@johnpoz
Who said I am applying the rule on lan?
I'm aware interface rules are ingress only, sure.

Here's screenshot from netgate recommendation illustrating the floating rule on WAN
1000119912.png

Now, with that rule, as the doc says, you need an allow rule before it. The thing is that the allow rule must apply to all interfaces the filtered packet travels through and not only Wan
I suppose it is a strict security that the stateful inspection needs to track the packet through all its lifespan

@njaimo FWIW this was a common point of confusion when they added it to Plus a while back.

https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#packets-with-ip-options

As I understood it, the change was adding the log entry for the block. For our clients we added a rule at the bottom of the ruleset to block IGMP, set to not log, to avoid the noise.

Enabling IP Options is needed if the traffic should be passed.

This is how I force all rouge DNS to PiHole.

https://forum.netgate.com/topic/156453/pfsense-dns-redirect-to-local-dns-server?_=1671847956280

I'm not sure what it would be for that off-hand. But you should be able to enter config for anything that the resolver (Unbound) can do so:
https://man.freebsd.org/cgi/man.cgi?query=unbound.conf

A lot!

@JonathanLee said in To Default Reject Or Block That is the Question.:

I wanted to share this with you incase you ever asked the question what the difference its between block or reject...

A block just drops the packet, without any other response. A reject sends an ICMP message back advising why. You want to use block on the WAN, so that the attacker has no confirmation there's something there. Use reject on the LAN, so that an issue can be identified.

I have two more systems where pfsense is used. On all three systems everything worked without problems. After updating to the latest version, two systems work without errors and only one has a problem.
I compared the list and sizes of files on the pfsense website.
I found no differences. Perhaps there are other places where I could not look and check. Now I am trying to figure out the problem. It would be interesting to hear from the developer where to look. After all, it turns out that the IP address verification and conversion template does not work. I think that this is the same function that works when entering a new list and when displaying an existing one.
Tell me in which PHP file is this described?

Screenshot 2025-07-07 at 18.35.31.png

You know what it was I had it set to reject and not block HAHA I can't believe I didn't see that before, that is a Homer Simpson moment.

Screenshot 2025-07-07 at 18.38.12.png

This issue has since resolved itself though the root cause is unknown and there have been numerous changes made to the firewall between when it was last observed to not work vs. now when it is working.

@rasputinthegreatest normally hosting stuff on big cdn networks is not cheap - and would assume they do some vetting of what is being hosted/served. Not saying stuff can not be compromised - but seems unlikely some malware people would choose to host their crap there to be honest. While that cdn is not a global player to the likes of aws/azure or clouldflare, etc. They are not a ma and pop vps hoster ;)

Glad you got it figured out - and this thread might be very helpful for the next guy.

@Gertjan

I figured it out. It was my old IPSEC tunnel. It was capturing the traffic, so the rules never really impacted the traffic. Once I removed the IPSEC tunnel, the rules started working, as mentioned.

@viragomann Yes, actually, I made Allow any to any rules for all interface including bridge interfaces for testing. I wanted to see traffics going right direction and compare what I expected.
However, after I provides IP address to bridge, I'm getting less information from firewall.

From the firewall state, (PC-B to PC-A)
[Any 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH]
BRG2 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH
BRG1 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH

However, I found two solutions.

Creating rules in floating tab with enabling quick Make BRG1, BRG2 as a one interface group and creating rule.

I have no idea why those can be the solutions but seems like there's something related rule priority.

Thank you for taking care of my issue.

@johnpoz

Many thanks for the help, advise and comments noted.

Thanks again.

CC

@chris-doldolia Hello! You can safely make configuration changes on a running pfSense firewall, it's designed for that. Most settings apply immediately without needing a reboot, though some services (like IPsec, OpenVPN, or interface changes) may briefly interrupt traffic when restarted. Just make sure you have console or alternate access in case something goes wrong.

@johnpoz I am glad you also noticed it, I see it a lot on my proxy I decided to block it and see what breaks but nothing changed so far. I also have the DNS manually set on the iMac, so it should not attempt to use DoH

@Gertjan @JonathanLee ,

I appreciate your comments and your time for this.

I found that our ISP modem keeps sending login page when it thinks connection state is not made properly. (From development tool, I was able to see '302 Found - too many redirects')

The issue of this was NAT, because when my IP NATing to interface IP, source port kept changing as well.

I have created NAT rule with static port enabling, and it resolved my issue.

Thank you very much.

@CatSpecial202 The traffic is not being blocked because it is considered part of the RFC1918 space. Your rule is not a block rule, but rather a PASS rule (!RFC1918).
The traffic is blocked by your rule though - but thats because the IGMP multicast packets that was intended to be passed by the rule has IP options enabled that the default IP options filtering in the rule denies. Hence it blocks the traffic. Seach for IGMP filtering blocks traffic on this forum to understand the problem and configure your rule accordingly.

Fx: this thread https://forum.netgate.com/topic/187896/how-to-stop-logging-blocked-lan-igmp