@detox said in cannot block cross traffic on sg-2100:

I need to restrict traffic from VLAN1 &2 to WAN only. Any suggestions?

See:
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/opt-lan.html#isolated

@John_McNoob said in Firewall rules:

With firewall rules

I'd expect, that it at least resolves the host name, but it presumably can't.

Maybe it uses another local DNS server, which it is not permitted to access then.
Try dig to verify.

dig google.com

@johnpoz
Thank you for validating my thoughts and setup
By the way, the best thing I did was moving intervlan routing to pfsense and keep fast 10 Gb servers on same VLAN on the switch. So simpler to maintain and stopped using the asymmetric insecure routing for internet

@Gertjan

I don't have the energy to verify why it's rejecting the gateway. Perhaps something has updated in the NAS (OMV) in the meantime. The important thing is that it works, thx :)

@AndyRH :

Many thanx to you. I've implemented your rules and they seem to work exactly as intended.
Most surprisingly for me, they do this without dedicated firewall rules.
Thumbs up!

Best regards

JD.

Well like I said I've tried to do that so.... I'm not sure. 😉

Does it work? I'd expect to see a load of errors when it creates the test config of there's a problem.

@Gertjan said in Alias error:

This looks like a IP "range" :

That's how multiple IPs are listed in the xml file. (I had to look)

Putting in my "programmer hat" I would guess there is some other alias or entry in the config file that is invalid and causing problems. Non-standard characters, maybe. Maybe, drag/drop the file into a browser window or XML parser, since at least Firefox will read/display the XML.

@SteveITS Thank you for the info ! I think I have a better grasp now on what my issue was. Since I disabled IGMP Snooping in the Unifi controller for my IOT net and associated VLANs I have not had any more notices in the firewall log (I still have the pass rules with log on, but nothing is showing in the firewall log, so I assume there is no more IGMP traffic. Cheers

@JonathanLee said in To Default Reject Or Block That is the Question.:

I wanted to share this with you incase you ever asked the question what the difference its between block or reject...

A block just drops the packet, without any other response. A reject sends an ICMP message back advising why. You want to use block on the WAN, so that the attacker has no confirmation there's something there. Use reject on the LAN, so that an issue can be identified.

Screenshot 2025-07-07 at 18.35.31.png

You know what it was I had it set to reject and not block HAHA I can't believe I didn't see that before, that is a Homer Simpson moment.

Screenshot 2025-07-07 at 18.38.12.png

This issue has since resolved itself though the root cause is unknown and there have been numerous changes made to the firewall between when it was last observed to not work vs. now when it is working.

@rasputinthegreatest normally hosting stuff on big cdn networks is not cheap - and would assume they do some vetting of what is being hosted/served. Not saying stuff can not be compromised - but seems unlikely some malware people would choose to host their crap there to be honest. While that cdn is not a global player to the likes of aws/azure or clouldflare, etc. They are not a ma and pop vps hoster ;)

Glad you got it figured out - and this thread might be very helpful for the next guy.

@Gertjan

I figured it out. It was my old IPSEC tunnel. It was capturing the traffic, so the rules never really impacted the traffic. Once I removed the IPSEC tunnel, the rules started working, as mentioned.

@viragomann Yes, actually, I made Allow any to any rules for all interface including bridge interfaces for testing. I wanted to see traffics going right direction and compare what I expected.
However, after I provides IP address to bridge, I'm getting less information from firewall.

From the firewall state, (PC-B to PC-A)
[Any 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH]
BRG2 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH
BRG1 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH

However, I found two solutions.

Creating rules in floating tab with enabling quick Make BRG1, BRG2 as a one interface group and creating rule.

I have no idea why those can be the solutions but seems like there's something related rule priority.

Thank you for taking care of my issue.

@johnpoz

Many thanks for the help, advise and comments noted.

Thanks again.

CC

@chris-doldolia Hello! You can safely make configuration changes on a running pfSense firewall, it's designed for that. Most settings apply immediately without needing a reboot, though some services (like IPsec, OpenVPN, or interface changes) may briefly interrupt traffic when restarted. Just make sure you have console or alternate access in case something goes wrong.