Firewalling

• C

  Random loss of Internet access on XG-7100 from LAN clients
  • claferriere  

  5
  0
  Votes
  5
  Posts
  35
  Views

  C

  @jimp Will do, thanks.
• R

  TCP:R blocks with open rules
  • rml_52  

  6
  0
  Votes
  6
  Posts
  55
  Views

  R

  @KOM I believe everything is working for the apps needed traffic but the state table is filling up and nothing is closing because the reset is blocked. I created a rule to allow the traffic but it's not working because its not a routed network on the interface and I dont know how to fix that... Granted the system should be bridging and masking all traffic out eth0 as 192.168.5.2 and not 172.17.0.2 so I am in other forums trying to fix that but also dont want issues from reset blocks and state table. And if they cant fix it on the server then i want the firewall to allow it
• R

  Forwarded ports can't be accessed when using other ISP
  • rjabellax5  

  8
  0
  Votes
  8
  Posts
  74
  Views

  R

  Solved my own problem by disabling the rule associated by my limiter. Thanks Mr Derelict for the time.
• N

  Allow specific access from DMZ to Internal Server
  • nfld_republic  

  9
  0
  Votes
  9
  Posts
  56
  Views

  

  So it was the source port after all. Glad to here you got it working.
• L

  How to avoid asymmetric routing between subnets / VLANS!?
  • louis2  

  3
  0
  Votes
  3
  Posts
  87
  Views

  

  Yeah, I don't see asymmetry there. @louis2 said in How to avoid asymmetric routing between subnets / VLANS!?: The Firewall logging is indicating TCP:S That means the traffic is not being passed on the interface you are seeing those logged on. Check your rule set. In asymmetric situations you might see blocks for other flags like TCP:SA, TCP:FA because the firewall is seeing traffic for part of the TCP connection and it hasn't seen the TCP:S[YN] first because the TCP traffic is going through different interfaces, aka asymmetrically.
• 

  blocked vpn connectivity
  • High_Voltage  

  10
  0
  Votes
  10
  Posts
  72
  Views

  

  Here or General Questions.
• N

  Unable to block wyzecam
  • normaluser99  

  5
  0
  Votes
  5
  Posts
  34
  Views

  A

  Forgot to ask... do you want/need to monitor them from "outside" your LAN network? Jeff
• N

  Protect Systems behind pfsense for SACK Panic - CVE-2019-11477?!
  • neti  

  14
  0
  Votes
  14
  Posts
  686
  Views

  

  @neti said in Protect Systems behind pfsense for SACK Panic - CVE-2019-11477?!: My Question is how can i protect Servers behind the pfsense? Can i use synproxy to protect the Servers? Can i use pf scrubbing? I cannot find any filter option for min or max mss. pf doesn't have an option to check the MSS explicitly. There is a scrub option to enforce a maximum MSS, but that's it. The scrub function doesn't check for a minimum MSS as far as I can see. I'm not sure if synproxy would help you, it may introduce some other problems as well. Worth a try if you have an exploit test you can run against a vulnerable system.
• 

  pfsense blocking discord app connectivity
  • High_Voltage  

  1
  0
  Votes
  1
  Posts
  18
  Views

  No one has replied

• G

  Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=
  • Gr8Britton  

  19
  0
  Votes
  19
  Posts
  92
  Views

  

  @Gr8Britton said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=: @bmeeks Ah, I see that now. There is a tab titled WAN Rules. Well, I probably can't figure out what it was, but it should be good now. Thanks! You can see exactly which Snort rule blocked by going to the ALERTS tab, choosing the WAN interface in the drop-down at the top, and then looking through the list of alerts to find one containing the IP address that was blocked. In your case that was 23.65.34.215. Find that alert in the DST column. If I recall correctly, you can click the DST column header to sort by the data. On the row for that alert it will show you the rule GID (Generator ID) and SID (Signature ID). The GID is usually "1" for most text rules. The SID, as I said earlier, is unique to a specific rule. In the right hand column you can find a summary of the rule's message. From that you can usually guess which category the rule is in, but the SID will uniquely identify the rule. P.S. -- the above assumes your network traffic is not so high as to cause the alerts log to rollover. In that case, that alert may have rolled into an archived log and no longer be visible using the GUI tools.
• M

  Alias Host Name for Firewall Rule
  • mikela  

  7
  0
  Votes
  7
  Posts
  21
  Views

  M

  Looks like that alias was corrupt for some reason. I re-created it and made sure it looked proper in the tables and now i'm good to go. Thanks so much for all your help.
• L

  This topic is deleted!
  • lunadean  

  1
  0
  Votes
  1
  Posts
  8
  Views

  No one has replied

• H

  unable to update any feeds in PFBlockerNG
  • hwextreme  

  3
  0
  Votes
  3
  Posts
  48
  Views

  H

  ok, this is now fixed in case anyone else has this issue this is where I started to realise what was wrong.. [2.4.4-RELEASE][admin@pfSense2.localdomain]/root: pkg update -f Updating pfSense-core repository catalogue... pkg: Repository pfSense-core load error: access repo file(/root/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory pkg: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/meta.txz: No route to host repository pfSense-core has no meta file, using default settings pkg: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/packagesite.txz: No route to host Unable to update repository pfSense-core Updating pfSense repository catalogue... pkg: Repository pfSense load error: access repo file(/root/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory pkg: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4/meta.txz: No route to host repository pfSense has no meta file, using default settings pkg: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4/packagesite.txz: No route to host Unable to update repository pfSense Error updating repositories! checked route out f the firewall - not looking good [2.4.4-RELEASE][admin@pfSense2.localdomain]/root: host -t srv _https._tcp.pkg.pfsense.org _https._tcp.pkg.pfsense.org has SRV record 10 10 443 files01.netgate.com. _https._tcp.pkg.pfsense.org has SRV record 10 10 443 files00.netgate.com. [2.4.4-RELEASE][admin@pfSense2.localdomain]/root: route -n get default route: route has not been found checked the default gateway which was set to the WAN_PPPoE gateway, changed this to the VPN gateway and I the firewall can now route traffic and can see the lists and packages
• U

  rule to pass alias list not working
  • unchew  

  6
  0
  Votes
  6
  Posts
  33
  Views

  U

  @Derelict I know I just didn't want to affect a client that we have constant vpn connections to 5 sites. I know a update shouldn't affect that but seems like any time I make a change something happens which has given me a type of superstition lol. They will be off service as of July 1st that was my plan to update Pfsense then. I am a huge PFsense fan boy and have been super impressed with it though thanks for taking the time to respond to me as well really appreciate it and answered my suspicions.
• H

  Updated from 244pl1 tp 244pl3 now super slow FTP
  • HansSolo  

  15
  0
  Votes
  15
  Posts
  188
  Views

  K

  @JKnott said in Updated from 244pl1 tp 244pl3 now super slow FTP: @Kartoff said in Updated from 244pl1 tp 244pl3 now super slow FTP: Most of the times I use it within my LAN, so only me and couple of my friends who I gave connectivity can get into it... Anyone with Wireshark and access to your connection will be able to read your ID and password. Use SFTP. Usually I don't put login credentials... So nobody can see username and password, they are simply aren't there :) When it is shared on the FTP it meant to be seen ;) If I do not want anybody to have access to particular data I just don't put it in the directory where FTP server has access !
• J

  Firewall States all showing same value
  • JohnSmith127  

  1
  0
  Votes
  1
  Posts
  17
  Views

  No one has replied

• C

  Suricata block
  • calitzin  

  3
  0
  Votes
  3
  Posts
  50
  Views

  

  Yes, Suricata can drop packets within a session using its Inline IPS Mode. However, this mode uses the netmap OS driver and that requires your network interface card (NIC) be one of the supported driver families. Inline IPS Mode does not block a host IP address in the same way the Legacy Blocking mode does. Instead, it uses a netmap pipe between the NIC driver and the kernel OS stack and selectively drops packets that match Suricata rules. There is a new Snort package available for pfSense-2.5-DEVEL that also implements the same Inline IPS Mode of operation (and with the same netmap driver limitations). The new Snort package allows you to leverage OpenAppID to detect Layer 7 applications and drop those packets. Details on both packages can be found in the IDS/IPS sub-forum here: https://forum.netgate.com/category/53/ids-ips.
• S

  allow usage of :broadcast in UI
  • skullnobrains  

  5
  0
  Votes
  5
  Posts
  39
  Views

  S

  i stand corrected regarding the behavior of pfsense which actually does not forward packets with the broadcast address as a destination. ( axcept afaik in some weird cases with policy routing. pf does ). but it does forward some crafted packets using a different network's broadcast as the source or destination. ( which unfortunately would not be handled by :broadcast since pfsense has no way to determine the address is indeed a broadcast so no-go anyway ). i'm not seeing anything. i just want to prevent such attacks while keeping my ruleset as simple as possible. thanks. there is indeed quite a range of attacks using broadcast addresses for the source of packets and 0.0.0.0 as well. regarding multicast, i have those as well. a way to match them as a whole would be very convenient to prevent them from being logged. but that can be performed with a small number of rules. since what i am trying to achieve here is indeed the default behavior, i'm sorry for using up your precious time. thanks again.
• S

  TAP tunnel routing failing
  • SCG  

  2
  0
  Votes
  2
  Posts
  28
  Views

  

  Your Config is wrong, check https://docs.netgate.com/pfsense/en/latest/book/openvpn/bridged-openvpn-connections.html and follow the steps. -Rico
• A

  NAT/Firewall , restricting source IP ranges
  • automate  

  7
  0
  Votes
  7
  Posts
  57
  Views

  A

  Thanks. Ill keep that in mind for next time. It would be nice to have multiple alias inside the rule, rather than nested alias In any case, ill leave it how it is - as its easy to read for troubleshooting :) Thank you
• C

  Snort blocking by behavior
  • calitzin  

  2
  0
  Votes
  2
  Posts
  45
  Views

  N

  When 2.5 is out of development. https://forum.netgate.com/topic/143624/snort-package-potential-new-feature-teaser/11 https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions
• T

  Unable to RDP (PFSense)
  • Thato P  

  18
  0
  Votes
  18
  Posts
  142
  Views

  

  @Abdrouf4995 said in Unable to RDP (PFSense): this is because in most cases the don't have any knowledge about networking. That's never stopped a manager from giving his opinions before I have personally argued several times with someone who never learns that intra-LAN traffic doesn't hit the firewall. He doesn't know what a gateway is for, and yet he argues with me as if he had a clue. He is the poster boy for Dunning-Kruger Effect: "Incompetent people, the researchers found, are not only poor performers, they are also unable to accurately assess and recognize the quality of their own work. These low performers were also unable to recognize the skill and competence levels of other people, which is part of the reason why they consistently view themselves as better, more capable, and more knowledgeable than others."
• F

  Rule details not showing in Firewall Log
  • fsr  

  8
  0
  Votes
  8
  Posts
  93
  Views

  F

  In case anyone has the same issue, i circunvented it by setting [Manage Firewall Log] -> [Where to show rule descriptions] to "Display as column". There, the rule descriptions do show correctly, as can be seen in the following screen capture: The column with the "person icon" is the rule description column. I clicked in the green check mark to confirm that the rule didn't show the description in the popup. regards
• P

  Filtering to allow only selected devices
  • pateretou  

  2
  0
  Votes
  2
  Posts
  38
  Views

  

  You understand that mac address are only at L2 right.. There is no way you could filter on a devices mac address from the internet.. The only mac address pfsense would see from the internet is the routers interface in front of it, ie the isp device. The way do what you ask is vpn.. I have never experience any heavy battery load from running vpn...
• T

  Traffic is blocked despite adding an exception
  • tomaszf  

  4
  0
  Votes
  4
  Posts
  189
  Views

  

  @tomaszf said in Traffic is blocked despite adding an exception: Floating rules is solution :) No prob not!! Did you read the article linked article.. That screams asymmetrical traffic... Looks like 192.168.226.2 started a conversation to 10.10.2.2 (http) and 10.10.2.2 answered (syn,ack) via sending to pfsense, but pfsense never saw the syn from 192.168 to open the state.. The correct fix is to fix your asymmetrical issue, not allow non stateful traffic through. If you draw up your network we can help you figure out why asymmetrical
• J

  At times WiFi calling and sending SMS doesn't work?
  • JohnnyBeGood  

  49
  0
  Votes
  49
  Posts
  354
  Views

  J

  @johnpoz said in At times WiFi calling and sending SMS doesn't work?: so you can see answers there but not when doesnt work... So now sniff on the WAN it doesn't work... Do you see answers? Do you see it sending to that 141.207.229.233 IP? Below is capture of WAN port when it does not work. I let it sit for some time and on the phone it just shows calling but nothing is happening. packetcapture (7).cap Here's the capture of about 5+ minutes later when it works. packetcapture (8).cap To me both captures look similar?
• B

  Opt no internet access
  • bihzs  

  10
  0
  Votes
  10
  Posts
  79
  Views

  B

  Hello, Thanks for your help, I have removed them == RFC 1918 == after uploaded this image. Overall I had found solution on my issue. Under my interfaces -> Opt1 configuration. I has changed under Static IPv4 Configuration ip xx.xxx.x.x / 32 to 24. Then it works perfect.
• O

  Cannot seem to add a single source NAT rule
  • orangehand  

  6
  0
  Votes
  6
  Posts
  84
  Views

  O

  Sorted thanks; must just have been an odd glitch
• A

  too many blocked igmp traffic log entries
  • arian_0098  

  5
  0
  Votes
  5
  Posts
  86
  Views

  A

  @NogBadTheBad Big Thanks ... In past, when I was creating igb0 interface, internet was also disconnecting ... but now, I don't have any idea how it became correct.
• 

  Problem routing back traffic not coming through the default gateway
  • skilledinept  

  2
  0
  Votes
  2
  Posts
  53
  Views

  

  I just tried another method, the "layer 2 approach" as I'm naming the artboards in my I-didn't-have-the-patience-for-Visio app: I figured: if I cut the middle man it should work without issues. It didn't turn out as planned: The capture above is taken from the internal (tunnel) interface of the remote firewall. It's still blocked. Now I'm really confused as to what's going on. The only thing I can think of is adding it as a second gateway in the DHCP server but I'm not holding my breath...and won't work for devices not using DHCP. :( The remote firewall's public IP address is in a subnet (i.e; a single address of a /23) contrary to the local which is a /32 PPPoE address, I'm thinking about some sort of static routes hack to that but then how would it be reached to bring up the tunnel in the first place. I need to finish my TCP/IP-something-something-drawings book ASAP. At this rate I'm going to end up becoming a graphic designer with a broken network.
• 

  Reply-to exceptions question
  • skilledinept  

  3
  0
  Votes
  3
  Posts
  46
  Views

  

  @Derelict Thanks! I will set a lab to try that out, I had no idea about that location. I don't have such a rule right now, I was just curious. I did come across some routing problems in the last few days, that's what it took me so long to come back. Thanks!
• L

  Problem with rules (logging)
  • lesnikov  

  2
  0
  Votes
  2
  Posts
  59
  Views

  F

  I don't fully understand what you wrote, but if you want to get rid of the logs, just edit the rule, and uncheck the option to generate logs.
• A

  Block All P2P and Torrent on VMWare ESXi 6.7 ????
  • AHMN48  

  11
  0
  Votes
  11
  Posts
  134
  Views

  A

  Hi Everyone again, I installed successfully pfSense on VMWare, now help me to block all torrents port and other P2P for all my VMs, thanks a lot
• P

  https en http toegang dns
  • pfsense2017  

  25
  0
  Votes
  25
  Posts
  92
  Views

  

  @pfsense2017 said in https en http toegang dns: the other 3 dns servers are not functional Why would you need to use them ? What about removing them ? Btw : pfSense, by default, resolves just fine. If you didn't change anything, it would work.
• T

  multi lan and alieses
  • the_2PC  

  1
  0
  Votes
  1
  Posts
  31
  Views

  No one has replied

• J

  How to instantly disconnect states when time limit is reached?
  • jeremym  

  13
  0
  Votes
  13
  Posts
  321
  Views

  

  There was some work done with matching NAT states. Best thing to do is upgrade to 2.4.4-p3 and see if it fixes your specific problem.
• N

  Wireless Webcam Access to Wired NAS
  • newUser2pfSense  

  14
  0
  Votes
  14
  Posts
  1787
  Views

  R

  the web camera can only be used from a single device regardless of the ip. I do not understand very well the question
• B

  XG-7100 rule failing to match traffic on LAN ingress
  • bmcbeen  

  2
  0
  Votes
  2
  Posts
  27
  Views

  

  48,,,1558475967,lagg0.4091,match,block,in,4,0x0,,128,17847,0,DF,6,tcp,164,10.8.2.120,172.28.0.10,60354,445,124,PA,4089409933:4089410057,342856039,254,, 1558475967 is the Block all-Lan rule in the above screen shot. TCP:PA Your pass rule will pass TCP:S(YN) and associated in-state traffic. Your block rule will block out-of-state, asymmetric, etc traffic. https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html#troubleshooting-blocked-log-entries-for-legitimate-connection-packets
• A

  Seems like traffic not going through firewall
  • astph  

  9
  0
  Votes
  9
  Posts
  105
  Views

  A

  I'm currently trying out pfblockerng now, just want ask for assistance, where or how can I block a certain website in pfblockerng? Example: Facebook or lets say social media sites in general? Thanks! ast
• D

  Understanding Firewall Configuration
  firewall rules interfaces • • derian00  

  1
  0
  Votes
  1
  Posts
  75
  Views

  No one has replied