Wait, I just discovered that I can access my ext. IP, which sends me to the PFsenseGUI. However, I had one of my friends enter my ext. IP, and he can't access anything, so I think I overreacted.

@katakuri said in Firewall Rules and the Gateway:

But when traffic has to go through the gateway, such as traffic going to the internet, the destination for the traffic will be the actual target, not the gateway itself, right? Traffic destined for outside the subnet is sent to the gateway but for the firewall the actual target is the remote address?

Yes.

Firewall rules in pfSense work at layer 3. Each IP packet includes the source and the destination address in its header. These are evaluated by pfSense for filtering the traffic.

The gateway, however, is a case of layer 2. A packet can be sent to the gateway (per hardware address) even the destination address is something different.

@bmeeks got it, thank you

@katakuri said in Firewall Rules Order:

But a floating rule could veto an outbound packet on the WAN interface that was passed from a LAN rule?

Yes. But, as a beginner, you should not consider any floating rules anyways. Even if you are not a beginner, you would not use them unless you absolutely have to. 99.9% off all rules have the direction "in" and therefor can be created anywhere else.

@johnpoz You nailed it. ntopng is installed!

@pfsense57352 I am new to pfsense and It might seem a bit overkill to install Home Assistant just to monitor pfsense, but the built in integration is really nice and I don't know your use case.

It even has an addon that runs locally called Uptime Kuma (basically an uptimerobot alternative).

The ha pfsense addon has a lot of sensors... just fyi here is a home assistant page where I get info from pfsense:

pfsenseha.jpg

@Gertjan
Thanks, friend.

I thought that Pfsense, like Fortigate and Palo Alto, was capable of creating rules based on users, so how can I do this mac and dhcp connection?

@cosmos-tong thanks but no thanks.

idiom. used to say that you are grateful to someone for offering something but that you do not want to accept the offer; sometimes used humorously when you are not really grateful:

@patient0 Ugh, this is embarrassing /:()

@johnpoz Thank you for your answer.

First of all I saw that documentation page. It says "A safe assumption is approximately 1K of memory per entry to be conservative." so I assumed that I could use that number.

I love pfsense (I have four Netgate devices), but there are some issues with it, and this is one of them. It would have been nice to have this information in the GUI, or perhaps auto-adjusted limits.

Adding 200 000 more to the limit fixed my problem.

@louis2
What rule ?
What interface ?
What log settings ?

edit :

74e1219f-ef00-4b06-b483-bd3abd2613a8-image.png

and things will calm down.

@louis2 https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#ip-options

@Gertjan
Done thanks. 👍

I just checked, you are correct. First action on PRI5 is block and second action on Europe is match =)

@patient0 ok thanks

@helis821 forgot to say - also doesn't work with windows firewall disabled

@CreationGuy said in Allow only outbound connections to one ext. IP and port:

edit: although, I do like to see the external attempts on getting into the router...

Wrong ... 😊
That would be like looking in the barrel of a gun to see if a cartridge (bullet) is loaded.
Not the best way of checking things.

Every blocked packet will match the default block rule .... that's ok, and can be done rather quickly, but if every blocked packet also needs to be written out in a file - the firewall log, then every blocked packet will use loads of CPU cycles.
If 'they' know that you are doing that, they will ramp up the traffic quickly - this is what DOS is, your log file will fill up very quickly, your pfSense will get hot and goto "100 % CPU usage" , and if a log file rotating goes wrong your disk start to fill up => bommmmm assured.
Is your disk an emmc (see other forum threads) ? Your disk will be dead in the near future => another boomm.

Apply the good old rule : keep a low profile and nobody will knock on your WAN door.
After all, your WAN interface is probably constantly probed for possible allowed in-going connections. You can't stop ** that. It's part of the Internet. See it as the back ground noise.
It's like living in a huge building with many front doors : kids are constantly pulling your door bell. Up to you to stay alert behind the door to see who is ringing ....

Even worse : if you get DOSsed, there is only one thing you can do : call your ISP and make "them" (the dossers) stop. They'll tell you they can't ... but they can pull the plug for you - or you pull the plug yourself = remove the WAN cable for a moment.
Or wait it out you doing nothing, pfSense can handle it : black-holing traffic is easy, you are after all limited to the bandwidth you have.

Actually, you can : put a firewall in front of your firewall.

So, ok to have a look at what happens at the WAN gate ones in a while, just don't forget to stop logging when your done.

edit : If your pfSense is behind a (CG)NAT or your ISP router : you won't see anything on WAN, as the upstream firewall / router / NAT device already took the bullet for you.