  • Inter VLAN Access

    0 Votes
    6 Posts
    79 Views

    @Gertjan

    I figured it out. It was my old IPSEC tunnel. It was capturing the traffic, so the rules never really impacted the traffic. Once I removed the IPSEC tunnel, the rules started working, as mentioned.

  • Direction in firewall states: CLOSED:SYN_SENT

    0 Votes
    1 Posts
    44 Views
    No one has replied
  • 0 Votes
    7 Posts
    164 Views

    @viragomann Yes, actually, I made Allow any-to-any rules for all interfaces, including the bridge interfaces, for testing. I wanted to see traffic going in the right direction and compare it with what I expected.
    However, after I provided an IP address to the bridge, I'm getting less information from the firewall.

    From the firewall state, (PC-B to PC-A)
    [Any 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH]
    BRG2 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH
    BRG1 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH

    However, I found two solutions.

    - Creating rules in the floating tab with quick enabled.
    - Making BRG1 and BRG2 one interface group and creating the rule there.

    I have no idea why those can be the solutions, but it seems like there's something related to rule priority.

    Thank you for taking care of my issue.

  • pfsense seems to be blocking out access to a banking site

    0 Votes
    8 Posts
    117 Views

    @johnpoz

    Many thanks for the help and advice; comments noted.

    Thanks again.

    CC

  • Configuration while on running pfSense

    0 Votes
    2 Posts
    69 Views

    @chris-doldolia Hello! You can safely make configuration changes on a running pfSense firewall; it's designed for that. Most settings apply immediately without needing a reboot, though some services (like IPsec, OpenVPN, or interface changes) may briefly interrupt traffic when restarted. Just make sure you have console or alternate access in case something goes wrong.

  • netcts.cdn-apple.com

    0 Votes
    4 Posts
    114 Views
    JonathanLee

    @johnpoz I am glad you also noticed it. I see it a lot on my proxy, so I decided to block it and see what breaks, but nothing has changed so far. I also have the DNS manually set on the iMac, so it should not attempt to use DoH.

  • Broken website..?

    0 Votes
    4 Posts
    111 Views

    @Gertjan @JonathanLee ,

    I appreciate your comments and your time for this.

    I found that our ISP modem keeps sending a login page when it thinks the connection state is not established properly. (From the browser's development tools, I was able to see '302 Found - too many redirects'.)

    The cause of this was NAT, because when my IP was NATed to the interface IP, the source port kept changing as well.

    I have created a NAT rule with static port enabled, and it resolved my issue.

    Thank you very much.

  • multicast 224.0.0.22 incorrectly flagged by !RFC1918 alias

    0 Votes
    4 Posts
    107 Views
    keyser

    @CatSpecial202 The traffic is not being blocked because it is considered part of the RFC1918 space. Your rule is not a block rule, but rather a PASS rule (!RFC1918).
    The traffic is blocked by your rule, though - but that's because the IGMP multicast packets that were intended to be passed by the rule have IP options set, which the default IP options filtering in the rule denies. Hence it blocks the traffic. Search for "IGMP filtering blocks traffic" on this forum to understand the problem and configure your rule accordingly.

    E.g. this thread: https://forum.netgate.com/topic/187896/how-to-stop-logging-blocked-lan-igmp

  • Severe issues related to IGMP multicast traffic

    0 Votes
    1 Posts
    71 Views
    No one has replied
  • How to block YouTube in PFSense

    0 Votes
    27 Posts
    87k Views

    Remove potential filter apk

  • Rule Skipping ?...

    0 Votes
    3 Posts
    145 Views

    @KOM Many thanks for the reply! Good to know.

  • Firewall Logs with Protocol = Fragment

    0 Votes
    5 Posts
    320 Views
    johnpoz

    @CZvacko To be honest, I have no idea what would cause that. But I don't have anything on my network doing WS-Discovery either (SSDP). At least not to IPv6 multicast.

  • Unable to Ping Gateway From inside its own VLAN.

    0 Votes
    11 Posts
    607 Views

    It appears that after more digging I found my fix. Sort of my fault, in a way. I noticed in the command above that the rules that were being applied from the webGUI were not showing up in the backend rules. After scratching my head for a while, I looked at pfBlockerNG and noticed it was creating a lot of table IP entries and erroring due to the limit. I did enable Geo and IP blocking, which created massive lists, and because this was getting stuck it wouldn't write my firewall changes down. So I have adjusted the list limit and audited the IP lists I have enabled, and my rules are now showing.

  • Blocking an external ip

    0 Votes
    1 Posts
    104 Views
    No one has replied
  • Default Deny Rule blocking traffic between interfaces

    0 Votes
    16 Posts
    1k Views
    johnpoz

    @Spiney IP options is not his issue, that is for sure.

  • Adding a large list as an alias under "URL Table (IPs)" fails.

    0 Votes
    9 Posts
    758 Views

    @johnpoz I think I know why it fails. Once again, I realized that a software man cannot afford to be lazy. I scanned the entries and realised (to my amazement) that there are many invalid entries, i.e. ones that contain characters that cannot exist in a domain name, the most common one being the humble "/" (slash). It appears someone did a sloppy job there. "Mystery solved, I guess; right?" (https://www.youtube.com/watch?v=dDmqOott-_4)

  • How to see numbers of CPU cycles for particular FW rule?

    0 Votes
    2 Posts
    273 Views

    @Sergei_Shablovsky

    You're absolutely right: profiling firewall rules by CPU cycles and traffic impact can help drastically optimize a pfSense firewall ruleset. However, pfSense (based on pf from OpenBSD) does not natively provide per-rule CPU cycle measurements, unlike ipfw which does have more granular counters and optional DTrace integration on FreeBSD.

    Let's break it down and explore both what is and what could be done:

    What You Can Do on pfSense Today:

    1. Monitor Per-Rule Packet/Byte Counters

    Each firewall rule in pf already tracks:

    - Number of packets matched
    - Number of bytes matched

    You can see this via:

    - pfSense GUI: go to Diagnostics → pfTop, then choose the rules or rules (bytes) views.
    - CLI using pfctl: pfctl -vvsr

    This will output per-rule stats like:

        @1 pass in quick on em0 proto tcp from any to any port = 22 flags S/SA keep state (if-bound)
          [ Evaluations: 1000000 Packets: 123456 Bytes: 12345678 States: 5 ]

    2. Estimate Rule Cost Using Hit Rate and Rule Order

    pf processes rules top-down. A rule near the bottom of a large list with lots of matches is inefficient.

    So:

    - Reorder rules with higher hit counts closer to the top
    - Eliminate or merge redundant rules

    What You Cannot Do (Yet) on pfSense

    No Native CPU Cycle Measurement Per Rule

    Unlike ipfw, pf does not profile CPU cycles per rule. Reasons:

    - pf is a stateless rule matcher with fast path optimizations; its kernel code isn't instrumented for CPU-time profiling.
    - pf focuses on packet path and counters, not runtime cost metrics.

    Alternatives and Advanced Workarounds

    Option 1: Use DTrace (FreeBSD only, not available on pfSense CE/Plus)

    If you're on vanilla FreeBSD (not pfSense), you can:

    - Enable DTrace
    - Hook into pf_test() or pf_check_in() functions
    - Measure time spent per rule using custom probes

    Sample DTrace snippet (illustrative only):

        pf:rule:match
        {
            self->ts = timestamp;
        }

        pf:rule:exit
        /self->ts/
        {
            @time[rule_id] = quantize(timestamp - self->ts);
            self->ts = 0;
        }

    But again: this is NOT available on pfSense directly. You'd need a custom build.

    Option 2: Mirror and Benchmark in IPFW (Test Rig)

    If optimization is critical:

    - Export the same ruleset to a test VM running FreeBSD + IPFW
    - Use ipfw's net.inet.ip.fw.enable=1 and enable per-rule accounting:

          sysctl net.inet.ip.fw.verbose=1
          ipfw -a list

    - Simulate traffic and observe both match counts and CPU impact (possible with DTrace).

    Suggested Metrics for Rule Profiling

        Metric                  How to Get                  Use for Optimization
        Packets per rule        pfctl -vvsr                 Prioritize high-hit rules
        Bytes per rule          pfctl -vvsr                 Identify bandwidth-heavy rules
        Rule evaluation order   Rule position in pf.conf    Push common rules up
        State counts            pfctl -ss | wc -l
        CPU usage (global)      top / systat -vmstat        Coarse measure of FW CPU impact

  • Lot of IGMP blocked in Firewall log

    0 Votes
    2 Posts
    211 Views
    Gertjan

    @bchan said in Lot of IGMP blocked in Firewall log:

    IGMP

    Read https://forum.netgate.com/topic/197149/new-pfsense-plus-25-03-beta-is-here/37?_=1749016620666 - the IGMP issue should have been solved in 2.8.0, as it has been known for a while now, and a solution was posted for 2.9.0 or whatever the future brings us.

    The good news: throw IGMP in the forum search box, and you'll find out how to stop the IGMP logging.

  • Aliases with FQDN not working in 2.8.0-RC

    0 Votes
    10 Posts
    1k Views

    @johnpoz Sorry, I was going to, but just had no time till now.

  • Setup CRON To Update URL_Tables for Alias - Blocked IPs

    0 Votes
    3 Posts
    284 Views

    Thanks, @SteveITS

    I finally saw that it is being updated, which is excellent.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.