Dude you should really step back and understand how rules are evaluated before you attempt to edit them..
So on your DMZ... How is your wan address ever going to be a source???
So you want your dmz net to only go to that 185.x.x.x address? Or is that your wan IP? And you think if you allow that it can talk to the internet??
The internet is not wan net, its not your wan IP... The internet is ANY!!! Your last rule there allows to internet.. All of those rules above that allow to that 185.x.x.x are pointless since your last rules allows everything. So uness you were going to log those rules.. What are they suppose to accomplish.
Why don't you state WHAT your wanting to do and we can walk through how to do that.
Also as already mentioned you can not just grab public IPs and use them on your network without issues. If you did own those IPs - why would you be natting to them?? So just at a complete loss to what your wanting to do exactly here. From your wan rules that looks like your port forwarding to that IP.. But then your dmz rules are allowing access to it? On udp for protocols that do not support UDP..
So again - why don't you draw up your network, what networks your using on your different vlans (rfc1918 I would assume) you don't have any public space routed to you - do you? And then what you would like to accomplish with firewall between your segments and any port forwards and we can walk through how to do that.
UDP to 53 is default port for DNS.. That could be a NS for any sort of domain that your doing queries on.. Out of the box pfsense resolves and could be trying to talk to authoritative ns for some domain.
I would sniff to see what the dns query is for..
It might - put it in as a feature request on redmine. But I would think its going to have really really really low priority. Since I would have to assume they just share code for all the gui places that you would pick an interface, etc.
But sure you would think it possible to make it so the normally quite impossible sort of scenario's like wan network as source coming in lan are not listed. Then again you would also hope that the users of your firewall would understand basic networking ;) And how the rules on said firewall they are managing are evaluated..
The default to /32 on drop down when you add an interface IP also messes with many users because they leave it as /32 vs setting the actual mask they want to use.. So maybe that should default to I don't know /24? You know to keep the users from shooting themselves in the foot ;)
Feel free to put in a bouncy if you want for someone to modify the code for the drop downs to only list "realistic" interfaces as source vs all of them.. Or you could do yourself and submit it.. Its possible if you put it in as feature request that the developers might get to it - but I wouldn't hold my breath lets say.. Just my take..
So you have new rules you would like to discuss?
And i think i have answered this myself. Refresh States required. Therefor i would question if there needs to be a "Refresh States" button in the same screen where rules are APPLIED, or a pop up asking the Admin if the wish to enforce the rule immediately
2.2.3 is over 3 years old and no longer supported version. You should be on 2.3.5 p2 if you don't want to move to the 2.4 line.
Come back when your on a currently supported version, if you are still having issues.
Oops forgot to label that and made a mistake with the customer router, carrier is doing routing. .113 is the fiber modem. 114 is the first usable and the customers router. The pfsense is using 118.
My guess is you have to reset the states. Diagnostic->states->Reset states. Since PFSense is a state-full firewall means, everything is blocked by default from WAN->LAN, but if from inside the LAN anyone access any IP than a state is created/opened.
I don't know the reason, why you choose such method to block the facebook and not the straight forward and easy method.
Just create alias FB_Allow with all the IPs or the range which is allowed to access facebook. and the Facebook_IP allias with all the facebook IP.( PS execute this command from PFSense 'whois -h whois.radb.net -- '-i origin AS32934' | grep ^route | grep -v route6 | cut -d" " -f7' to get all the facebook IP).
Create a rule in the with in LAN Tab -> with source FB_Allow, port * to Destination * or Facebook_IP with port *.
Make another rule below it in LAN Tab of the firewall rule blocking every other IP with facebook blocked by choosing source * port * and destination IP with allias Facebook_IP with port *.
Change accordingly and most important I am also not an expert but learning.
So you turned off nat and your wan is 192.168.1 and your lan is 192.168.1?
Yeah that is not going to work.. Are you trying to use pfsense as transparent bridge?
web server (192.168.1.100). In WAN interface of pfSense
My internal interface of pfSense is 192.168.1.1/24.
As chpalmer stated arleady devices on the same network do go across a router to talk to each other..
@johnpoz said in TCP:RA, TCP:A, TCP:PA blocked ?:
Even if you have only 1 default route. When I see traffic from 192.168.x and I have an an interface in 192.168.x - then that is where you respond with.
Thx, it makes sense. :)
Are there any way to solve this ? Its not an big issue at all, im just curious.
1st post jump into a 2 year old thread with junk... Welcome <rolleyes>
You didn't even bother to read the 2 year old thread your reply too? What part do you not get about the PIPE is full did you not understand. Blocking IRAN or Russia at the end of the pipe at your firewall does ZERO!!!
Post like that makes me miss the smite button ;)
How about a secured wifi for the parents, and a physical cable for the kids wifi? Wife can pull the cable for the kids, and stay on her own wifi. (Would require either two APs, or a 3rd network port + a single AP with two SSIDs.
@derelict said in Converting from a Single Interface to a LAGG:
@guardian said in Converting from a Single Interface to a LAGG:
pfSense Cookbook - Recipes for Home/Small Office Networks
If I wrote that I would sell it, not give it away. Just sayin'.
Who said anything about giving it away?
I was suggesting that this is what would provide REAL value for Gold Membership for the hordes of neophytes that attempt to set up pfSense. I did a gold membership for awhile as a "thank you", but I didn't feel that I got much value out of it other than supporting the project.
It could also be a stand alone product - As I said the education out there sucks for someone who wants to learn enough to do good small networks, but not become a CCNA. I was suggesting Netgate might do something like to raise the profile of the project, and make a few $$. The big obstacle with setting up pfSense is the configuration. I would suspect a publication like that could bolster the sales of their appliances if promoted correctly. Think the person who knows a bit, is reasonably handy with computers, knows that even the high end consumer routers out there are untrustworthy/not updated etc, and need a hand to get to the next level.
I don't know if they sell their lower end appliances to "educated consumers" or just enterprise, but that's the market I see it serving. When I was getting started I would have paid $100 for that in a heartbeat - and depending on the contents, I might still be in the market.
Hello,
your clients are both in the same subnet. Its impossible to restrict traffic for them because they are directly connected trough the switch.
If you want to firewall the traffic you need to place them in different subnets.
Kind regards
"firewalls" on desktops tend not to be first class citizens. pfSense does one job and does it well. Desktops do a million jobs and firewalls are an after-thought. And that's ignoring the whole central point of edge management vs making sure every device in the network is configured correctly.
@johnpoz I found the issue. This is our ISP DDoS protection. All ports are opened and redirected to the DDoS traffic analyzer . All packets will be analysed and then will be forwarded or blocked if are clean traffic or not. Please closed the topic or delete it.
Best wishes!
That is something you will have to fix between outlook and the mail server.
Looks like pfSense is facilitating the connection but the client and server disagree about how to talk to each other.
pop3.gmail.com is not a valid hostname for gmail's pop service. Try pop.gmail.com.
https://support.google.com/mail/answer/7104828
What did test port show?
Look in the firewall logs to see if it is being blocked locally.
Packet capture for the traffic on WAN, then test the port. If you see the SYN leaving but no reply, it is being blocked upstream somewhere. If you don't see the SYN leaving it is something local.
@shawniverson said in TCP/IP Printing mangled across subnets:
where multiple subnets are connected to the same interface.
That is just BORKED design out of the gate as well.. There is one valid reason when you would be running multiple layer 3 on the same layer 2... That is during the migration from 1 address scheme to another address scheme..
Something like running some link-local address space on that layer 3, at the same time as a global address.. But I wouldn't really count this as running 2 L3 on the same wire, since 1 of the address scheme's is only designed to be used on the same layer 2, etc.
@jimp A volumetric DDOS cannot be stopped by a firewall, but a modern proper firewall should be able to do line rate packet processing into the multi-gigabit range. His concern is that his firewall cannot or might not be capable of line rate processing, but possibly should be.
I know FreeBSD, which is somewhat beyond the scope of pfSense, has issues with certain corner cases in DDOS attacks where a few megabits per second of traffic can take down a firewall that should be able to handle many gigabits. That is pathetic, but strangely the industry norm.
It's not a fundamental issue. Even if the issue is beyond pfSense, pfSense could try to use it's business connections to light a fire under FreeBSD to fix these issues. Maybe it's an awareness issue. Maybe it's already being looked at. Maybe the issue is moot once pfSense 3.0 is out and it's not worth the relative short-term effort.
Whatever the problem is, it's not a "can't be done", but some combination of communication, technical debt, and incompetence (not in the insulting use of the word, we're all incompetent at something and we strive to fix that).
The end goal is to make volumetric DOS attacks the only viable attack method. Grossly asymmetric resource attacks are just poor programming being exposed. A bit of napkin math can show that pfSense(FreeBSD network stack) can spend in the ballpark of a trillion clock cycles per packet under certain attacks. What is it doing?!.. See below.
There is a company that uses FreeBSD to block DDOS attacks, quite successfully. They had a BSDCon presentation some many years ago. Not sure how much they have upstreamed, but their talk showed that there's a lot of low hanging fruit to make FreeBSD magnitudes faster. Most has to do with replacing O(N^2) algorithms with proper O(1), O(log N) or regrettably even O(N). Some of the higher fruit is not having a globally shared state table, but one per core, which allows lockless/contentionless data-structure access and manipulation.
@derelict thank you for your help, ive gone through the 2 devices and set the DNS servers to the ones used in pfsense and now they work.
not sure why i had to do it this way while the 1st device just worked on its own.
anywho its setup and working the way i want it, so thank you to everyone whos tried to help
@emwee said in How to enable Whatsapp through the proxy server:
Create a firewall rules. With your alias as destination ports.
Hi, I know this is an old thread, but could you explain how to create this rule step by step ?. Thanks!
@viragomann said in Redirecting RDP:
Basically it's not recommended to expose RDP to public addresses.
While I second this advise there's another possible solution: just make your work's public IP the only source allowed to connect to your RDP session (once it's working).
Ah crap :)
Honestly it doesn't seem like that issue, but if states are just wonky (i.e. setting them when the traffic should in fact be blocked) perhaps I'll have to get 2.4.4 running in alpha on production - already doing it on our Netgate boxes, but really scared to do it on infrastructure I don't own :)
