• Recommended white list duplicate removal bug work around

    0 Votes
    1 Posts
    19 Views
    No one has replied
  • Confused with firewall rules for OpenVPN

    0 Votes
    3 Posts
    110 Views
    @the-other , Thank you for your answer, and sorry for the late response. I have just finished some experiments with firewall rules. Based on your advice, I moved all rules from the generic OpenVPN tab to the OVPN1 tab, leaving no rules at that tab. Everything works in the same way compared to the previous configuration. I also read that page in the pfSense manual you shared before I raised my post, but I did not fully understand. After reading your example, it became clearer, and after the mentioned experiments with rules, it is fully clear. Hopefully, all my findings are correct: Rules on the OpenVPN tab have priority over the OVPN1 tab (=> In case an incoming packet matches some OpenVPN tab rule, OVPN1 rules are ignored => Rules on the OpenVPN tab are meant to be generic and common for all OpenVPN servers.) If there are no rules on the OpenVPN tab, there is a default message saying "No rules are currently defined for this interface All incoming connections on this interface will be blocked until pass rules are added. Click the button to add a new rule". This confused me. I was convinced that a state without any rule is fully equivalent to a state with a "block all" rule (IPv4+IPv6, any protocol, any IP, any port, etc.). But at least for the OpenVPN tab, this is not true, as I tested that in case there are no rules on the OpenVPN tab, rules from OVPN1 are applied, and everything just works. I just tried to add a "block all" rule on the OpenVPN tab, and remote clients lost connection. So the mentioned message is quite confusing in this case. Because if that message was correct, remote clients would not have had a connection. Thanks, Jan
  • Unresolvable destination alias

    0 Votes
    3 Posts
    37 Views
    OK! Turns out that in Firewall > Rules > LAN there were several old rule sets with aliases that mapped to those files. I deleted them, as they were no longer in use, then applied the config. Problem solved! Thanks.
  • What is 1000000103 doing on my LAN

    0 Votes
    8 Posts
    142 Views
    johnpoz
    @Felix-4 I have been in this biz for too long I guess - I don't need to see every little thing. Some stray SA is meaningless - it's noise, or stray UDP packets to any single port, etc. It's just noise. I have a rule at the end that blocks SYN to my address and logs. I have other rules that log specific senders that I block from scanning my ports, etc. I log those, etc. But some stray packet hitting my IP is many times just noise that clutters up the log with stuff I don't want to see. If I am troubleshooting something and want/need to see everything, it's a click of a button to turn default deny logging back on ;)
  • Aliases error - not updating system tables

    0 Votes
    1 Posts
    25 Views
    No one has replied
  • mDNS :5353 traffic swamping log file...

    0 Votes
    9 Posts
    170 Views
    That's it, guys. Thank you. I now have a log file that has useful stuff in it and will allow me to track the problem I was really trying to solve.
  • Why is the firewall filter sooo slow to access?

    0 Votes
    7 Posts
    149 Views
    My settings, filters, etc. load almost instantly (<1 sec) at home. It's running on a rather old HP Intel i5 with 4GB memory.
  • Firewall/NAT issue

    0 Votes
    3 Posts
    74 Views
    @viragomann I figured it out; I just had to restart my NAS.
  • URL Table - Update Frequency trick

    0 Votes
    5 Posts
    3k Views
    UP, is there any way for this to resume?
  • Rules not blocking inbound

    0 Votes
    8 Posts
    186 Views
    @johnpoz And thank you for pointing out that the outbound blocking rules don't do what I thought they did! :-)
  • pfBlockerNG and Google Earth on Debian Trixie

    0 Votes
    3 Posts
    198 Views
    @Uglybrian, Thank you, I will give that a try. Stuart
  • Default Deny Rules

    0 Votes
    15 Posts
    654 Views
    For other people's future reference: I had to switch to Ruckus router code and upgrade to their L3 Premium license to use the policy-based routing feature. Once this feature was enabled, the policy-based routing was very simple, similar to Cisco policy-based routing. However, it seems, as far as I can tell, that due to the state-based nature of the Netgate, the policy-based routes I was trying to set up just did not work. Unfortunately, no one on this forum was able to provide a workaround using the pfSense platform.
  • 0 Votes
    2 Posts
    90 Views
    @tross9 yes. There should be a tooltip if you hover over the X.
  • 0 Votes
    16 Posts
    629 Views
    Thank you all for helping me. In the end I've managed to make it work. As you said, the following rule(s) were necessary to access devices on OPT1 and OPT2 respectively. [image: 1760577607694-4278df83-2799-41fa-a032-8ae0b9205d44-image.png] There are some things that I learned along the way: When spoofing a MAC address, don't spoof it on the interface you are accessing the web GUI from. Don't spoof the WAN MAC address while connected to the internet; do it with the WAN port disconnected. Also, clear DHCP leases on your upstream modem/router. When you already have an enabled interface but then want to spoof the MAC address, delete the interface first and then recreate it with the spoofed MAC address; re-enabling doesn't work properly. Sometimes the device you're trying to access doesn't allow access from a different subnet. This is the case with my OpenWRT router, but the home server works flawlessly.
  • TFTP cross vlan and TFTP proxy

    0 Votes
    13 Posts
    496 Views
    stephenw10
    Yes I reproduced here and asked our devs about it who confirmed the likely cause. Work is in progress.
  • Nxfilter not working with pfsense captive portal

    0 Votes
    2 Posts
    233 Views
    It worked! I needed to add the NxFilter IP in Captive Portal > Allowed IP Addresses. However, for blocked sites, for example in the Porn category, the NxFilter blocking page is not displayed; the browser just keeps spinning without accessing the site. I will continue looking for a solution for this. [image: 1760523860187-1dbf1da9-2786-446f-8ac2-30b77b06b1a3-image.png]
  • inbound stun traffic disappearing

    0 Votes
    2 Posts
    144 Views
    Just to prove to myself that I'm not a complete idiot, I have set up a VPS and installed eturnal there. It functions perfectly fine there. (It is not behind a pfSense, but I have enabled ufw. To be fair, the setup in my home lab is much more complex than that of the VPS. But bottom line: I can set up eturnal to work. So it would seem to be my inability to configure pfSense.)
  • Prioritizing WAN gateway monitoring ICMP traffic

    0 Votes
    1 Posts
    128 Views
    No one has replied
  • Is it possible to redirect local traffic

    0 Votes
    4 Posts
    3k Views
    I just wanted to follow up and not leave you guys hanging. I realized that only web traffic needed to be behind the reverse proxy (for the WebIF), whereas SIP and RTP did not. I am already using split DNS, but I set up one DNS entry for PBX.fqdn that points to my reverse proxy, and SIP.fqdn to point to my actual server. That way, my phones can be directed to the SIP server, and my web browser to my proxy. Done. However, since I disabled all IPv6 traffic on my network, I was having issues connecting from outside, as was mentioned. Now, I have the PBX system moved to a $5/month cloud server. Time will tell if it has enough resources to accommodate my usage. It has a setup similar to the aforementioned.
  • Allow firewall rules for home lab

    0 Votes
    5 Posts
    251 Views
    @viragomann Thank you, I appreciate it. The aim is to allow access to my VMs from the WAN side (home network) and effectively use the pfSense device as a router with the NAT functionality enabled for the LAN side VMs to access the internet.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.