  • IGMP for IPTV Blocked even though allowed?

    0 Votes, 2 Posts, 293 Views
    Solved! I had missed the "allow IP" function for IPv4 traffic as well as the standalone IGMP rule. As soon as I enabled that it worked straight away!
  • Communication between LAN and VLANs, they don't talk each other

    0 Votes, 13 Posts, 932 Views
    johnpoz:
    @mvhcr it's not a bad little switch for price and size.. But after playing with it a couple of years back I think I couldn't find a use in my network. So just threw it on the shelf and figured hey never know when a PoE-powered capable switch with VLAN support might come in handy ;) Then a while back I noticed in my sg300-10 logs an interface bouncing on a regular basis, it was only for a couple of seconds.. And I wasn't really noticing any issues with viewing my camera feeds directly, etc. But then it dawned on me - hey that NVR is prob doing something trying to get PoE working because it really expects a PoE camera to be on the port.. So I put the little mini between with it being powered by the NVR and all the resets on the interface went away on my sg300 and now sending 1000s of pings never lost one, before I was losing a couple of pings every minute or 2, etc. But yeah unifi has changed some things over the last couple of years on how you do a "trunk" port.. Not really a fan of how they do switching.. Which was another reason I really didn't feel a need to incorporate that flex mini into my network. And you can't really do just specific VLANs - it's all or nothing. I believe on some of their higher end switches you can customize what VLANs are allowed over the trunk - see that custom in my above pic - which is greyed out on the mini. I might try and leave the mini in my controller - but have to figure out how to get it to get an IP from the VLAN my controller is on vs the NVR DHCP server.. Curious if I set it to static if that will survive a power cycle - then I could remove the USB power and just leave it PoE powered ;)
  • Fields for IPv6 logging entries

    0 Votes, 5 Posts, 597 Views
    @securvark said in Fields for IPv6 logging entries:
    IPv6 ICMP regular expression: ^filterlog:\s+.*,(in|out),6,.*,ICMPv6,.*$
    RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,Protocol,ProtocolID,Length,SourceIP,DestIP,UnknownFld

    Sorry for replying to an old thread, but I found this useful just now when setting up my Graylog extractors. I did spot an error and am pointing it out in case someone else comes across this post in the future. IPv6 ICMP should be:
    RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,Class,FlowLabel,HopLimit,Protocol,ProtocolID,Length,SourceIP,DestIP,UnknownFld
    Here is an example log entry from a ping6 through the firewall (with the IPv6 addresses obfuscated for my privacy):
    197,,,1657748622,igb1,match,pass,in,6,0x00,0x50900,55,ICMPv6,58,64,ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,eeee:eeee:eeee:eeee:eeee:eeee:eeee:eeee,
  • network alias blocks more than defined

    0 Votes, 16 Posts, 1k Views
    @johnpoz super! You helped me a lot. I will have a look at pfBlocker and check the alias again. Thanks for the help! Stefan
  • Why PfSense blocks sites on computers put Not on cell phones?

    0 Votes, 4 Posts, 374 Views
    Gertjan:
    @flat4 said in Why PfSense blocks sites on computers put Not on cell phones?: turn on airplane mode
    Which turns off all the radios: Bluetooth, Wifi, Cell, NFC etc etc. Wouldn't that block everything?
    @cobca said in Why PfSense blocks sites on computers put Not on cell phones?: blocks sites on computers put Not on cell phones?
    Easy to check. Select the SSID you connected to. You'll find your IP, the gateway (pfSense) and ..... (roll the drums): the DNS used. If it's not pfSense, then it isn't using pfSense, so pfBlocker never 'sees' these requests. And be aware: programs, like browsers on computers and cell phones, can use the system's DNS (the one you just saw) or use their OWN DNS settings. So: check these too ^^
  • Accessing LAN from a specific IP from WAN

    0 Votes, 10 Posts, 795 Views
    @maltepk You didn't even add a rule to allow this? pfSense is a firewall!
  • Possible bug on 23.05 - Bulk Import of Aliases causes full brick of pfSense

    0 Votes, 10 Posts, 2k Views
    @bars0um It's a bad one yeah, but there was a patch via System Patches IIRC, and a few releases since then.
  • NTP: a Windows PC can't get time from pfSense. Other devices are okay.

    0 Votes, 20 Posts, 2k Views
    johnpoz:
    @youngy said in NTP: a Windows PC can't get time from pfSense. Other devices are okay.: Lesson learnt.
    I would prob actually validate time sync is going to where you want, either directly pointing to pfSense, which is always prob the best idea vs redirect, and working, or via your redirect. I had some stupid IoT devices (wifi light bulbs) that were pointing to a pool address, not even in my country.. had some using uk.pool.ntp.org, which makes zero sense because they were bought in the States.. Someone messed up and didn't alter the code for the regions they were going to be sold in, etc.. So I just set a host override to point uk.pool.ntp.org to my NTP server. A sniff (packet capture) for NTP will give great info on who clients are asking, and if being redirected, etc. You should see the client query and then the response.
  • SCTP Session Timeouts

    0 Votes, 12 Posts, 1k Views
    @JustinSims Here is the bug report. https://redmine.pfsense.org/issues/15924
  • Cannot Open Ports

    0 Votes, 22 Posts, 2k Views
    Gertjan:
    @kilasin said in Cannot Open Ports: i live in the woods pretty much so no other choice with Starlink
    They got you covered .... and use the same approach as many ISPs did in the past. You want a WAN IP that you can reach from the Internet, so you can NAT addresses and ports. As IPv4 is a very expensive resource these days, your wallet will be the solution. Look here: starlink static WAN IP ? A little bit lower on the page I saw a screenshot of the plan options. So ... going "Business" would be a solution....
  • Router 2 to PfSense router - WAN or LAN

    0 Votes, 1 Posts, 129 Views
    No one has replied
  • Opening Ports

    0 Votes, 1 Posts, 199 Views
    No one has replied
  • Unknown connection

    0 Votes, 18 Posts, 1k Views
    @Gertjan said in Unknown connection: You use a pfSense. You're good. No traffic (that you don't want to) can come into WAN, whatever the source is. So, RFC1918, or something else, you don't care.
    Yea, I'm in love with pfSense, are you?
  • Firewall Rules Not Being Enforced

    0 Votes, 34 Posts, 4k Views
    LPD7:
    @SteveITS @kiokoman Just wanted to thank you for all of your help. Everything is working as planned and I have a better understanding of how this works and how to troubleshoot. I am sure we will cross paths again and look forward to future insights.
  • Firewall rules for double NAT

    0 Votes, 1 Posts, 199 Views
    No one has replied
  • Rule Block traffic from port 0

    0 Votes, 5 Posts, 869 Views
    @johnpoz Ok, thanks.
  • Deny outgoing traffic ipv6 for one device/phone

    Moved
    0 Votes, 7 Posts, 834 Views
    JKnott:
    @johnpoz said in Deny outgoing traffic ipv6 for one device/phone: then not using IPv6 is a very simple solution..
    Not using IPv6 is a broken "solution". IPv4 has been inadequate since the day it became necessary to use NAT to get around the address shortage. The world should get off its butt and move to IPv6, instead of the hack on hack that IPv4 requires. As for 1 application that requires IPv6, take a look at your cell phone. IPv6 is mandatory for 4G & 5G cell networks, as they use VoIP, and using IPv4 and all the horseshit it requires would create an unworkable mess. Comcast also moved to IPv6 years ago, because their network was getting too large to manage with IPv4. I would question the competence of any network professional that thinks IPv4 is good enough.
  • Sanity check for basic firewall rules

    0 Votes, 7 Posts, 873 Views
    @SteveITS said in Sanity check for basic firewall rules:
    @gld said in Sanity check for basic firewall rules: rules for the OPTX interface (which are not associated with the firewall)
    Then what is it? I'm a bit confused. OPT1/2/3/etc are the default names when adding more interfaces than WAN and LAN. Which some models call PORT1WAN for example. The documentation just assumes you've added OPT1 and need to configure it. You can name it anything, like DMZ or MYLAB. "OPT1 subnets" would be any subnet assigned to the OPT1 interface.

    I was using, as an example, the example in the documentation you referenced. The table in the documentation has the title, "Example firewall rules for isolated LAN type segment". Yes, I understand everything you say here.

    If you don't have a pass rule for IPv6 then that traffic is not allowed. Each interface has a default block rule.

    My understanding is that to allow a subnet to get out on the Internet with an IPv6 address there must be an IPv6 pass rule.

    If the IPv6 addresses are automatically assigned then no, you don't know the IPv6 subnets, so using the aliases is probably better than creating your own aliases and having the IPv6 subnets change on you later. "PrivateNets" can be all RFC1918 subnets because those are known. IPv6 is much easier if you let it be automatic. Add it to WAN, set a prefix delegation request large enough (/57, /60, depends on what your ISP allows) and set the internal interface to Track Interface. Then pfSense will get an IPv6 for WAN, and assign a unique block for the internal interface.

    Yes. I was able to get this to work. I eventually got multiple subnets assigned IPv6 addresses. For them to get out to the Internet I had to add an IPv6 pass rule. After that, the firewall rules similar to the documentation example you cited and I copied earlier failed to isolate traffic between the subnets I was trying to keep isolated. I very well might have some significant misunderstandings about IPv6. I will probably take another run at that sometime in the future. For now I'm good.
  • How to block traffic based on URL pattern?

    0 Votes, 3 Posts, 396 Views
    @bmeeks Thank you so much for such a detailed explanation. It makes sense why all my trials went in vain… I will not overload the hardware with additional software that may or may not work. All of our web-facing servers are behind load balancers, and it makes sense to use the load balancers to kill such traffic… Appreciate your help so much. Happy Thanksgiving to you, family and all pfSense users
  • notice/kernel:Limiting ICMPv6 destination unreachable output from

    0 Votes, 1 Posts, 239 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.