• Problems with SIP over IPsec Tunnel

    0 Votes
    1 Posts
    389 Views
    No one has replied
  • ssh works but salt-ssh will be blocked with TCP:A

    0 Votes
    14 Posts
    1k Views
    johnpoz
    Just keep in mind that if a network connects 2 or more routers together.. You don't put hosts on that network or any traffic to and from that host will be asymmetrical.. Unless you specifically tell the host which router to use to get to which network.. Or you nat so that the host on the transit only ever sees IPs from its own network.
  • OpenVPN client not working in VLAN

    0 Votes
    2 Posts
    80 Views
    No one has replied
  • Firewall (pass) rule being ignored and traffic still being blocked

    0 Votes
    2 Posts
    250 Views
    kiokoman
    @SpicySpice said in Firewall (pass) rule being ignored and traffic still being blocked: TCP:FA https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html This is likely due to a TCP FIN packet arriving after firewall has removed the connection state. This happens because on occasion a packet will be lost, and the retransmits will be blocked because the firewall has already closed the connection..... if you have trouble connecting to that pc you could have asymmetric route and you need to investigate and resolve that problem.
  • Firewall rules, VLANs, or other...

    0 Votes
    2 Posts
    282 Views
    JKnott
    @Optimus-Prime The only way I can think of is to provide static address mapping so that all the IoT devices are in one part of the address block, so that they can be filtered by address.
  • Duplicated firewall rules

    0 Votes
    11 Posts
    3k Views
    kiokoman
    You can't. 2.3.2 has been EOL since October 31, 2018. You need to install 2.4.5-p1 if your system is 64-bit capable; otherwise it's time to upgrade your hardware. New vulnerabilities are discovered continually, so the longer an unsupported release is in use, the more likely it is to be affected.
  • Netflix issues with iOS devices

    0 Votes
    8 Posts
    714 Views
    T
    @johnpoz Thought it might be useful to provide an update on this.. I did some more investigation (mostly packet captures), and it seems that I am unable to connect to a handful of Netflix CDN servers that my iOS devices are pointed at when initiating a stream - the CDN servers in question are hosted by my ISP. It doesn't appear to be a routing problem as I am able to connect to some servers that are in the same subnet as others that I am unable to connect to (well, I assume that they are in the same subnet, I can connect to one ending .25 but not one ending on .21) so perhaps some rogue ACL or badly configured IDS /shrug (I am able to open a session to the .21 address from outside my ISP's network, so it's definitely there and responding, just not to me when I am on my ISP's network...) I've managed to find a handful of other users who are having almost identical issues at my ISP's support forums so will follow up there. The likelihood of getting hold of someone on the phone that can actually troubleshoot this at their end is pretty much zero, so I'll just keep hammering the forums over there in the hope that someone responds :) Thanks again for the responses.
  • bad name dhcpleases

    0 Votes
    2 Posts
    391 Views
    Gertjan
    Hi, What is the bad name? Are you using some char that is not valid for a host name of a device? Consider using plain 'standard' ASCII. See also https://forum.netgate.com/topic/85672/dhcpleases-bad-name-in-var-dhcpd-var-db-dhcpd-leases Btw: Isn't this a 'DHCP and DNS' question? Or do you have firewall issues?
  • Debian update site being blocked (raspberryPi)

    0 Votes
    2 Posts
    196 Views
    Rico
    Did you check pfBlocker Logfiles? -Rico
  • Blocking an IP Address or Website on pfsense

    0 Votes
    2 Posts
    199 Views
    DaddyGo
    @AbhishekJaguessar said in Blocking an IP Address or Website on pfsense: how do i block or restrict an IP address or website on pfsense Hi, Please describe in more detail what you would like, as your request is very general. Anyway, there are many solutions to your question, just we look for the best this is the target. BTW: I would say that pfSense is not a portal, it is a NGFW, anyway (of course it has a good GUI, - (= portal?) for easier handling) but the SSH is the god
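  • little confused about how pfsense handles broadcast packets, particularly with bridges. couple questions...

    0 Votes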
    9 Posts
    2k Views
    JKnott
    @justsomeguy said in little confused about how pfsense handles broadcast packets, particularly with bridges. couple questions...: ARP is a layer 2 broadcast. Getting back to my original point, ARP has nothing to do with IP. All it does is map an IP address to a MAC address, but can be used for other things too. Regardless, it's never let off the local LAN, as anywhere else it's meaningless. There are plenty of other layer 2 things that have nothing to do with IP. For example, if you have a managed switch, you will likely see spanning tree frames or equivalent.
  • The firewall appears to be blocking outgoing text messages from my phone ...

    0 Votes
    127 Posts
    40k Views
    gweempose
    I have now been using the new "Conservative" firewall settings for over two weeks, and I can say with confidence that it 100% fixed the problem with my Samsung Galaxy S8+. No more issue with texts. No more issue with wi-fi calling. Everything works exactly as it should.
  • Blocked Remote Proxy with kids Google Classroom

    0 Votes
    1 Posts
    214 Views
    No one has replied
  • Which Interface should the rule be on

    0 Votes
    7 Posts
    988 Views
    johnpoz
    @alan-t said in Which Interface should the rule be on: (preconceived ideas are hard to ditch !) Yeah - if what you're used to is host firewalls, then I can see where it might be a different way to look at it. Stop app X from doing that.. Which would be leaving the host. While you could stop lan from talking to opt via floating and doing an outbound rule on opt. It makes more sense to just drop it as it tries to enter the firewall.
  • Amazon Video

    0 Votes
    3 Posts
    394 Views
    N
    Thank you cburbs and sorry for posting so late. I have not tried removing the SNORT and now I am experiencing something even more interesting, the same situation when I try to stream AMAZON videos, now this time I just leave the TV on and after a few seconds, say about 50 seconds to a minute, it starts playing the videos so it looks like at first it blocked the packets but then, somehow it let it thru.
  • Source/Destination Interface and IP Range

    0 Votes
    6 Posts
    811 Views
    V
    @jmarston said in Source/Destination Interface and IP Range: This doesn't really work for me as I have multiple interfaces. So create an alias, add all concerned networks to it and use it as destination in the rule.
  • Block team viewer

    0 Votes
    2 Posts
    317 Views
    DaddyGo
    @soyer2020 said in Block team viewer: How to do for block the team viewer by Port number? or URL IP? Hi, Teamviewer uses this port by default: TCP / UDP 5938, if this port is not usable it switches to 443 (or last but not least http 80) - so manipulating ports is not really a viable option. (you cannot block on these ports 443/80 ) On IP basis, the situation is no easier and difficult to follow (known IP ranges): 178.77.120.0/25 159.8.209.208/28 92.51.156.64/26 perhaps the best method: blocking DNS queries for *.teamviewer.com (with pfBlockerNG)
  • Ports open But / Default deny rule IPv4 (1000000103) blocking

    0 Votes
    4 Posts
    832 Views
    V
    @Datastream101 When you're talking about CCTV cam, I presume you mean a web cam, which you can access via HTTP using a web browser, right? But you won't be able to tell the web browser or moreover the OS it is running on to use a specific source port. So if that isn't a special software which is accessing the cam, but a normal browser you will have to set the source port to "any" to get this rule applied. @Datastream101 said in Ports open But / Default deny rule IPv4 (1000000103) blocking: When I've been creating the rules I was greeted with "is not a valid redirect target port. It must be a port alias or integer between 1 and 65535." so it mentioned "This is usually identical to the "From port" above. The "From port" is not the source port. pfSense lets you specify a port range for the target by entering a from and to port. But if it is only a single port only enter it once at "From port" or enter the equal at both. Don't know what the IP 192.168.0.3 is in your network, but entering the equal at source and destination is useless.
  • IPv4 Rule added, Firewall still blocking

    0 Votes
    16 Posts
    1k Views
    B
    @johnpoz yessir, thanks for your help!
  • Dumb question, can I allow traffic from an IP range for VOIP?

    0 Votes
    8 Posts
    550 Views
    ?
    Well, at the risk of tempting the gods, the issue seems to have suddenly stopped and only lasted a day. All inbound calls have been working, no IP's from my provider have been blocked by PFsense. I do not have any rules running to allow it, it's on default deny. I agree that I would rather not meddle with my WAN firewall rules. I'll keep an eye on the issue and see what happens. It could have just been a fault or siproxd going haywire, I don't know.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.