Thanks @hieroglyph, the dns redirect now shows some activity

here is the detailed information on the nat port forward page

mostly was looking for validation that my newly added rule didn't introduce any vulnerabilities.

@harvy66 LAN1 and LAN2 are ports on the same nic. Intel 4 port card.

The CPU utilization is 10 to 12 %. Not heard the HT recommendation before I will give this a try.

If there a way to run rPerf between WAN and LAN? I have the package installed.

@lindhe said in Failing to add URL alias with mixed IPv4 and IPv6 addresses:

Do you know if I can always "upgrade back" again if I go from 2.4 to 2.5, if something breaks?

Not you can not auto "upgrade" to 2.4.. Just make sure you have a backup of your config.. And install media.. Be that CE or if your FE, open a ticket with netgate and they will send you link to FE copy you can download.

So if you decide you want to roll back, its really simple.

But to be honest 2.5 is close - I would be surprised if there was an issue that would force you to roll back.

Thanks for your help. I'm all set now.

While I was going to suggest that - its not really the same thing as ipset. But ipset ties in with iptables, and pfsense doesn't use iptables - even if has dnsmasq..

But yeah its the closest thing.. But what is kind of kewl with ipset, is you can set netflix.com - and then anything.netflix.com would be in the rule. I don't believe, off the top of my head there is anyway to do that with aliases.. You have to be able to resolve the fqdn, or use a list of ip/netblocks..

@teamits and that was it. its working now I had turned off tagging on 5 earlier on opt 1 because i saw that the default lan didnt have 5 tagged. Probably everytime i did the setup there would always be one step i messed up because on other attempts i had it tagged properly. anyways its working now thank you!

@nachofest I think you can do it using Wireshark.

https://osqa-ask.wireshark.org/questions/48871/how-can-i-replay-a-tcp-packet-captured-by-wireshark

@vivek
without any other information about your configuration, I can only say that you have a block on port 443

@asdjklfjkdslfdsaklj I'm still having this problem. Like in the original post, I've tried it with scrub disabled etc. with no luck. Before it would work when pf was disabled, which lead me to think that it was a issue with pf (maybe something like https://redmine.pfsense.org/issues/8165), but now it doesn't seem to work even with pf disabled.

I am facing the same problem. Could you show me your rules? I can't get it right :-(

@azon2111 said in Using PfSense as a GeoIP filtering appliance ONLY:

self-hosted email where it actually thwarts quite a bit of spam messages

I know all about that one.
Back, in the 'good old days' I was said ones to myself : want to have my own domain names (private and company (a hotel)) and taking care of my own mails, as using a mail server from some where else binds you to the mail reputation of the host. Shared mails can be great, and the next day you can't mail to gmail, or yahoo, or whatever. Or the other way around : one of the biggest (Belgium) mail suppliers, skynet.be (don't laugh) was often blocked, me not being able to do anything about it.
So I went for the 'do it myself'.

What I did : tell postfix to be far more stricter as 'default' : for the incoming mail :
No reverse host name ? => Hang up the phone.
=> You say "Paul' but your reverse lookup says "Jack" >= assign a big penalty to start with (this one has a identity crisis / split personality / other issue )
No SPF ? => assign a big penalty to start with.
No DKIM ? => assign a big penalty to start with.
No DMARC (and IPv6) => assign a big penalty to start with.
Mail with added files that are forbidden, like exe, com, docx, etc etc ? => Drop it.
Then, with the already scored penalties, filter through spamassassin. And amavis - and razor. and more. If the mail is a winner => off to the spam box it goes.

We have a guy called fail2ban that analyses the main postfix mail log 24h/24. For every mail that comes in, and the simple server to server transaction 'stinks'or the mail looks like spam, that mail server gets blacklisted at firewall level.
This is the result. And this one to check for the reason why as SSH connects, Apache2 connects etc is also treated. Check out the "Postfix tab for more details.
After more then a decade, me doing close to nothing these days, 80 % of all mail is stopped right at the doorstep - reduced to a line in the mail log :

Like : 2021-01-21 16:10:10 postfix : From host a.b.c.d : Hi - and bye.

Take note : for me, blocking IPs based on a country is not possible, as our clients are from all over the world.
Example : last month, some agency called Expedia (States based) started to use a bunch of IPv4, formerly known as "from Pakistan ....".
What also happens is : I get mail from Egypt, Cairo. From a fried. LIves in Germany. Who forgot to shut down his VPN (he has a complicated live and many issues with things called "torrents").

Geoip IPv6 database will probably never exist as the one wouldn't fit in our galaxy. 25 of all our incoming mail is IPv6. And as aid in another thread this morning : my first IPv6 are already banned.
Btw : I even added some domain names used by friends to my mail server, as I knew they would send and receive a lot of mails. That was just perfect to auto-train my anti spam AI.

All this beauty is available of the selves, free, and keeps working over time.

I use a dedicated IPv4 and IPv6 for each domain. This is VERY important.

Also : self-hosted means for me : a 50 $ / month dedicated server in a big data center, as hosting behind an ISP line (our case) is a big no-no.

@gil said in Locking device to static mapping:

@bmeeks
Thanks for the info. I appreciate the point you are making

You do still have some options, abeit they require more work on your side.

My idea with VLANs and multiple SSIDs on wireless will work, but you need VLAN-capable switches and wireless APs.

Also the ideas put forth by @gpfsenser will work.

@captaindarth Yes you are right.
Denying outbound what is blocked by dns is an extra level of protection.
If you were using eg pihole, then you would hope the client does what pihole instructs (and doesn't try any hardcoded ip's directly)

My ip tab looks like this

and a test scenario blocking inbound would be like this

And I m not using the automatic rule generation, which puts rules first, which isn't what is required most of the times.

@chris-ett Absolutely.
On ipsec, you also have the possibility to"protect" ie allow networks, but thats an ipsec feature only.

Unless you were asked to specifically post in this category, you might do better posting in the specific pfBlocker category, since you're asking about that package...

https://forum.netgate.com/category/62/pfblockerng

@tgwaku said in LAN Interface not replying to ICMP Request from WAN Network:

i have no need to connect on ip 10.0.0.100 or to be able to ping ip 10.0.0.100. It was just something that i was wondering is possible to do?

It is very possible to do, just not in the sort of setup you have. If you had an upstream router, where you could create another network/vlan to use as a transit. And also allow that upstream router to nat downstream networks.

Neither of which are possible with your typical soho wifi router, atleast ones not running 3rd party firmware.

Then yes it would be quite easy and simple to have downstream router not doing nat where you could route to downstream networks, ie your 10.x network And then firewall off different protocols or ports if you wanted to.

But in your sort of setup, with the lack of features of your edge(upstream router) and your ability to do vlans on your infrastructure - no its not really possible. And the double nat setup is the easiest solution to isolate your network from the houses network. While still allowing access to resources behind pfsense via simple port forwards.

If your upstream router, ie the router you have connected to the internet was also say pfsense. And your switching and APs in use could do vlans - then there really isn't anything you couldn't do from a networking perspective.

@bmeeks, thanks a lot. That makes sense.

@johnpoz A warm and friendly reply as usual . It's been answered to my satisfaction now but I appreciate the reply, I won't bore you with the details of my network layout. Thanks anyway.

Hello!

The same thing happens if the fqdn points to a local device, which is the normal use case for me.

The feeling I get from aliases is that they are finicky.

The idea that you could setup an alias and get one result, and that I could setup a similar alias (I used a /28 network, not a single host in my test) and get a different result bears this out.

I get the same vibe when reading through bugs like https://redmine.pfsense.org/issues/9296
There is lots of interesting reading in redmine about aliases.

I hope that aliases are working well for most people, but I do have to agree that at times they have "driven me crazy".

John

@manatee Your best bet would be use pfBlocker-NG and use ASN numbers to create an alias to use in your firewall rules.

@just-enuff said in Packet Capture not seeing traffic within internal network communication:

All of that being on LAN. So if i capture packets on the LAN interface in Pfsense wouldn't it do it from the gateway perspective with ip of 192.168.1.1?

No. Read up on how switches work. Switches rely on the MAC address to forward the frame to the appropriate port. So, if A sends to B, pfSense on C will not even see it, let alone capture it.

@x_xavier_x Looks like I fixed my own issue. Added a rule so that anything going to the private network gets routed to default gateway, after that everything else is routed to the ATT gateway.

@bb-mitch
idk, I'm not using it every day but those few times that I used it I never really noticed the problem

@luckman212 Just in case people find this, I started a new post:
https://forum.netgate.com/topic/159884/pfsense-pfctl-bug-clicking-x-does-not-kill-states

I also have a new post on opnsense:
https://forum.opnsense.org/index.php?topic=20901.0

I will try to keep both updated. Thank you for posting your success. I LOVE it when people do that.
Can't stand when people don't follow up with their own question or just say "fixed it".
So you sir, ROCK.

I try to bring this up again, maybe we will get an answer from somebody who is capable of answering this^^

best regards

@t-rr-ex
maybe try to temporarily disable "Block bogon networks" under interface / wan
i don't see any 5.102.x.x on my /etc/bogons, strange.. i don't have that option enabled, firewall rule are more than enought, maybe a bug or it was present on that old version you are using

@girkers said in Things not logged in FW:

recommended Reject rule

And where is that recommended? If you would of showed us that from the start - could of answered you question in the first post..

That is not the default for lan by any means.. No info ends up with yet again multiple posts to pull info to try and help someone.. To solve their own pebkac problem.

@amello
Well, finished my tests and got it to work. No changes to the ISP equipment.
I might have a problem with that installation as changes are not applying after filters reloads. It takes over 5 minutes after it completes to start working.
The box is an i5-3470 with 4MB RAM and the it's running using 1% of the CPU, so no other reason for the delay I can think of, besides some garbage inside that install.
It is working now, but I can't say what caused to stop working in the first place (I do hate those it was working before and not it is not statement).
If I find out will post again.

Thanks for the reply.

@smokinmojoe said in pfSense Default(hidden rules) visible(Read Only via GUI):

Maybe these should be grey or red

Hi,

this is how you can influence this:
https://docs.netgate.com/pfsense/en/latest/development/feature-requests.html

Post up a screenshot of your rules.

Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

If your saying your not seeing any hits on your rule either in the interface firewall tab (the 0/0 in states column) or the log when you have the rule set to log.

Then its not being triggered. Most likely because you have the rule written in such a way its not matching.

So show us the rules you actually created via a screenshot, and then the log entry your seeing..

@lilmonkey said in Sample firewall policy home network:

I am interested in some samples as well.

each network is different (SOHO, Enterprise, etc.)

there is no one that can present a sample for your network...
without prior information, - and knows nothing about your devices and plans

(you can learn the philosophy of pfSense (NGFW) from the links provided - of course you should also have networking experience)

pls. post a planned network topology and you'll get plenty of help

BTW:
what do you mean by this VoIP thing

nah! doesn't do a thing!
As long as the VIP is existing, the second filter gets created and therefore applies the Block to anything not coming from whatever the VIP's IP is.
The VIP itself is created automatically by pfBlocker. So no way around the !Net Problem. However - it should'nt have any impact as the rules effect is applied by default deny anyway.

--> geoIP... another topic for another day. ;-)

take care

P