• Cannot Open Ports

    22
    0 Votes
    22 Posts
    691 Views
    Gertjan

    @kilasin said in Cannot Open Ports:

    I live in the woods, pretty much, so no other choice with Starlink

    They got you covered 😊
    .... and use the same approach as many ISPs did in the past.
    You want a WAN IP that you can reach from the Internet, so you can NAT addresses and ports.
    As IPv4 is a very expensive resource these days, your wallet will be the solution.

    Look here :

    starlink static WAN IP ?

    A little bit lower on the page I saw :

    [image attachment]

    So ... go "Business" would be a solution....

  • Router 2 to PfSense router - WAN or LAN

    1
    0 Votes
    1 Posts
    77 Views
    No one has replied
  • Opening Ports

    1
    0 Votes
    1 Posts
    117 Views
    No one has replied
  • Unknown connection

    18
    0 Votes
    18 Posts
    558 Views

    @Gertjan said in Unknown connection:

    You use a pfSense. You're good.
    No traffic (that you don't want to) can come into WAN, whatever the source is. So, RFC1918, or something else, you don't care.

    Yea, I'm in love with pfSense, are you?

  • Firewall Rules Not Being Enforced

    34
    0 Votes
    34 Posts
    2k Views
    LPD7

    @SteveITS @kiokoman Just wanted to thank you for all of your help. Everything is working as planned and I have a better understanding of how this works and how to troubleshoot. I am sure we will cross paths again and look forward to future insights.

  • Firewall rules for double NAT

    1
    0 Votes
    1 Posts
    136 Views
    No one has replied
  • Rule Block traffic from port 0

    5
    0 Votes
    5 Posts
    511 Views

    @johnpoz Ok, thanks.

  • Deny outgoing traffic ipv6 for one device/phone

    Moved
    7
    0 Votes
    7 Posts
    423 Views
    JKnott

    @johnpoz said in Deny outgoing traffic ipv6 for one device/phone:

    then not using IPv6 is a very simple solution..

    Not using IPv6 is a broken "solution". IPv4 has been inadequate since the day it became necessary to use NAT to get around the address shortage. The world should get off its butt and move to IPv6, instead of the hack on hack that IPv4 requires. As for 1 application that requires IPv6, take a look at your cell phone. IPv6 is mandatory for 4G & 5G cell networks, as they use VoIP and using IPv4 and all the horseshit it requires would create an unworkable mess. Comcast also moved to IPv6 years ago, because their network was getting too large to manage with IPv4.

    I would question the competence of any network professional that thinks IPv4 is good enough.

  • Sanity check for basic firewall rules

    7
    0 Votes
    7 Posts
    457 Views

    @SteveITS said in Sanity check for basic firewall rules:

    @gld said in Sanity check for basic firewall rules:

    rules for the OPTX interface (which are not associated with the firewall)

    Then what is it? I'm a bit confused. OPT1/2/3/etc are the default names when adding more interfaces than WAN and LAN. Which some models call PORT1WAN for example. The documentation just assumes you've added OPT1 and need to configure it. You can name it anything, like DMZ or MYLAB.

    "OPT1 subnets" would be any subnet assigned to the OPT1 interface.

    I was using, as an example, the example in the documentation you referenced. The table in the documentation has the title, "Example firewall rules for isolated LAN type segment". Yes I understand everything you say here.

    If you don't have a pass rule for IPV6 then that traffic is not allowed. Each interface has a default block rule.

    My understanding is that to allow a subnet to get out on the Internet with an IPv6 address there must be an IPv6 pass rule.

    If the IPv6 addresses are automatically assigned then no you don't know the IPv6 subnets so using the aliases is probably better than creating your own aliases and having the IPv6 subnets change on you later. "PrivateNets" can be all RFC1918 subnets because those are known.

    IPv6 is much easier if you let it be automatic. Add it to WAN, set a prefix delegation request large enough (/57, /60, depends on what your ISP allows) and set the internal interface to Track Interface. Then pfSense will get an IPv6 for WAN, and assign a unique block for the internal interface.

    Yes. I was able to get this to work. I eventually got multiple subnets assigned IPv6 addresses. For them to get out to the Internet I had to add an IPv6 pass rule. After that, the firewall rules similar to the documentation example you cited and I copied earlier failed to isolate traffic between the subnets I was trying to keep isolated.

    I very well might have some significant misunderstandings about IPv6. I will probably take another run at that sometime in the future. For now I'm good.

  • How to block traffic based on URL pattern?

    3
    0 Votes
    3 Posts
    224 Views

    @bmeeks

    Thank you so much for such a detailed explanation. It makes sense why all my trials went in vain…

    I will not overload the hardware with additional software that may or may not work.

    For all of our web-facing servers, they are behind load balancers, and it makes sense to use the load balancers to kill such traffic…

    Appreciate your help so much

    Happy thanksgiving to you, family and all pfSense users ☺️

  • notice/kernel:Limiting ICMPv6 destination unreachable output from

    1
    0 Votes
    1 Posts
    121 Views
    No one has replied
  • non-existing rule is lets subnet pass

    4
    0 Votes
    4 Posts
    231 Views

    @NogBadTheBad

    made sense, so I tried it, didn't solve the problem, but finally led me to bump the max table entries under System > Advanced, Firewall/NAT tab, which solved the problem.

    Thank you very much.

  • Question about firewall rules for domain only computers

    15
    0 Votes
    15 Posts
    823 Views

    @killmasta93
    well, FreeRADIUS is built in to pfSense, to me it makes sense to take advantage of an already existing service. No, I think there are two processes: the DHCP will hand out an IP and then the validation via the RADIUS server would follow.

  • Trouble with allowing outside connection with domain name

    2
    0 Votes
    2 Posts
    143 Views

    @Gamienator-0 High traffic web sites or content delivery networks will often rotate IP addresses sometimes every minute. That one has a very short TTL:

    download.proxmox.com. 61 IN CNAME download.cdn.proxmox.com.
    download.cdn.proxmox.com. 12 IN CNAME us.na.cdn.proxmox.com.
    us.na.cdn.proxmox.com. 12 IN CNAME na.cdn.proxmox.com.
    na.cdn.proxmox.com. 59 IN A 66.70.154.82

    pfSense looks up the IP every 5 minutes by default. There will always be a chance the DNS lookup is not the same IP every time you check it, even if it is a few seconds later.

    The pfBlocker package can create aliases from ASNs which are basically IP blocks you can look up by company name.
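    The mismatch described in the post above can be checked offline. The following is an added example, not code from the post or from pfSense: it parses a dig-style answer section, follows the CNAME chain to the final address records, and reports the effective TTL (the smallest TTL on the chain) against the alias refresh interval the post quotes (300 seconds). The sample records are the four lines quoted above, embedded here as a constructed string; the `ALIAS_REFRESH_SECONDS` constant and the `max_stale_seconds` figure (refresh interval minus effective TTL, the longest the alias table could keep an address the CDN has already rotated away from) are this example's own assumptions.

```python
"""Effective TTL of a CNAME chain vs. a fixed hostname-alias refresh interval.

Added example (not from the forum post). Input is a dig-style answer
section; output is the resolved addresses, the effective TTL and how long
a periodically refreshed alias could hold a stale address.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# pfSense re-resolves hostname aliases every 5 minutes by default, per the post.
ALIAS_REFRESH_SECONDS = 300

# Constructed sample: the answer section quoted in the post.
SAMPLE_ANSWER = """
download.proxmox.com. 61 IN CNAME download.cdn.proxmox.com.
download.cdn.proxmox.com. 12 IN CNAME us.na.cdn.proxmox.com.
us.na.cdn.proxmox.com. 12 IN CNAME na.cdn.proxmox.com.
na.cdn.proxmox.com. 59 IN A 66.70.154.82
"""

# "<owner> <ttl> IN <type> <rdata>" as printed by dig; other types are ignored.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def _fqdn(name: str) -> str:
    """Normalise to lowercase with a single trailing dot, as dig prints names."""
    return name.lower().rstrip(".") + "."


def parse_answers(text: str) -> List[Record]:
    """Parse A/AAAA/CNAME lines; blank, comment and unknown lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        target = _fqdn(rdata) if rtype == "CNAME" else rdata
        records.append(Record(_fqdn(name), int(ttl), rtype, target))
    return records


def resolve_chain(records: List[Record], qname: str) -> Tuple[List[str], int, List[str]]:
    """Follow CNAMEs from qname to address records.

    Returns (addresses, effective_ttl, chain). The effective TTL is the
    minimum TTL along the chain, because the whole answer is only valid as
    long as its shortest-lived link. Raises ValueError on a CNAME loop or a
    name with no answer.
    """
    by_name: Dict[str, List[Record]] = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)

    name = _fqdn(qname)
    chain = [name]
    seen = set()
    min_ttl = None
    while True:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrs = by_name.get(name, [])
        addrs = [r for r in rrs if r.rtype in ("A", "AAAA")]
        cnames = [r for r in rrs if r.rtype == "CNAME"]
        if addrs:
            ttl = min(r.ttl for r in addrs)
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
            return [r.rdata for r in addrs], min_ttl, chain
        if not cnames:
            raise ValueError(f"no A/AAAA/CNAME answer for {name}")
        link = cnames[0]  # a name may carry only one CNAME
        min_ttl = link.ttl if min_ttl is None else min(min_ttl, link.ttl)
        name = link.rdata
        chain.append(name)


def staleness_report(records: List[Record], qname: str,
                     refresh: int = ALIAS_REFRESH_SECONDS) -> dict:
    """Compare the effective TTL with the alias refresh interval (assumption:
    the CDN may hand out a different address as soon as the TTL expires)."""
    addrs, ttl, chain = resolve_chain(records, qname)
    return {
        "addresses": addrs,
        "chain": chain,
        "effective_ttl": ttl,
        "refresh_seconds": refresh,
        # worst case: alias refreshed just before a rotation, then not again
        # until the next interval
        "max_stale_seconds": max(0, refresh - ttl),
        "refresh_too_slow": refresh > ttl,
    }


if __name__ == "__main__":
    report = staleness_report(parse_answers(SAMPLE_ANSWER), "download.proxmox.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

    With the quoted records the effective TTL is 12 seconds, so a 300-second alias refresh can lag a rotation by up to 288 seconds; lowering the alias refresh only narrows that window, it cannot close it, which is why the post points at ASN or CIDR-based aliases instead.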

  • Scripting for VPN detection

    12
    0 Votes
    12 Posts
    2k Views

    Take a look at the ipquery.io docs

  • Double or Triple Nesting Aliases

    2
    0 Votes
    2 Posts
    133 Views
    planedrop

    As an update, I have confirmed this works as expected by checking the tables after nesting aliases within aliases within aliases.

    I figured it would work, great to know, can really help clean things up in large environments.

  • Microsoft 365 and pfSense

    14
    0 Votes
    14 Posts
    3k Views
    tinfoilmatt

    @mohkhalifa said in Microsoft 365 and pfSense:

    Microsoft created a JSON file that includes all M365 firewall rules. Is there any idea to add it to pfSense instead of creating them manually, as there are too many?

    Thank you

    https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7

    We use pfBlockerNG—specifically its (JSON, yes) parser and floating auto-rule creation functionality—to accomplish outbound IP whitelisting to M365/O365 endpoints.

    Any domains that may need to be whitelisted would need to be done so manually and depend entirely on what's otherwise DNSBL-blocked (if anything) in your environment.
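    For anyone who wants to see what a parser for that endpoint feed has to do before the result can become pfSense aliases, here is an added example; it is not pfBlockerNG's code and not from this thread. It follows the published shape of the endpoint JSON (an array of objects with `serviceArea`, `urls`, `ips`, `tcpPorts`, `udpPorts`, `category`, `required`), but the sample feed below is constructed with documentation address ranges and example.com-style names, not real Microsoft data. It keeps only `required` entries by default, splits IPv4 from IPv6 because pfSense network aliases are per address family, collapses overlapping prefixes, and separates wildcard hostnames, which a hostname alias cannot resolve and which are the entries the post says must be handled manually. The function names and the `alias_import_text` helper are this example's own.

```python
"""Turn an M365-style endpoint feed into alias-ready lists.

Added example (not pfBlockerNG or pfSense code). The feed shape follows the
published endpoint JSON; the sample content is constructed.
"""
import ipaddress
import json
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample feed: documentation ranges and example domains only.
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 1, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
   "urls": ["outlook.example.com", "*.mail.protection.example.com"],
   "ips": ["198.51.100.0/24", "198.51.100.0/25", "2001:db8:1::/48"],
   "tcpPorts": "80,443", "expressRoute": true, "category": "Optimize", "required": true},
  {"id": 2, "serviceArea": "Skype", "serviceAreaDisplayName": "Teams",
   "ips": ["203.0.113.0/26"],
   "tcpPorts": "443", "udpPorts": "3478,3479,3480,3481",
   "expressRoute": true, "category": "Optimize", "required": true},
  {"id": 3, "serviceArea": "Common", "serviceAreaDisplayName": "Common",
   "urls": ["*.cdn.example.net"],
   "tcpPorts": "443", "expressRoute": false, "category": "Default", "required": false}
]
"""


def load_endpoints(text: str) -> List[dict]:
    """Parse the feed; it must be a JSON array of endpoint-set objects."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of endpoint sets")
    return data


def split_ports(spec: Optional[str]) -> Set[int]:
    """'80,443' -> {80, 443}; missing or empty -> empty set."""
    return {int(p) for p in (spec or "").split(",") if p.strip()}


def build_aliases(endpoints: Iterable[dict], required_only: bool = True,
                  categories: Optional[Set[str]] = None) -> Dict[str, list]:
    """Collect addresses, ports and names from the selected endpoint sets.

    required_only drops optional sets; categories (e.g. {"Optimize"}) keeps
    only those categories. Prefixes are collapsed per address family so the
    resulting alias has no redundant entries. Wildcard names are returned
    separately: a hostname alias resolves names, and "*.x" cannot be
    resolved, so those need manual (DNSBL-style) handling.
    """
    v4, v6 = set(), set()
    tcp, udp, names = set(), set(), set()
    for ep in endpoints:
        if required_only and not ep.get("required", False):
            continue
        if categories and ep.get("category") not in categories:
            continue
        for cidr in ep.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            (v4 if net.version == 4 else v6).add(net)
        names.update(ep.get("urls", []))
        tcp |= split_ports(ep.get("tcpPorts"))
        udp |= split_ports(ep.get("udpPorts"))
    return {
        "v4": [str(n) for n in ipaddress.collapse_addresses(v4)],
        "v6": [str(n) for n in ipaddress.collapse_addresses(v6)],
        "tcp_ports": sorted(tcp),
        "udp_ports": sorted(udp),
        "hostnames": sorted(n for n in names if not n.startswith("*.")),
        "wildcards": sorted(n for n in names if n.startswith("*.")),
    }


def alias_import_text(entries: Iterable[str]) -> str:
    """One entry per line, the form a bulk alias import expects (assumption)."""
    return "".join(f"{e}\n" for e in entries)


if __name__ == "__main__":
    aliases = build_aliases(load_endpoints(SAMPLE_ENDPOINTS_JSON))
    print("M365_v4 alias:\n" + alias_import_text(aliases["v4"]))
    print("M365_v6 alias:\n" + alias_import_text(aliases["v6"]))
    print("TCP ports:", aliases["tcp_ports"], "UDP ports:", aliases["udp_ports"])
    print("hostnames:", aliases["hostnames"])
    print("needs manual handling (wildcards):", aliases["wildcards"])
```

    The point of the wildcard split is the caveat the post makes: IP ranges map cleanly onto network aliases and auto-rules, but `*.`-style names in the feed are not something a resolver-backed alias can express, so they fall back to whatever DNSBL allow-listing the environment does by hand.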

  • Web gui stop working

    5
    0 Votes
    5 Posts
    268 Views

    @Gertjan said in Web gui stop working:

    The default pfSense LAN IP is 192.168.1.1/24 - that's not a public IP, it's RFC1918, also called "Block private networks".
    On the LAN, the DHCP server is activated.
    So, "attach" a device to your LAN, and it will obtain a DHCP lease (IP, network, DNS and gateway) and you can access the pfSense just fine.

    Yes, I know this way.
    You say I use pfSense from a device that is in the private network range, OK.

    So if I use the web GUI from LAN and from a private network, so it means I close WAN GUI access, can I use my WAN IP for NAT and other firewall rules like VPN too?

  • Synology active backup for office 365

    1
    0 Votes
    1 Posts
    142 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.