• 0 Votes
    9 Posts
    63 Views

    @johnpoz
    Who said I am applying the rule on lan?
    I'm aware interface rules are ingress only, sure.

    Here's a screenshot from the Netgate recommendation illustrating the floating rule on WAN:
    (screenshot: 1000119912.png)

    Now, with that rule, as the doc says, you need an allow rule before it. The thing is that the allow rule must apply to all interfaces the filtered packet travels through, and not only WAN.
    I suppose it is strict security, in that the stateful inspection needs to track the packet through its whole lifespan.

  • 0 Votes
    1 Posts
    16 Views
    No one has replied
  • IGMP ...need understanding...?

    0 Votes
    3 Posts
    47 Views

    @njaimo FWIW this was a common point of confusion when they added it to Plus a while back.

    https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#packets-with-ip-options

    As I understood it, the change was adding the log entry for the block. For our clients we added a rule at the bottom of the ruleset to block IGMP, set to not log, to avoid the noise.

    Enabling IP Options is needed if the traffic should be passed.

  • Redirect DNS queries to PiHole in Docker

    0 Votes
    2 Posts
    38 Views
    AndyRH

    This is how I force all rogue DNS to PiHole.

    https://forum.netgate.com/topic/156453/pfsense-dns-redirect-to-local-dns-server?_=1671847956280
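    As an added illustration (not from AndyRH's post, the linked thread, or pfSense's own generated rules), here is the redirect in pf syntax, the same idea the linked post implements through the pfSense port-forward GUI. The interface name, LAN subnet and the Pi-hole address are assumed values:

```pf
# Added example: force all LAN DNS to a Pi-hole, in pf syntax.
# Assumed values; pfSense writes the real rules from the GUI.
lan_if      = "vtnet1"
lan_net     = "192.168.1.0/24"
pihole_host = "192.168.1.53"   # assumed: Docker host publishing Pi-hole's port 53

# 1. Exempt Pi-hole's own upstream queries first. Without this the redirect
#    below would loop the container's forwarded lookups back to itself and
#    break resolution for every client.
no rdr on $lan_if proto { tcp, udp } from $pihole_host to any port 53

# 2. Rewrite every other LAN client's DNS query, whatever server it chose
#    (8.8.8.8, a hardcoded IoT resolver, ...), to the Pi-hole.
rdr on $lan_if proto { tcp, udp } from $lan_net to ! $pihole_host port 53 -> $pihole_host port 53

# 3. Pi-hole sits on the same subnet as the clients, so its reply would go
#    straight back from 192.168.1.53 and the client (which asked 8.8.8.8)
#    would discard it. Source-NAT the redirected flows to the firewall's LAN
#    address so the reply comes back through pf and is un-translated.
nat on $lan_if proto { tcp, udp } from $lan_net to $pihole_host port 53 -> ($lan_if)

# 4. Redirected packets still have to pass the filter (pf filters on the
#    translated destination).
pass in quick on $lan_if proto { tcp, udp } from $lan_net to $pihole_host port 53
```

    In the pfSense GUI, step 1 is a port forward with "Disable redirection for traffic matching this rule" checked, step 3 is a manual outbound NAT rule on the LAN interface (or NAT reflection), and step 4 is the associated filter rule the port forward creates. Skipping step 1 or step 3 is the usual reason this setup "works for some clients and not others".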

  • Blocking URLs in pfSense firewall for a specific range of IPs

    Moved
    0 Votes
    13 Posts
    839 Views
    stephenw10

    I'm not sure what it would be for that off-hand. But you should be able to enter config for anything that the resolver (Unbound) can do so:
    https://man.freebsd.org/cgi/man.cgi?query=unbound.conf

    A lot!

  • 0 Votes
    5 Posts
    68 Views
    JKnott

    @JonathanLee said in To Default Reject Or Block That is the Question.:

    I wanted to share this with you in case you ever asked the question what the difference is between block or reject...

    A block just drops the packet, without any other response. A reject sends an ICMP message back advising why. You want to use block on the WAN, so that the attacker has no confirmation there's something there. Use reject on the LAN, so that an issue can be identified.
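    As an added illustration (not from JKnott's post or pfSense's generated ruleset), here is what the two actions come out to in pf syntax; interface and network names are assumed:

```pf
# Added example: pfSense "Block" versus "Reject" as pf rules.
# Interface and network values are assumed.
wan_if  = "vtnet0"
lan_if  = "vtnet1"
lan_net = "192.168.1.0/24"

# Global default for rules that say "block" without a modifier.
set block-policy drop

# Block = silently discard. A scanner's SYN or UDP probe simply times out, so
# it cannot distinguish a filtered port from an absent host.
block drop in log on $wan_if all

# Reject = discard and answer. TCP gets a RST; UDP and other protocols get an
# ICMP unreachable, so an internal client fails immediately with a clear error
# instead of hanging until its own timeout.
block return in log on $lan_if all
#   Explicit variants, if one specific response is wanted:
#   block return-rst in on $lan_if proto tcp all
#   block return-icmp(port-unr) in on $lan_if proto udp all

# pfSense puts "quick" on every rule, so the later pass wins for matching LAN
# traffic and the reject above only answers what nothing else has allowed.
pass in quick on $lan_if from $lan_net to any keep state
```

    The reason reject is fine on LAN and not on WAN is the same in both lines: the response is what makes the failure fast and diagnosable for your own clients, and it is also what confirms to an outsider that a firewall is listening.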

  • Alias error

    0 Votes
    23 Posts
    1k Views

    I have two more systems where pfsense is used. On all three systems everything worked without problems. After updating to the latest version, two systems work without errors and only one has a problem.
    I compared the list and sizes of files on the pfsense website.
    I found no differences. Perhaps there are other places where I could not look and check. Now I am trying to figure out the problem. It would be interesting to hear from the developer where to look. After all, it turns out that the IP address verification and conversion template does not work. I think that this is the same function that works when entering a new list and when displaying an existing one.
    Tell me in which PHP file is this described?

  • pfSense keeps port 21 open??

    0 Votes
    20 Posts
    4k Views
    JonathanLee

    (screenshot: Screenshot 2025-07-07 at 18.35.31.png)

    You know what it was: I had it set to reject and not block, HAHA. I can't believe I didn't see that before; that is a Homer Simpson moment.

    (screenshot: Screenshot 2025-07-07 at 18.38.12.png)

  • 0 Votes
    2 Posts
    37 Views

    This issue has since resolved itself though the root cause is unknown and there have been numerous changes made to the firewall between when it was last observed to not work vs. now when it is working.

  • 0 Votes
    21 Posts
    476 Views
    johnpoz

    @rasputinthegreatest normally hosting stuff on big CDN networks is not cheap - and would assume they do some vetting of what is being hosted/served. Not saying stuff can not be compromised - but seems unlikely some malware people would choose to host their crap there, to be honest. While that CDN is not a global player to the likes of AWS/Azure or Cloudflare, etc., they are not a ma and pop VPS hoster ;)

    Glad you got it figured out - and this thread might be very helpful for the next guy.

  • Cisco VTP and PFSense ACL

    0 Votes
    1 Posts
    40 Views
    No one has replied
  • Inter VLAN Access

    0 Votes
    6 Posts
    217 Views

    @Gertjan

    I figured it out. It was my old IPSEC tunnel. It was capturing the traffic, so the rules never really impacted the traffic. Once I removed the IPSEC tunnel, the rules started working, as mentioned.

  • Direction in firewall states: CLOSED:SYN_SENT

    0 Votes
    1 Posts
    71 Views
    No one has replied
  • 0 Votes
    7 Posts
    231 Views

    @viragomann Yes, actually, I made allow any-to-any rules for all interfaces, including the bridge interfaces, for testing. I wanted to see traffic going in the right direction and compare it with what I expected.
    However, after I provided an IP address to the bridge, I'm getting less information from the firewall.

    From the firewall state, (PC-B to PC-A)
    [Any 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH]
    BRG2 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH
    BRG1 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH

    However, I found two solutions.

    Creating rules in the floating tab with quick enabled.
    Making BRG1 and BRG2 one interface group and creating the rule.

    I have no idea why those can be the solutions, but it seems like there's something related to rule priority.

    Thank you for taking care of my issue.

  • pfsense seems to be blocking out access to a banking site

    0 Votes
    8 Posts
    196 Views

    @johnpoz

    Many thanks for the help and advice; comments noted.

    Thanks again.

    CC

  • Configuration while on running pfSense

    0 Votes
    2 Posts
    100 Views

    @chris-doldolia Hello! You can safely make configuration changes on a running pfSense firewall, it's designed for that. Most settings apply immediately without needing a reboot, though some services (like IPsec, OpenVPN, or interface changes) may briefly interrupt traffic when restarted. Just make sure you have console or alternate access in case something goes wrong.

  • netcts.cdn-apple.com

    0 Votes
    4 Posts
    173 Views
    JonathanLee

    @johnpoz I am glad you also noticed it. I see it a lot on my proxy; I decided to block it and see what breaks, but nothing has changed so far. I also have the DNS manually set on the iMac, so it should not attempt to use DoH.

  • Broken website..?

    0 Votes
    4 Posts
    158 Views

    @Gertjan @JonathanLee ,

    I appreciate your comments and your time for this.

    I found that our ISP modem keeps sending a login page when it thinks the connection state has not been established properly. (From the development tools, I was able to see '302 Found - too many redirects'.)

    The cause of this was NAT: when my IP was NATed to the interface IP, the source port kept changing as well.

    I created a NAT rule with static port enabled, and it resolved my issue.

    Thank you very much.
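    As an added illustration (not from the poster or pfSense's generated rules), here is the difference between the default outbound NAT and a static-port rule in pf syntax. Interface, subnet and the affected client address are assumed:

```pf
# Added example: outbound NAT with and without source-port preservation.
# Values are assumed; pfSense writes the real rules from Firewall > NAT > Outbound.
wan_if         = "vtnet0"
lan_net        = "192.168.1.0/24"
portal_client  = "192.168.1.20"   # assumed: the host the ISP portal kept redirecting

# pf uses the FIRST matching translation rule, so the specific rule goes first.
# static-port keeps the client's original source port through the translation,
# which is what a device (here, an ISP modem's captive portal) needs when it
# ties a session to source IP *and* source port.
nat on $wan_if from $portal_client to any -> ($wan_if) static-port

# Default pfSense behaviour for everyone else: the source port is rewritten to
# a random high port per connection.
nat on $wan_if from $lan_net to any -> ($wan_if)
```

    Keep the static-port rule scoped to the host that needs it. Preserving source ports for an entire LAN behind one WAN address means two clients choosing the same source port collide, and pf then has to rewrite one of them anyway.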

  • multicast 224.0.0.22 incorrectly flagged by !RFC1918 alias

    0 Votes
    4 Posts
    160 Views
    keyser

    @CatSpecial202 The traffic is not being blocked because it is considered part of the RFC1918 space. Your rule is not a block rule, but rather a PASS rule (!RFC1918).
    The traffic is blocked by your rule though - but that's because the IGMP multicast packets that were intended to be passed by the rule have IP options set, which the default IP options filtering in the rule denies. Hence it blocks the traffic. Search for "IGMP filtering blocks traffic" on this forum to understand the problem and configure your rule accordingly.

    E.g. this thread: https://forum.netgate.com/topic/187896/how-to-stop-logging-blocked-lan-igmp
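    As an added illustration covering both this reply and the earlier one about silently blocking IGMP (the rules are not from either poster or from pfSense's generated ruleset), here are the two fixes in pf syntax, with assumed interface and subnet values:

```pf
# Added example: the two ways to stop "IP options" blocks on IGMP.
# Values are assumed; pfSense writes the real rules from the GUI.
lan_if  = "vtnet1"
lan_net = "192.168.1.0/24"

# Background: IGMPv3 membership reports are sent to 224.0.0.22 and carry the
# Router Alert IP option (IHL > 5). pf drops any packet with IP options even
# when a pass rule matches it, unless that rule says allow-opts. A pass rule
# such as "to !RFC1918" matches 224.0.0.22 (it is not RFC1918 space) and the
# packet is then dropped on the options check.

# Fix A: multicast is wanted. Pass IGMP to the multicast range WITH allow-opts
# (the "Allow IP options" checkbox under Advanced Options in pfSense).
pass in quick on $lan_if proto igmp from $lan_net to 224.0.0.0/4 allow-opts

# Fix B: multicast is not wanted, only the log noise is. Match IGMP with an
# explicit block rule that has no "log" keyword. It must sit ABOVE any pass
# rule that would otherwise match the same packets (pfSense rules are "quick",
# first match wins), or that pass rule will still catch and log them.
block in quick on $lan_if proto igmp from any to any
```

    Fix A is also the right one for a broad "pass to !RFC1918" rule: add allow-opts to that rule rather than to a rule that never matches the packets. Only one of the two fixes should be present for a given interface.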

  • Severe issues related to IGMP multicast traffic

    0 Votes
    1 Posts
    87 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.