@Gamienator-0 High traffic web sites or content delivery networks will often rotate IP addresses sometimes every minute. That one has a very short TTL:

download.proxmox.com. 61 IN CNAME download.cdn.proxmox.com.
download.cdn.proxmox.com. 12 IN CNAME us.na.cdn.proxmox.com.
us.na.cdn.proxmox.com. 12 IN CNAME na.cdn.proxmox.com.
na.cdn.proxmox.com. 59 IN A 66.70.154.82

pfSense looks up the IP every 5 minutes by default. There will always be a chance the DNS lookup is not the same IP every time you check it, even if it is a few seconds later.

The pfBlocker package can create aliases from ASNs which are basically IP blocks you can look up by company name.

@killmasta93
The freeRadius server would do this. Any employee sneaking in their personal laptop or tablet would not hookup because of the lack of certificates and access to the FreeRadius server.
The problem with my plan below is to create the static ARP list you have to have employees laptop and tablets network adapter MAC addresses - difficult to get.

Before you go forward, from my perspective you are would be using as much labor to implement the FreeRadius server as to use static ARP entries on the DHCP server.
Realistically, how many employees/workers are actually getting on the domain and access the internet inappropriately? It does not make sense to lock down everyone when the culprits are , 10%, 5%. Way easier, in my opinion, to assign a static ARP on your LAN for the few violators, develop an alias from this list and put a block list to the internet from the LAN.
As you catch other employees it is easy enough to add.

Take a look at the ipquery.io docs

I like to know this to!

As an update, I have confirmed this works as expected by checking the tables after nesting aliases within aliases within aliases.

I figured it would work, great to know, can really help clean things up in large environments.

@mohkhalifa said in Microsoft 365 and pfSense:

Microsoft created a JSON file includes all M365 firewall rules. Is there any idea to add it to pfSense instead-of creating them manually as they are too much.

Thank you

https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7

we use pfBlockerNG—specifically its (JSON, yes) parser and floating auto-rule creation functionality—to accomplish outbound IP whitelisting to M365/O365 endpoints.

any domains that may need to be whitelisted would need to be done so manually and depend entirely on what's otherwise DNSBL-blocked (if anything) in your environment.

@Gertjan said in Web gui stop working:

The default pfSense LAN IP is 192.168.1.1/24 - that's not a public IP, it's RFC1918 also called ""Block private networks".
On the LAN, the DHCP server is activated.
So, "attach" a device to your LAN, and it will obtain a DHCP lease (IP, network, DNS and gateway) and you can access the pfSense just fine.

Yes I know this way,
You say I use pfsense from a device that is in private network range , OK

So If I use web gui from lan and from a private network so it mean I close wan GUI access, can I use my wan ip fro NAT and other firewall rules like VPN too?

@jimp Dude... You... are.... an... angel!!!!

I totally missed this and would never have thought of looking for this. You nailed it.

I just tried some scps just to see that uploading through the ipsec tunnel immediately failed and was suspecting my fibre provider etc. It was exactly as you suggested. Applying the patches and rebooting brought be back to a workable state and most likely will have solved my sshuttle problems as well.

I honestly cannot thank you enough! Well done mate!

@kprovost let me start out with two things:

Many thanks for your assistance. I really appreciate it. I obviously need more coffee... The target IP was a typo. I have not spotted that earlier since all my tcpdump were filtering for port 2055 only and of course I would have suspected to see outgoing packets of some sort (which I still do not understand why this was not the case).

However after fixing the typo netflows are being received now and I feel extremely stupid for not having that spotted earlier. Many thanks! Apologies!

@Rapho have youo read "Manually editing the configuration > Edit In Place" in the docs?

As in remove the /tmp/config.cache and restart/save/reload the part of the config you changed?

@Antibiotic look in your state table if client on your network is creating that traffic.. I take it that 92.x address is your pfsense wan IP..

Could be something inside your network trying to go there..

Example, if I try and go to https://10.0.0.1 my outbound rule blocks it.

rfc1918.jpg

If it was related to your vpn why would pfsense send it out your wan vs out your vpn.. Could just be a client on your network, my work laptop when the work vpn on it disconnects I see it trying to talk to work stuff on rfc1918 because yeah their are things in the work network its wanting to talk to - but the vpn is not connected.

From those vpn networks unless they have /8 for a tunnel mask, or there is something on remote network via those tunnels on 10.0 your wanting to talk to and you don't have routing setup right for what is on the other end of your vpn tunnels.

ugggh - I forgot to setup sniff for that dhcp traffic..

@SteveITS exactly.. Notice the RAs to those 3 IPs.. Its possible their was fin that closed the state but the client didn't get them for whatever reason, so it sent an RA (reset)..

@jacobrale I wouldn't worry about them too much to be honest.. Unless your log is just being flooded with them, then you might have something going on that you should look into. Those don't have anything to do with some dns related problem your having - again if your client was doing doh to google dns, it wouldn't be going to those IPs - so those for sure are not related to any sort of dns problem you might be having.

I personally don't even log default deny.. I log specific rules. And for noise coming into my wan, I only log syn blocks and common udp ports.. The rest of the noise I just have no desire to fill my logs with.

If something wasn't working and thought it might be helpful to see the default deny logs, can always click and they are now logged. But day to day its not really of interest to me to see a bunch of noise filling up my logs be it local side interfaces or the wan.

@tinfoilmatt I get your point. Whether you think my approach or the approach of doing it the way pfblocker has it is kind of semantics. People are given tools, how those tools are used is up to them. I personally like the tool that gives me more flexibility and control over what can or can't be done on my networks as I see necessary. If pfblocker is capable, I would like to know the secret.

PS. I still love and use pfblocker, so I'm not bashing on it here. I use pfblocker in the office. If I had a choice, I probably would run pi-hole there too, but it's easier to just enable pfblocker within pfsense and not have a separate server just for that.

@johnpoz At abuseipdb.com you can check it out.

@HChin_ said in Ingress Filtering question:

No rules defined. All incoming connections on this interface will be blocked until pass rules are added.”

But states are evaluated before rules. Pfsense is a stateful firewall, if you needed bidirectional rules you're talking just a packet filter from way back in the day before stateful firewalls ;) They were such a pita - hehehe, yeah dating myself haha

This gives users some issues creating block rules - if you allowed x to talk to y and x did talk to y and after you created a rule to block x from talking to y. X would still be allowed until the already existing state has been removed or timed out on its own, etc.

But a state can not be created unless a firewall rule allows the state to be created.

If it worked the way you were thinking then even if pfsense allowed something behind it to talk to say 8.8.8.8 and you have no rules on the wan, then 8.8.8.8 answer would be denied. The reason 8.8.8.8 is allowed to get back to the client behind pfsense is when you allowed the traffic with your lan rules a state was created to allow the return traffic.

Maybe looking in the state table under diagnostics will help you understand?

@bescher said in Error on firewall:

Unresolvable source alias 'pfB_PRI3_v4'

This feed contains a bunch of urls to about 4-5 feeds. If one of that feeds is unreachable it trows a error that affects the 'pfB_PRI3_v4' feed. Look what feeds are included in that 'pfB_PRI3_v4' and try to call each of the urls in a browser - so you can determine wich one is failing ... IMHO

My 2 cents,
fireodo

@Robust Have you solved the issue? Where did you find the Dropbear?

@Cowby01 said in file encryption:

I want to use pfSense along with some type of encryption to ensure that all server files are not accessible on machines outside the company network.

You can use pfSense as gate to your network. By default it lets traffic out but nothing in. You can also limit outbound direction if you desire.
But pfSense doesn't encrypt files, that are stored on any other hosts inside your network.

You can encrypt data in motion, when you want to access your servers from outside by using a VPN. This can be terminated on pfSense though.