 so what was it? It's nice to leave what you found as the problem, to possibly help the next guy out.
  • Return unique identifier when packet is received from outside system
    0 Votes · 3 Posts · 68 Views
    @martinez Thank you for your help and input! I'm aware of several ways that I could handle this, most of which involve opening a port and running a program on either the local or remote side. When faced with the issue I thought, wouldn't it be nice if something that already exists and is well tested could be "used" in such a way that it solves the problem without introducing more risk, which is why I asked the question here. If there is no such option using the firewall directly, then a WireGuard tunnel between pfSense and the remote system might be the best option?! Allow incoming ICMP on the WireGuard interface only, block everything else. The connection would be via dyndns entries and will only be active, and the ping possible, if the DNS entry is up to date, so a simple ping to the pfSense's WireGuard interface IP address would indicate dyndns is up to date. Or are there better options?
  • Default Deny Rules
    0 Votes · 14 Posts · 189 Views
    @Bob.Dig once again you guys are not being helpful. Thanks for nothing
  • TCP:SAE
    0 Votes · 4 Posts · 85 Views
    johnpoz
    @kojol Why would your traffic be asymmetrical? That is your problem - fix the asymmetrical flow. So I take it your client is 10.3 and it is sending its SYN to this 10.2 box on port 8009, but that did not flow through pfSense; if it did, pfSense would create a state and allow the return traffic (SYN,ACK). You have a masking problem; do you have a common L2? When you create segmentation in your network, traffic should flow through pfSense in both directions. If pfSense sees some SYN,ACK and it never saw the SYN to open the state, then yeah, your traffic would be blocked. If your segments are properly isolated there should be no way possible for 10.3 to talk to your other segment at 10.2 without flowing through pfSense, and the same goes for the return traffic. Do you have a common L2 network and a mismatched mask, where your client on 10.3 thinks 10.2 is on its network and just sends the traffic there directly, but your device on 10.2 thinks 10.3 is a different network so sends its reply (SA) to pfSense?
  • pfSense Slow Inter-Subnet Traffic: 1Gb LAN to 10Gb TrueNAS
    0 Votes · 5 Posts · 128 Views
    @SteveITS yes, I totally agree, I wouldn't think that with something like this I would have issues. Unfortunately, I still have no luck with this. I have rules in place like this:
    pfctl -s rules | grep 192.168.140
    block drop in log on ! cxgb0 inet from 192.168.140.0/24 to any ridentifier 1000005670
    block drop in log inet from 192.168.140.1 to any ridentifier 1000005670
    pass in quick on cxgb0 inet proto udp from any port = bootpc to 192.168.140.1 port = bootps keep state (if-bound) label "allow access to DHCP server" ridentifier 1000005692
    pass out quick on cxgb0 inet proto udp from 192.168.140.1 port = bootps to any port = bootpc keep state (if-bound) label "allow access to DHCP server" ridentifier 1000005693
    **pass in quick on cxgb0 inet from 192.168.140.0/24 to any no state label "USER_RULE: Test rule for the chelsio card" label "id:1760030697" ridentifier 1760030697**
    Then there is the rule on the other interface:
    pfctl -s rules | grep 192.168.120
    pass in quick on ix1 inet proto udp from any port = bootpc to 192.168.120.1 port = bootps keep state (if-bound) label "allow access to DHCP server" ridentifier 1000002542
    pass out quick on ix1 inet proto udp from 192.168.120.1 port = bootps to any port = bootpc keep state (if-bound) label "allow access to DHCP server" ridentifier 1000002543
    pass in quick on ix1 inet from 192.168.120.0/24 to any no state label "USER_RULE: Test rule for the Chelsio card" label "id:1760030595" ridentifier 1760030595
    If I disable the firewall globally, there is traffic like so:
    Connecting to host 192.168.140.10, port 5201
    [  5] local 192.168.120.116 port 58272 connected to 192.168.140.10 port 5201
    [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
    [  5]   0.00-1.00   sec   114 MBytes   953 Mbits/sec    0    424 KBytes
    [  5]   1.00-2.00   sec   112 MBytes   944 Mbits/sec    0    597 KBytes
    [  5]   2.00-3.00   sec   111 MBytes   927 Mbits/sec    0    626 KBytes
    [  5]   3.00-4.00   sec   112 MBytes   938 Mbits/sec    0    658 KBytes
    [  5]   4.00-5.00   sec   111 MBytes   933 Mbits/sec    0    765 KBytes
    [  5]   5.00-6.00   sec   111 MBytes   933 Mbits/sec    0    803 KBytes
    [  5]   6.00-7.00   sec   111 MBytes   933 Mbits/sec    0    841 KBytes
    [  5]   7.00-8.00   sec   112 MBytes   944 Mbits/sec    0    841 KBytes
    [  5]   8.00-9.00   sec   111 MBytes   933 Mbits/sec    0    841 KBytes
    [  5]   9.00-10.00  sec   111 MBytes   933 Mbits/sec    0    881 KBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bitrate         Retr
    [  5]   0.00-10.00  sec  1.09 GBytes   937 Mbits/sec    0             sender
    [  5]   0.00-10.00  sec  1.09 GBytes   934 Mbits/sec                  receiver
    iperf Done.
    If I enable the firewall, there is this:
    Connecting to host 192.168.140.10, port 5201
    [  5] local 192.168.120.116 port 47334 connected to 192.168.140.10 port 5201
    [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
    [  5]   0.00-1.00   sec   419 KBytes  3.43 Mbits/sec    2   1.41 KBytes
    [  5]   1.00-2.00   sec  0.00 Bytes   0.00 bits/sec     1   1.41 KBytes
    [  5]   2.00-3.00   sec  0.00 Bytes   0.00 bits/sec     0   1.41 KBytes
    [  5]   3.00-4.00   sec  0.00 Bytes   0.00 bits/sec     1   1.41 KBytes
    [  5]   4.00-5.00   sec  0.00 Bytes   0.00 bits/sec     0   1.41 KBytes
    [  5]   5.00-6.00   sec  0.00 Bytes   0.00 bits/sec     0   1.41 KBytes
    [  5]   6.00-7.00   sec  0.00 Bytes   0.00 bits/sec     1   1.41 KBytes
    [  5]   7.00-8.00   sec  0.00 Bytes   0.00 bits/sec     0   1.41 KBytes
    [  5]   8.00-9.00   sec  0.00 Bytes   0.00 bits/sec     0   1.41 KBytes
    [  5]   9.00-10.00  sec  0.00 Bytes   0.00 bits/sec     0   1.41 KBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bitrate         Retr
    [  5]   0.00-10.00  sec   419 KBytes   343 Kbits/sec    5             sender
    [  5]   0.00-10.00  sec  65.0 KBytes  53.3 Kbits/sec                  receiver
    iperf Done.
    I don't know what is going on and what is stopping the traffic, even though it is allowed. I also updated the system to 2.8.1 this morning, but this did not make any change. Ideas, guys?
  • LDAPS 636 problems with pfsense
    0 Votes · 12 Posts · 6k Views
    I can verify that a (public) wildcard cert does not work; the specific hostname must be present in the certificate. I think this is not really well documented, because I struggled with debugging this a few years ago myself.
  • Filter reload causes CPU and latency spike
    0 Votes · 2 Posts · 85 Views
    Just been doing further testing: disabling SMP via the boot loader conf, as per the 2020 threads, does help. I now just get split-second interruptions to Teams calls rather than minute-long ones and network dropouts, and also just a couple of spikes in latency. CPU does spike to 55%, but it is now running on one core only due to disabling SMP. So it does look very similar to the bug reported in 2020. Anyone else seeing this behaviour?
  • Packet flow data to orion not showing
    0 Votes · 3 Posts · 89 Views
    One more item is that I have an interface group called all_interfaces, and have assigned all my interfaces into that group. All my rules are under that interface group. Is that why netflow is only showing sync?
  • 0 Votes · 1 Posts · 44 Views
    No one has replied
  • pfsense plus on Azure - PAT not working
    0 Votes · 4 Posts · 70 Views
    @MtMt Also remember that access to the RDP server is not allowed from outside of the subnet by default in Windows. You have to configure its firewall accordingly.
  • PHP Fatal error
    0 Votes · 7 Posts · 1k Views
    Gertjan
    @jsseb said in PHP Fatal error:
    > .. but they have been in place since day one.
    For what it's worth: I'm seeing the same thing: [image: 1759300409504-92aa08e1-c0a0-46cf-b8e6-884b5af6d3c4-image.png] which looks like a floating number, but isn't ... I've 16 of them. Using 25.07.1 for weeks now. So, whatever the issue was, this wasn't it.
  • IP Block List - Do I need pfBlockerNG to block IP Addresses?
    0 Votes · 5 Posts · 742 Views
    johnpoz
    I use pfBlocker for alias management, while I do have some other just native aliases. I use pfBlocker functionality to manage more complex lists. Example - here is my scan deny alias, which contains some ASNs and lists from different locations that scan for open ports, like Shodan, etc. [image: 1759247068669-scandeny.jpg]
    And I use another list for stuff that needs to be allowed that might be blocked by a list like scan deny. This list contains country-based IP lists, and other lists provided by services like Plex and monitoring services that check whether my service is up, etc., which I use to alert me if something goes down. [image: 1759246930777-allow.jpg]
    I don't really use any of the other features of pfBlocker, but I do love its easy management of just native aliases. You can also easily add just one-off networks/IPs, etc., to the alias you create in the bottom custom section. [image: 1759247195644-custom.jpg]
    When bored or whatever, I take a look at my firewall log, and if I notice something scanning but not in my scan deny list, I will look up the details and normally block the whole netblock, etc.
  • Alias edits causing firewall rule black holes
    0 Votes · 11 Posts · 2k Views
    @Gertjan if I run this little bit of PHP:
    $file = 'test.txt';
    file_put_contents($file, "BLOCK ANY | No internet via this device" . PHP_EOL, FILE_APPEND);
    The piped text is appended just fine to my test file, so I think the script crash is more related to the code printing the contents of the filter_reload_status file.