  • Migrating from TMG 2010, understanding Rules

    0 Votes
    8 Posts
    1k Views

    In pfSense you may also have the firewall rules for incoming traffic created automatically by the NAT port forwarding rules. Take a look at the option "Filter rule association".

    If you allow traffic from an internal interface to the internet with destination "any", this also allows traffic to other interfaces, of course. If you don't want this you have to restrict the destination in your rule. E.g. you can set the invert check at destination and select LAN net to allow access to anywhere but LAN. If you need different subnets here, add an alias including all of them first and use this alias in the destination box.

  • Guest Network

    0 Votes
    1 Posts
    650 Views
    No one has replied
  • VPN client access is blocked while connected to VPN server

    0 Votes
    10 Posts
    2k Views

    Nope, didn't work. I already have an outbound rule that has my VPN subnet set to any dest. I can access everything else on my network, just not this jail and only when connected to the VPN.

  • Firewall logs AND/OR Snort Alerts clarification please

    0 Votes
    2 Posts
    529 Views

    Hey,

    I notice no one has answered you yet. I am also new to pfSense, but I understand it pretty well so far, and to check if it's actually working you can look under services\snort\interface. It should show the Snort status with a green check mark, a refresh button and a stop button. If not, then it basically has not been started or is not running. I do not have the firewall check on, since there is no need, as Snort is enough on the dashboard, and if you want more from the firewall logs you can go to service\system logs\firewall. I am also a subscriber to Snort Talos/VRT, but I do not have either the Snort GPLv2 (no need to check this since you're a paid subscriber), EMT or OpenAppID boxes checked, since it's just paranoid if you do, lol. The only reason I assume you're not seeing much blocking is because you have it on the Connectivity policy. If you want to make sure, change it to Balanced and restart the Snort services. Hope that helps.

    U3

  • Port 80 traffic to my freenas not passing

    0 Votes
    2 Posts
    458 Views

    The problem was with the squid proxy server. I removed the "keep data" option and reinstalled.

  • Rules for Secondary LAN

    0 Votes
    2 Posts
    511 Views

    The default deny rule is available on any interface, also on additionally created ones.
    The default allow any-to-any rule is only created automatically on the LAN interface. For all other interfaces you have to add allow rules manually.

  • Firewall slowing down and dropping torrent connections

    0 Votes
    3 Posts
    733 Views

    Thanks, I did not realize that; the former Linksys used to open both.

  • Rules with transparent proxy enabled

    0 Votes
    1 Posts
    446 Views
    No one has replied
  • Block internal LAN devices from accessing internet Except URL

    0 Votes
    6 Posts
    856 Views
    Derelict

    Destination WAN is not the internet, it is the subnet of your WAN interface. Destination any is the internet.

  • Windows 10 login not working

    0 Votes
    14 Posts
    2k Views

    Hi

    I found a good document describing how to correctly set up a bridge:
    http://users.ox.ac.uk/~clas0415/assets/Setting-up-pfSense-as-a-Stateful-Bridging-Firewall-with-commodity-hardware.pdf

    After following all the steps described there, it worked fine. WAN and OPT1 still have no IP configuration. I think changing the advanced settings and disabling the auto-creation of NAT rules completely solved the problem.

    Thanks for your help.

  • Cannot FTP into LAN after upgrading 2.2/2.3

    0 Votes
    3 Posts
    468 Views

    Hi John,

    Just PM'd you.

    Thanks,

  • Firewall blocking uploads on certain sites

    0 Votes
    7 Posts
    2k Views

    @ptt:

    ??? maybe –> https://doc.pfsense.org/index.php/Low_Throughput_Troubleshooting#MTU_Issues

    Tried with different MTUs, no difference.

    And for the different machine, I guess it was a stroke of luck, because I just tried with another Mac and it does not work.
    Then I switched networks, plugging the ethernet into the modem/router, and it works, same machines.

    It's really pfSense that is doing something, but I do not know what.

    ATM pfSense is virtualized in KVM, maybe that is the issue? But it would be strange because it has support for it...

    EDIT: ok, I got this: https://forum.pfsense.org/index.php?topic=88467.0
    I had to set tx off in br2 and br3 (LAN and WAN bridged for the pfSense VM) and it seems to do the trick...

    OT: Seems true that the moment you ask for support you start to realize things...  :P

    Thank you for the answers!

  • 2 WAN IP forward to Same Internal IP

    0 Votes
    5 Posts
    603 Views

    Dear all,

    Thank you for your advice, the problem has been resolved by deleting and recreating both rules.

    I think the issue is due to "copy rule" or "Filter rule association". The rules were created before the 2.3.2p1 update and they were working fine, just having problems after the update.

    I also tried Viragomann's suggestion but got stuck at selecting "Interface".

  • Blocked Outgoing IPV4 and IPv6 LAN Traffic

    0 Votes
    6 Posts
    9k Views
    johnpoz

    The default deny does not fire first..

    If there is no state for this traffic then none of the allow rules would allow it, since it's NOT a SYN to open a conversation.

    No state, then blocked.  Unless you're starting a conversation with SYN.. and the port you're going to with this SYN is allowed.

    All of those packets are FIN.. ie your private IP is done with the conversation..

    TCP will retransmit if it doesn't get an answer.. So if I want to close and I send you FIN,ACK, the proper close is to send FIN back.. If he doesn't see the FIN back he will try and send again..  Hey buddy I am done talking to you, are you done too..  Normally what would happen is if he doesn't get an answer back from his FIN, he would send a RST saying hey not sure if you got my FIN.. But I am DONE talking to you..

    Why a state is missing in your firewall, no idea?  Do you have pfSense reset states on loss of gateway?  This might be the default behavior?  So if your WAN goes down, pfSense can reset all the states.  If that happens and you had a client that was having a conversation - he doesn't know that and just keeps trying to talk, etc.  Those would be logged as blocked.

    You could try sniffing all the conversations from one of your phones.  And then match those up to your log entries to when you see out of state, etc.  Or you could just not log it and not worry about it until someone complains that something is not working.  I don't log that stuff, I just log blocked SYN packets.

  • NAT LOOPBACK

    0 Votes
    9 Posts
    2k Views
    KOM

    Correct me if I'm wrong, for each server I should NAT to Internet I have to go through all VLAN to create rules for them to get access to servers that already are on the internet?

    Yes.  It's definitely more work, but it is the better, more elegant solution.  If for whatever reason you don't want to do that then your only other option is NAT Reflection from that same link I gave you.

  • Help configuring Rules

    0 Votes
    2 Posts
    888 Views

    Here are some basics on setting up custom rules, as opposed to having the default 'allow all' rule on outbound LAN rules:
    https://doc.pfsense.org/index.php/Example_basic_configuration

    Firewall rule schedules:
    https://doc.pfsense.org/index.php/Firewall_Rule_Schedules

    Limiting bandwidth:
    https://doc.pfsense.org/index.php/Limiters

    Port forwarding:
    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    If you're really considering making your DVR available from external networks, make sure you lock down access to it - change the default admin password, for starters. The recent Dyn DDoS attack was carried out using mostly unsecured webcams and DVRs which were open to the internet.

  • Making missing state rule reject instead of block

    0 Votes
    18 Posts
    3k Views

    Hi, thanks for all the replies. This is on an internal firewall between a DMZ and LAN, so I believe RSTs should be a safe option here.

    From what I understand from some of the posts here, a normal reject rule should indeed pick up out-of-state packets. When I get a chance to take everything down again, I will take some tcpdumps and try to see if I can see any RSTs being generated.

  • Blocking UDP 500 from a specific source

    0 Votes
    2 Posts
    522 Views
    Derelict

    Upgrade would be my guess.

  • Only allow port 25 traffic through specific IPs

    0 Votes
    7 Posts
    2k Views
    johnpoz

    What dotdash did would allow it on 25 and stop others from talking on 25, but it sounds like he only wants his Exchange server to talk on 25.  So it needs no other internet access?  No Windows updates, antivirus, etc.  It has no need to talk to anything on the internet other than on 25?

    How does it look up the mail servers it's going to send email to?  Does it ask your pfSense for DNS?

    You're going to need to create rules that allow it to talk to pfSense for DNS, or how would it look up the MX records?  Or some other DNS.  Then create a rule that allows it out on TCP 25 only.  Then under that create a block rule for any any for its IP.

  • Opening VPN access

    0 Votes
    15 Posts
    2k Views
    stephenw10

    That's something you would need to configure in the Fortigate. I can't help you with that.

    Is there a reason you're not just terminating the VPN in pfSense directly? I could help you with that.  ;)

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.