Firewalling

• C

  Want to Block 1IP from using Internet when VPN goes down
  • comet424  

  50
  0
  Votes
  50
  Posts
  188
  Views

  C

  @Derelict I have 1 more question if you might know.. the no_wan_egreess works as long as my vpn I don't check the box "Don't Pass Routes" if I enable it... The IP Address I have Tag NO WAN EGRESS is automatically blocked yet should be using the VPN but I notice I need to check Don't Pass Routes to get my XBOX to work bypass VPN do you know how to get get the rule to work for the VPN and TAG No Wan Egress when you check "Don't Pass Routes" and should I be using that check box or not... whats the difference I tried googling info but I didn't find info if you have a link that explains the 2 be good too but I figured I ask you about that since your very smart at this stuff
• B

  pfSense has detected a crash report or programming bug. Click here for more information
  • bokikay  

  4
  0
  Votes
  4
  Posts
  82
  Views

  

  To be useful, folks here will need the entire crash report properly formatted. Post it as a linked file so it can downloaded and viewed by others. What is showing up now in your last post is not useful at all. Is your box up and running OK now, or is the crash a recurring thing? Perhaps it was a one-off type of event.
• 1

  Outbounding traffic from LAN
  • 19Giugno  

  14
  0
  Votes
  14
  Posts
  67
  Views

  

  @19Giugno said in Outbounding traffic from LAN: adding the pfsense as DNS to the machines make the job! Not adding - ONLY!! You can not point multiple dns that do not resolve the same stuff or your going to have a bad day.
• B

  Google captcha
  • bokikay  

  5
  0
  Votes
  5
  Posts
  94
  Views

  B

  @Gertjan Thank you very much sir. I got it now
• N

  Rules not working as desired on WAN interface
  • njlinuxmike  

  16
  0
  Votes
  16
  Posts
  59
  Views

  

  Yeah if you bridge you can control traffic that flows through the bridge. So yeah if you have input on one switch port that is bridge to the rest of your switch ports - then sure you could filter at the bridge point.
• H

  Firewall blocking live stream
  • higginscomputer  

  8
  0
  Votes
  8
  Posts
  87
  Views

  

  Sorry but being new to pfsense, you should not be installing IPS and Proxy and pfblocker out of the gate! As stated by bmeeks already.. Remove them and ramp up to using those advanced features. IPS for sure is not something you click and run with it. And to be honest pfblocker has become almost too powerful for the less experienced user..
• V

  I want to block some secure websites"like sports, news ,Socialnet".
  • vishantkamboj  

  3
  0
  Votes
  3
  Posts
  41
  Views

  

  Squidguard relies on squid. If you configure squid properly, you can filter HTTPS URLs without needing pfB.
• D

  Allow 1 Opt1 device to access 1 LAN device?
  • Dave07  

  9
  0
  Votes
  9
  Posts
  197
  Views

  

  You can edit the thread title and add solved to it if you so desire.. The time it took you to ask me to do it, you could of done it yourself faster ;)
• A

  [solved]Not sure what this is
  • Actionhenk  

  8
  0
  Votes
  8
  Posts
  43
  Views

  A

  Think I found the cause, there was a floating rule with source this firewall which had a port alias configured with port 443 at the near top of the rule list.
• A

  Automate easyrule from remote host
  • akvadrat  

  4
  0
  Votes
  4
  Posts
  945
  Views

  L

  @akvadrat said in Automate easyrule from remote host: min and not root. Is it not possible to set NOPASSWD when "running as" ad sorry for reply this old post, but i'm lookin for some like this... @akvadrat cant you share your workaround in fail2ban to write or execute the eary rule action... to add and remove the hosts ip address... ad the moddifield maked to pfsense box on sudoers etc .. thanks
• I

  Disable logging for "Default deny rule IPv4"
  firewall • • ibbetsion  

  3
  0
  Votes
  3
  Posts
  45
  Views

  I

  Thanks for the pointer to the settings tab. Dunno how I missed something so obvious!
• R

  [Solved] Can't get SMA solar inverter to communicate
  • rosch  

  23
  0
  Votes
  23
  Posts
  645
  Views

  O

  MIght be worth doing a packet capture on pfSense and opening it up in wireshark and filter on SIP. We are dealing all kinds of solar sma inverter in chennai
• B

  Problems pinging between IPs on a VLAN subnet
  • bwanajag  

  8
  0
  Votes
  8
  Posts
  71
  Views

  

  @bwanajag said in Problems pinging between IPs on a VLAN subnet: I understand clients on the same subnet do not need to route, but I don't understand why that means devices on a given subnet won't respond to pings from another device on the same subnet. pfSense is issuing IP addresses to devices connected to the VLAN (DHCP is working), but I cannot ping those devices from the ping tool within pfSense. Is this normal? One all devices have received their DHCP addresses, you could disconnect pfSense from the network entirely and it should not make a bit of difference between devices on the same subnet. Your problem is with those devices, not pfSense.
• I

  Should "Reserved Networks" be blocked when pfSense is behind an ISP router?
  firewall bogon • • ibbetsion  

  3
  0
  Votes
  3
  Posts
  65
  Views

  

  That is multicast noise most likely from your router it self, ie that 192.168.1.1, which seems odd that is being block by the ULA rule fc00::/7 ? If you do not want the noise, and your behind a nat.. Then either turn off logging of those rules.. Or create rules that specifically block the noise but don't log it.
• I

  Finding devices with hardcoded DNS
  firewall dns nat • • ibbetsion  

  3
  0
  Votes
  3
  Posts
  76
  Views

  I

  @elvisripley Thank you for that invaluable insight. I was able to make a few tweaks based on your guidance (caused lightbulbs to go off in my head!) and I am now able to see the queries!
• C

  Removing spurious rules that don't show in the GUI
  • cwdolphin  

  12
  0
  Votes
  12
  Posts
  57
  Views

  C

  @jimp So the main issue is that I'm getting errors in the GUI There were error(s) loading the rules: /tmp/rules.debug:116: syntax error - The line in question reads [116]: nat on lagg0.22 proto tcp from 192.168.100.0/24 to 1.1.1.1 port -> (lagg0.22) @ 2019-03-13 14:14:38 I assume that this is because the actual port value is missing so whatever is adding the rule is adding it wrongly. The same rule exists further up with the port specified. Assuming all the other rules aren't actually creating any problems despite the fact there is no reflection enabled then there's at least that one.
• K

  Block only google drive upload
  • koko_adams  

  4
  0
  Votes
  4
  Posts
  66
  Views

  A

  If it's as simple as drive.google.com, you could set the Domain Override in Services -> DNS Forwarder to resolve it to nothing. That's the "!" character in that entry. I say simple above, but it's probably not that cut-and-dry... I don't know for sure if google drive has a much larger reach, domain or IP address-wise. Read more about dns forwarder here: https://docs.netgate.com/pfsense/en/latest/dns/dns-forwarder.html Jeff
• P

  Good Case for Floating Rule? Duplicating rules across interfaces
  • pfsensefanatic  

  7
  0
  Votes
  7
  Posts
  82
  Views

  

  Yeah that's just VLANs. They are logically separate from each other and behave as separate interfaces. If you want to pass traffic from VLAN 1 to VLAN 2 you need to pass it. You can do what you want with floating rules. I just think interface group rules can be more straightforward.
• P

  Routing issues after Upgrade (2.4.4) - No (ICMP) Reply to packets
  • pf_Thomas  

  9
  0
  Votes
  9
  Posts
  115
  Views

  P

  Ok. HA is back and online... but the initial issue still exists :-( Nothing arrives at .102
• T

  samba 4 AD and pfsense
  • toni networking  

  7
  0
  Votes
  7
  Posts
  134
  Views

  T

  Thanks johnpoz is working now
• M

  Can't turn off default Deny Private Networks rule
  • mark hisel  

  13
  0
  Votes
  13
  Posts
  151
  Views

  M

  Right On johnpoz!!! Android just got a response from the server! Thank you very much!! You know, it seems like it should be easy, but it's kind of like driving through a new city on a complicated freeway. It's pretty easy to get overwhelmed. Thanks again !!
• L

  Credential Handshake not working on pfsense but working on normal router setup
  • Leckbush  

  3
  0
  Votes
  3
  Posts
  92
  Views

  L

  I resolve the problem. The IP we use in WAN was not allowed on the server side we're trying to login, So we can only reach login screen but can't login. Lmao
• K

  Issues with pfsense firewall log
  • koko_adams  

  9
  0
  Votes
  9
  Posts
  99
  Views

  

  That is not the capture.. Download the file and post up the pcap file. But 10.90.90.90 is your SWITCH IP, or is that the camera IP?
• R

  LAN to LAN rules, is it possible?
  • rfanch3r  

  4
  0
  Votes
  4
  Posts
  148
  Views

  A

  There are some screenshot instructions in that post I linked to. In a nutshell, on your LAN DHCP interface, you set the DNS server to the pihole address on the "other" network. Then, on your LAN interface, you make a port forward to get DNS traffic moving to the pihole. Allow that port forward to auto-create the companion firewall rule. Then point the pihole back to pfsense. And then, finally, set the DNS resolver to "enabled" in pfsense. That means the pfsense box will ultimately run the DNS resolving and caching for your LAN network, after it has been sanitized by the pihole system. Jeff
• T

  OpenDNS over OpenVPN
  • TomHBP  

  7
  0
  Votes
  7
  Posts
  136
  Views

  

  @tomhbp said in OpenDNS over OpenVPN: The internet connection goes down. What is the exact definition here ? Connection totally down or just DNS traffic ? Anyway, it's time to unhide your setup and rules.
• 1

  Filtering URLs
  • 19Giugno  

  5
  0
  Votes
  5
  Posts
  103
  Views

  1

  @bmeeks said in Filtering URLs: @19giugno said in Filtering URLs: @kom said in Filtering URLs: You can either tailor your port forwards to only allow specified IP addresses as Source, or you could do it via web server directives in the site's config file, or via .htaccess. But can;t I create an alias for List 1 and an alias for website 1 and a rule to match them? Only if website 1 has a different IP address from website 2. Firewalls work off of the IP addresses and port numbers in an IP header. They don't understand URL text. What would you put in the alias you create to differentiate between the two websites? The web server software itself (Apache, nginx, etc.) is what would read the incoming HTTP headers text and then route the request to the proper website. That's what @KOM was referring to: setting up filtering on the web server itself because that's the point in the chain where the acutal URL is decoded. Thanks!
• J

  Traffic blocked randomly
  • Jules13  

  14
  0
  Votes
  14
  Posts
  172
  Views

  J

  Yes I disabled hardware checksum offloading, Sorry I was sure I have said that it was a proxmox VM, but it is not the case. Yes I followed this tutorial to install PfSense
• I

  Blocking all IP's except a few one
  • ijazm  

  6
  0
  Votes
  6
  Posts
  87
  Views

  

  Ok for the image but it doesn't help us much to answer. What interface ? Restrict access to the GUI, and if so, http ? https ? both ? - or no access at all (no ICMP, no DNS, no TCP, no UDP, nothing) ? From LAN ? From WAN ?
• P

  How to Limit Steam Traffic PFSense
  • pixfour  

  1
  0
  Votes
  1
  Posts
  60
  Views

  No one has replied

• S

  Pfsense 2.4.4 no internet access! Help please! (Solved)
  • smrehan00  

  13
  0
  Votes
  13
  Posts
  214
  Views

  S

  @akuma1x @KOM Thanks guys for your help.
• T

  Pfsense in Stateless mode
  • Thoufiq  

  13
  0
  Votes
  13
  Posts
  248
  Views

  

  @jimp said in Pfsense in Stateless mode: So fix the other device so it doesn't do that :) Yea, don't I wish. Step 1 would be to define the problem, which I haven't been able to do yet. Or don't go stateless, but setup sloppy state rules: Unfortunately, sloppy state rules don't work either. My current goal is to get this working in stateless mode, and then slowly add firewall rules to protect things. I tried it the other way around (firewall rules first), but couldn't get pfSense to work long enough to get any work done. So the question remains, after I've tried 'allow all' rules that have the state set to either keep, sloppy, or none, and that doesn't work, and I can't throw out the oddball product, what do I try next to allow traffic thru.
• G

  Policy Server?? Work VPN
  • gsmornot  

  1
  0
  Votes
  1
  Posts
  59
  Views

  No one has replied

• N

  firewall for windows network
  • nikhil  

  3
  0
  Votes
  3
  Posts
  80
  Views

  

  Well said bmeeks.. A edge firewall is much different than a host firewall.. But with the right know how it is possible to do some application based filtering with the openappid and snort. https://www.netgate.com/blog/application-detection-on-pfsense-software.html But yeah that is going to be a steep learning curve for sure, for someone that had to ask the question in the first place. If your goal is to prevent applications from doing xyz - that is the place of a host firewall. But normally if your to a point where you want to filter chrome or skype from being used in windows environment you would just prevent those applications from even being installed by users.. If you can give us more info on your overall network - running AD? Are your window machine user managed - ie sort of BOYD setup? Or are they managed by You/IT dept? What exact sort of scenarios are you wanting prevent? Are you wanting to allow for example skype to be used to video call other users in your org/location/family - but not allow free access to anyone? etc.. This is where the suggestion of hiring the correct staff or company to manage your expectation of security is key.. Actually useful valid security always comes at a price.. Be it in the learning curve if your going to do the work yourself - or in the cost of the appropriate hardware and or licensing of specific software to do what you want to do with your current skillset. While you can for sure do some amazing things with pfsense be with something like OpenAppID or IPS in general or Proxy for filtering categories, etc. etc.. If you do not have the skillset or the staff that can leverage opensource or free/lower cost tools. Then you have to pay for the higher end stuff like like commercial based proxy or NGFW with application mangement like a PaloAlto or etc.. All have license cost that can be prohibitive for the smaller shops - and while they do make doing X much simpler since they do all the background work for you (reason for the license costs) you still need the appropriately skilled staff to manage them, etc. Implementation of valid security controls is also going to cost a price with your user community... Be it they could do X before and now it doesn't work, but to do their job (atleast in their minds) they need to do X, etc. etc So there will be learning curve and training required for the user community along with normally higher support hours/cost to manage the expectations and issues that the heightened security will create - atleast in the beginning.
• B

  Pfsense Azure - Internet by WAN and not by Azure
  • Brownie  

  1
  0
  Votes
  1
  Posts
  58
  Views

  No one has replied

• J

  New Install - Missing return TCP traffic to LAN
  • jacque8080  

  4
  0
  Votes
  4
  Posts
  96
  Views

  

  Dude you can not have your wan and lan in the same network - so yeah no shit nothing is going to work!
• S

  Re: [Pfsense 2.4.4 no internet access! Help please!](/topic/141182/pfsense-2-4-4-no-internet-access-help-please)
  • smrehan00  

  1
  0
  Votes
  1
  Posts
  52
  Views

  No one has replied

• 7

  How to setup pfsense as a front-end AV and firewall only
  • 7h3Monk  

  1
  0
  Votes
  1
  Posts
  84
  Views

  No one has replied

• A

  Limit traffic from Openvpn interface
  openvpn pia • • alep11  

  3
  0
  Votes
  3
  Posts
  78
  Views

  A

  @rico Thanks will take a look
• A

  Logging connections, not their content
  • anmnz  

  7
  0
  Votes
  7
  Posts
  162
  Views

  A

  Thanks @gertjan! I don't actually have the specific IP addresses my network is allegedly making connections to, but these instructions are excellent and showed me how to do what I wanted which is to log all outgoing connections from my network. Thanks very much indeed for taking the time!
• H

  Route to WAN with ExpressVPN enabled
  • hanzomain  

  1
  0
  Votes
  1
  Posts
  57
  Views

  No one has replied