• Firewall/NAT issue
    0 Votes, 3 Posts, 34 Views
    @viragomann I figured it out, I just had to restart my NAS.
• Why is the firewall filter sooo slow to access?
    0 Votes, 6 Posts, 81 Views
    johnpoz
    @Jabiru said in Why is the firewall filter sooo slow to access?: Has anyone else experienced this?
    As mentioned, how big are your logs, and how many entries do you display? I have my logs set to show the last 5000 entries, so it's not instant, but it doesn't take minutes. Do you have compression set up? So I just clicked into the firewall logs, and using the exact timing method of counting 1001, 1002, etc. in my head, it was about 10 seconds to display. And you will notice I display the last 5000 records. [image: 1761794633218-lopgs.jpg]
    Speed will for sure vary depending on what you're running pfSense on, number of logs, etc. etc. I think you can have a problem if you have tiny log files and you compress them, and then want to display a lot of records where pfSense has to open up logs that have been rotated and compressed. If I recall, there was some issue brought up with that quite some time ago about log compression. If you look at the setting, it is recommended not to use compression if you are using the ZFS file system, which has been around for a good long time.
    My log files are not as big as @Gertjan's at 2MB; mine are set to 1MB. I should probably increase mine; looks like I only go back a couple of days with my current rotation:
    -rw------- 1 root wheel  239079 Oct 29 22:30 filter.log
    -rw------- 1 root wheel 1030487 Oct 29 21:54 filter.log.0
    -rw------- 1 root wheel 1024324 Oct 29 15:45 filter.log.1
    -rw------- 1 root wheel 1023497 Oct 29 06:58 filter.log.2
    -rw------- 1 root wheel 1023468 Oct 28 23:09 filter.log.3
    -rw------- 1 root wheel 1025519 Oct 28 18:20 filter.log.4
    -rw------- 1 root wheel 1023953 Oct 28 12:26 filter.log.5
    edit: just bumped to 2MB and 8 logs vs the 6 I had.
• Confused with firewall rules for OpenVPN
    0 Votes, 2 Posts, 49 Views
    the other
    hey there, a look in your documentation gives an answer: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/firewall-rules.html See far down > Tip! :) In short: rules under the general OpenVPN tab are for all your OpenVPN servers on pfSense (in case you have more than one). So you can set separate rules for those... here I have (under Firewall > Rules tab): no rules at all for general OpenVPN, but rules set for my OpenVPN server "number1" (just an example).
• URL Table - Update Frequency trick
    0 Votes, 5 Posts, 2k Views
    UP, is there any way for this to resume?
• Rules not blocking inbound
    0 Votes, 8 Posts, 118 Views
    @johnpoz And thank you for pointing out that the outbound blocking rules don't do what I thought they did! :-)
• pfBlockerNG and Google Earth on Debian Trixie
    0 Votes, 3 Posts, 132 Views
    @Uglybrian, Thank you, I will give that a try. Stuart
• Default Deny Rules
    0 Votes, 15 Posts, 477 Views
    For other people's future reference: I had to switch to Ruckus Router Code and upgrade to their L3 Premium license to use the Policy-Based Routing feature. Once this feature was enabled, the policy-based routing was very simple, similar to Cisco policy-based routing. However, it seems, as far as I can tell, that due to the state-based nature of the Netgate, the policy-based routes I was trying to set up just did not work. Unfortunately, no one on this forum was able to provide a workaround using the pfSense platform.
• 0 Votes, 2 Posts, 71 Views
    @tross9 yes. There should be a tooltip if you hover over the X.
• 0 Votes, 16 Posts, 458 Views
    Thank you all for helping me. In the end I've managed to make it work. As you said, the following rule(s) were necessary to access devices on OPT1 and OPT2 respectively. [image: 1760577607694-4278df83-2799-41fa-a032-8ae0b9205d44-image.png]
    There are some things that I learned along the way:
    - When spoofing a MAC address, don't spoof it on the interface you are accessing the web GUI from.
    - Don't spoof the WAN MAC address while connected to the internet. Do it with the WAN port disconnected. Also, clear the DHCP leases on your upstream modem/router.
    - When you already have an enabled interface but then want to spoof its MAC address, delete the interface first and then recreate it with the spoofed MAC address. Re-enabling doesn't work properly.
    - Sometimes the device you're trying to access doesn't allow access from a different subnet. This is the case with my OpenWRT router, but my home server works flawlessly.
• TFTP cross vlan and TFTP proxy
    0 Votes, 13 Posts, 379 Views
    stephenw10
    Yes, I reproduced it here and asked our devs about it, who confirmed the likely cause. Work is in progress.
• Nxfilter not working with pfsense captive portal
    0 Votes, 2 Posts, 154 Views
    It worked! I needed to add the NxFilter IP in Captive Portal > Allowed IP Addresses... however, for blocked sites, for example in the Porn category, the NxFilter blocking page is not displayed; the browser just keeps spinning without reaching the site. I will continue looking for a solution for this. [image: 1760523860187-1dbf1da9-2786-446f-8ac2-30b77b06b1a3-image.png]
• inbound stun traffic disappearing
    0 Votes, 2 Posts, 106 Views
    Just to prove to myself that I'm not a complete idiot, I have set up a VPS and installed eturnal there. It functions perfectly fine there. (It is not behind a pfSense, but I have enabled ufw. To be fair, the setup in my home lab is much more complex than that of the VPS. But bottom line: I can set up eturnal to work. So it would seem to be my inability to configure pfSense.)
• Prioritizing WAN gateway monitoring ICMP traffic
    0 Votes, 1 Posts, 94 Views
    No one has replied
• Is it possible to redirect local traffic
    0 Votes, 4 Posts, 3k Views
    I just wanted to follow up and not leave you guys hanging. I realized that only web traffic needed to be behind the reverse proxy (for the WebIF), whereas SIP and RTP did not. I am already using split DNS, but I set up one DNS entry for PBX.fqdn that points to my reverse proxy, and SIP.fqdn to point to my actual server. That way, my phones can be directed to the SIP server, and my web browser to my proxy. Done. However, since I disabled all IPv6 traffic on my network, I was having issues connecting from outside, as was mentioned. Now I have the PBX system moved to a $5/month cloud server. Time will tell if it has enough resources to accommodate my usage. It has a setup similar to the aforementioned.
• Allow firewall rules for home lab
    0 Votes, 5 Posts, 194 Views
    @viragomann Thank you, I appreciate it. The aim is to allow access to my VMs from the WAN side (home network) and effectively use the pfSense device as a router with the NAT functionality enabled for the LAN side VMs to access the internet.
• OPT1 Firewall Rules
    0 Votes, 26 Posts, 908 Views
    johnpoz
    @turku31 so what was it? Nice to leave what you found as the problem, to possibly help the next guy out.
• Return unique identifier when packet is received from outside system
    0 Votes, 3 Posts, 140 Views
    @martinez Thank you for your help and input! I'm aware of several ways that I could handle this, most of which involve opening a port and running a program on either the local or remote side. When faced with the issue I thought, wouldn't it be nice if something that already exists and is well tested could be "used" in such a way that it solves the problem without introducing more risk, which is why I asked the question here. If there is no such option using the firewall directly, then a WireGuard tunnel between pfSense and the remote system might be the best option?! Allow incoming ICMP on the WireGuard interface only, block everything else. The connection would be via dyndns entries and will only be active, and the ping possible, if the DNS entry is up to date, so a simple ping to the pfSense's WireGuard interface IP address would indicate dyndns is up to date. Or are there better options?
• TCP:SAE
    0 Votes, 4 Posts, 208 Views
    johnpoz
    @kojol Why would your traffic be asymmetrical? That is your problem: fix the asymmetrical flow. So I take it your client is 10.3 and he is sending his SYN to this 10.2 box on port 8009, but that did not flow through pfSense; if it did, pfSense would create a state and allow the return traffic (SYN,ACK). You have a masking problem; do you have common L2? When you create segmentation in your network, traffic should flow through pfSense in both directions. If pfSense sees some SYN,ACK and it never saw the SYN to open the state, then yeah, your traffic would be blocked. If your segments are properly isolated, there should be no way possible for 10.3 to talk to your other segment at 10.2 without flowing through pfSense. And the same goes for the return traffic. Do you have a common L2 network and a mismatched mask, where your client on 10.3 thinks 10.2 is on its network and just sends the traffic there directly, but your device on 10.2 thinks 10.3 is a different network, so it sends its reply (SA) to pfSense?
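Added example to go with johnpoz's reply above (it is not code from the thread or from pfSense): a small model of the asymmetric flow he describes. A client whose subnet mask overlaps the other segment delivers its SYN directly over a shared L2, the server routes its SYN/ACK back through the firewall, and a state-tracking firewall drops that SYN/ACK because it never saw the SYN. The addresses expand the post's "10.3"/"10.2" shorthand to 10.0.3.0/24 and 10.0.2.0/24; the hosts, masks, port and the simplified state table are all assumptions.

```python
"""Added example, not from the thread: model why a mismatched subnet mask
produces an asymmetric flow and why pf then blocks the SYN/ACK (TCP:SA).
Hosts, masks and the state-table behaviour below are assumptions."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    prefix: int      # the mask configured on this host (may be wrong)
    gateway: str     # pfSense interface address this host routes through

    @property
    def on_link(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.ip}/{self.prefix}", strict=False)


def next_hop(src: Host, dst_ip: str) -> str:
    """Where src sends a packet for dst_ip: 'direct' if dst falls inside
    src's *own* idea of its subnet, otherwise via its gateway (the firewall)."""
    return "direct" if ipaddress.ip_address(dst_ip) in src.on_link else src.gateway


def flow_is_symmetric(a: Host, b: Host) -> bool:
    """Both directions must traverse the firewall for pf to see SYN and SYN/ACK."""
    return next_hop(a, b.ip) != "direct" and next_hop(b, a.ip) != "direct"


@dataclass
class StatefulFirewall:
    """Minimal pf-style state table: a SYN admitted by a pass rule creates a
    state; a SYN/ACK with no matching state is dropped, which is what pfSense
    logs as a TCP:SA block even when a pass rule covers the server's subnet."""
    states: set = field(default_factory=set)

    def packet(self, src: str, sport: int, dst: str, dport: int, flags: str) -> str:
        if flags == "S":
            self.states.add((src, sport, dst, dport))
            return "pass (state created)"
        if flags == "SA":
            return "pass" if (dst, dport, src, sport) in self.states else "block TCP:SA"
        raise ValueError("only S and SA are modelled")


def simulate_handshake(client: Host, server: Host, dport: int = 8009,
                       shared_l2: bool = True) -> list:
    """Trace SYN and SYN/ACK. A packet reaches pf only when it is routed via
    the gateway. Direct delivery works only if both hosts share an L2 segment
    (johnpoz's 'common L2' question); otherwise the packet is simply lost."""
    fw, sport, log = StatefulFirewall(), 50000, []
    legs = [("SYN", client, server, client.ip, sport, server.ip, dport, "S"),
            ("SYN/ACK", server, client, server.ip, dport, client.ip, sport, "SA")]
    for name, sender, receiver, src, sp, dst, dp, flags in legs:
        if next_hop(sender, receiver.ip) != "direct":
            log.append(f"{name}: {fw.packet(src, sp, dst, dp, flags)}")
        elif shared_l2:
            log.append(f"{name}: bypassed firewall")   # delivered on-link, pf never sees it
        else:
            log.append(f"{name}: lost (no L2 path to {receiver.ip})")
            break
    return log


# Constructed hosts: the client's /16 mask swallows the server's /24 segment.
CLIENT_BAD = Host("client", "10.0.3.50", 16, "10.0.3.1")
CLIENT_OK = Host("client", "10.0.3.50", 24, "10.0.3.1")
SERVER = Host("server", "10.0.2.20", 24, "10.0.2.1")

if __name__ == "__main__":
    for c in (CLIENT_BAD, CLIENT_OK):
        print(f"client /{c.prefix}: symmetric={flow_is_symmetric(c, SERVER)}",
              simulate_handshake(c, SERVER))
```

With the wrong /16 mask the SYN never crosses pfSense and the SYN/ACK is blocked; with the correct /24 mask both legs pass through the firewall and the SYN/ACK matches the state. Without a shared L2 the mis-masked client's SYN is simply lost, which is why the segments being "properly isolated" matters as much as the mask.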
• pfSense Slow Inter-Subnet Traffic: 1Gb LAN to 10Gb TrueNAS
    0 Votes, 5 Posts, 281 Views
    @SteveITS yes, I totally agree; I wouldn't think that with something like this I will have issues. Unfortunately, I still have no luck with this. I have rules in place like this:
    pfctl -s rules | grep 192.168.140
    block drop in log on ! cxgb0 inet from 192.168.140.0/24 to any ridentifier 1000005670
    block drop in log inet from 192.168.140.1 to any ridentifier 1000005670
    pass in quick on cxgb0 inet proto udp from any port = bootpc to 192.168.140.1 port = bootps keep state (if-bound) label "allow access to DHCP server" ridentifier 1000005692
    pass out quick on cxgb0 inet proto udp from 192.168.140.1 port = bootps to any port = bootpc keep state (if-bound) label "allow access to DHCP server" ridentifier 1000005693
    **pass in quick on cxgb0 inet from 192.168.140.0/24 to any no state label "USER_RULE: Test rule for the chelsio card" label "id:1760030697" ridentifier 1760030697**
    Then there is the rule on the other interface:
    pfctl -s rules | grep 192.168.120
    pass in quick on ix1 inet proto udp from any port = bootpc to 192.168.120.1 port = bootps keep state (if-bound) label "allow access to DHCP server" ridentifier 1000002542
    pass out quick on ix1 inet proto udp from 192.168.120.1 port = bootps to any port = bootpc keep state (if-bound) label "allow access to DHCP server" ridentifier 1000002543
    pass in quick on ix1 inet from 192.168.120.0/24 to any no state label "USER_RULE: Test rule for the Chelsio card" label "id:1760030595" ridentifier 1760030595
    If I disable the firewall globally, there is traffic like so:
    Connecting to host 192.168.140.10, port 5201
    [  5] local 192.168.120.116 port 58272 connected to 192.168.140.10 port 5201
    [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
    [  5]   0.00-1.00   sec   114 MBytes   953 Mbits/sec    0    424 KBytes
    [  5]   1.00-2.00   sec   112 MBytes   944 Mbits/sec    0    597 KBytes
    [  5]   2.00-3.00   sec   111 MBytes   927 Mbits/sec    0    626 KBytes
    [  5]   3.00-4.00   sec   112 MBytes   938 Mbits/sec    0    658 KBytes
    [  5]   4.00-5.00   sec   111 MBytes   933 Mbits/sec    0    765 KBytes
    [  5]   5.00-6.00   sec   111 MBytes   933 Mbits/sec    0    803 KBytes
    [  5]   6.00-7.00   sec   111 MBytes   933 Mbits/sec    0    841 KBytes
    [  5]   7.00-8.00   sec   112 MBytes   944 Mbits/sec    0    841 KBytes
    [  5]   8.00-9.00   sec   111 MBytes   933 Mbits/sec    0    841 KBytes
    [  5]   9.00-10.00  sec   111 MBytes   933 Mbits/sec    0    881 KBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bitrate         Retr
    [  5]   0.00-10.00  sec  1.09 GBytes   937 Mbits/sec    0             sender
    [  5]   0.00-10.00  sec  1.09 GBytes   934 Mbits/sec                  receiver
    iperf Done.
    If I enable the firewall, there is this:
    Connecting to host 192.168.140.10, port 5201
    [  5] local 192.168.120.116 port 47334 connected to 192.168.140.10 port 5201
    [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
    [  5]   0.00-1.00   sec   419 KBytes  3.43 Mbits/sec    2   1.41 KBytes
    [  5]   1.00-2.00   sec  0.00 Bytes   0.00 bits/sec     1   1.41 KBytes
    [  5]   2.00-3.00   sec  0.00 Bytes   0.00 bits/sec     0   1.41 KBytes
    [  5]   3.00-4.00   sec  0.00 Bytes   0.00 bits/sec     1   1.41 KBytes
    [  5]   4.00-5.00   sec  0.00 Bytes   0.00 bits/sec     0   1.41 KBytes
    [  5]   5.00-6.00   sec  0.00 Bytes   0.00 bits/sec     0   1.41 KBytes
    [  5]   6.00-7.00   sec  0.00 Bytes   0.00 bits/sec     1   1.41 KBytes
    [  5]   7.00-8.00   sec  0.00 Bytes   0.00 bits/sec     0   1.41 KBytes
    [  5]   8.00-9.00   sec  0.00 Bytes   0.00 bits/sec     0   1.41 KBytes
    [  5]   9.00-10.00  sec  0.00 Bytes   0.00 bits/sec     0   1.41 KBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bitrate         Retr
    [  5]   0.00-10.00  sec   419 KBytes   343 Kbits/sec    5             sender
    [  5]   0.00-10.00  sec  65.0 KBytes  53.3 Kbits/sec                  receiver
    iperf Done.
    I don't know what is going on and what is stopping the traffic, even though it is allowed. I also updated the system to 2.8.1 this morning, but this did not make any change. Ideas, guys?
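Added example (not code from the thread, from pfSense or from the poster): a parser for the `pfctl -s rules` lines quoted above, plus a first-match lookup that reports which rule pf would apply to each direction of the iperf flow and whether that rule tracks state. The ruleset is the poster's own output with the bold markers removed; the flow addresses are the ones in the iperf run. The matcher checks interface, direction, protocol and addresses only (ports are ignored, which is enough for this ruleset), and it diagnoses nothing; it just makes the ruleset's state-tracking choices visible so the follow-up question can be asked precisely.

```python
"""Added example, not from the thread: parse `pfctl -s rules` output and look
up the rule pf applies to a flow (last match wins unless a match is quick).
RULESET is the poster's output; addresses come from the iperf run above."""
import ipaddress
import shlex

RULESET = """\
block drop in log on ! cxgb0 inet from 192.168.140.0/24 to any ridentifier 1000005670
block drop in log inet from 192.168.140.1 to any ridentifier 1000005670
pass in quick on cxgb0 inet proto udp from any port = bootpc to 192.168.140.1 port = bootps keep state (if-bound) label "allow access to DHCP server" ridentifier 1000005692
pass out quick on cxgb0 inet proto udp from 192.168.140.1 port = bootps to any port = bootpc keep state (if-bound) label "allow access to DHCP server" ridentifier 1000005693
pass in quick on cxgb0 inet from 192.168.140.0/24 to any no state label "USER_RULE: Test rule for the chelsio card" label "id:1760030697" ridentifier 1760030697
pass in quick on ix1 inet proto udp from any port = bootpc to 192.168.120.1 port = bootps keep state (if-bound) label "allow access to DHCP server" ridentifier 1000002542
pass out quick on ix1 inet proto udp from 192.168.120.1 port = bootps to any port = bootpc keep state (if-bound) label "allow access to DHCP server" ridentifier 1000002543
pass in quick on ix1 inet from 192.168.120.0/24 to any no state label "USER_RULE: Test rule for the Chelsio card" label "id:1760030595" ridentifier 1760030595
"""


def parse_rule(line: str) -> dict:
    """Tokenise one pfctl rule line; shlex keeps quoted labels as one token."""
    t = shlex.split(line)
    r = {"action": t[0], "direction": None, "iface": None, "iface_neg": False,
         "log": False, "quick": False, "proto": "any", "src": "any", "dst": "any",
         "sport": None, "dport": None, "state": None, "labels": [], "rid": None}
    i = 1
    if r["action"] == "block" and t[i] in ("drop", "return"):
        i += 1                                  # block sub-action, irrelevant for matching
    r["direction"] = t[i]
    i += 1
    while i < len(t):
        w = t[i]
        if w in ("log", "quick"):
            r[w] = True; i += 1
        elif w == "on":
            i += 1
            if t[i] == "!":
                r["iface_neg"] = True; i += 1   # "on ! cxgb0": every interface except cxgb0
            r["iface"] = t[i]; i += 1
        elif w in ("inet", "inet6"):
            i += 1                              # address family; only inet appears here
        elif w == "proto":
            r["proto"] = t[i + 1]; i += 2
        elif w in ("from", "to"):
            r["src" if w == "from" else "dst"] = t[i + 1]; i += 2
        elif w == "port":                       # "port = name" belongs to the side just parsed
            side = "dport" if "to" in t and i > t.index("to") else "sport"
            r[side] = t[i + 2]; i += 3
        elif w in ("keep", "modulate", "synproxy", "no") and t[i + 1] == "state":
            r["state"] = f"{w} state"; i += 2
            if i < len(t) and t[i].startswith("("):
                i += 1                          # state options such as (if-bound)
        elif w == "label":
            r["labels"].append(t[i + 1]); i += 2
        elif w == "ridentifier":
            r["rid"] = int(t[i + 1]); i += 2
        else:
            raise ValueError(f"unhandled token {w!r} in: {line}")
    return r


def parse_ruleset(text: str) -> list:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(r: dict, iface: str, direction: str, proto: str, src: str, dst: str) -> bool:
    if r["direction"] != direction or r["proto"] not in ("any", proto):
        return False
    if r["iface"] is not None and (r["iface"] == iface) == r["iface_neg"]:
        return False
    return _addr_match(r["src"], src) and _addr_match(r["dst"], dst)


def applied_rule(rules: list, iface: str, direction: str, proto: str, src: str, dst: str):
    """pf semantics: the last matching rule wins unless a matching rule is quick."""
    winner = None
    for r in rules:
        if matches(r, iface, direction, proto, src, dst):
            winner = r
            if r["quick"]:
                break
    return winner


def stateless_pass_rules(rules: list) -> list:
    """ridentifiers of pass rules written 'no state': traffic they admit creates
    no state entry, so the reply is judged by the other interface's rules alone."""
    return [r["rid"] for r in rules if r["action"] == "pass" and r["state"] == "no state"]


RULES = parse_ruleset(RULESET)
FORWARD = ("ix1", "in", "tcp", "192.168.120.116", "192.168.140.10")   # iperf client -> server
REPLY = ("cxgb0", "in", "tcp", "192.168.140.10", "192.168.120.116")   # server -> client

if __name__ == "__main__":
    for name, flow in (("forward", FORWARD), ("reply", REPLY)):
        r = applied_rule(RULES, *flow)
        print(f"{name}: rid={r['rid']} state={r['state']!r} labels={r['labels']}")
    print("stateless pass rules:", stateless_pass_rules(RULES))
```

Run against the quoted ruleset, both directions of the iperf flow land on the two "Test rule for the Chelsio card" entries, and both of those are the only pass rules carrying `no state`; the DHCP rules keep state with `(if-bound)`. That is the fact worth stating in the thread, whatever the eventual cause turns out to be.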
• LDAPS 636 problems with pfsense
    0 Votes, 12 Posts, 6k Views
    I can verify that a (public) wildcard cert does not work; the specific hostname must be present in the certificate. I think this is not really well documented, because I struggled with debugging this a few yahren ago myself.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.