• block traffic between interfaces [Solved]
    Moved · 0 Votes · 27 Posts · 4k Views
    johnpoz:
    Yeah, no problem, not meaning to call you out or anything... See that sort of posting of rules all the time... Or many like to use ASCII art ;) Hopefully some other users see this and, when they post their rules, post them so that it is very easy to instantly see what is going on. The other pet peeve is when they obfuscate the RFC 1918 space they are using ;) Dude, not sure what movie you watched or what tinfoil-hat blog you're reading... But showing that you're using 192.168.1.0/24 and that your PC's IP is 192.168.1.100 isn't going to let anyone hack you ;) hehehe. Specifically showing that PC 1 is 192.168.1.100, and what you're trying to talk to is 192.168.2.42, is helpful vs. (attached image: confusing.png)
• VPN for specific clients + kill switch
    0 Votes · 5 Posts · 1k Views
    J:
    Hello. When I build a tunnel in a tunnel with OpenVPN clients, for example:
      VPN1 (Remote IP 10.10.10.10), Remote Network(s): 11.11.11.11/32
      VPN2 (Remote IP 11.11.11.11), Remote Network(s): 12.12.12.12/32
      VPN3 (Remote IP 12.12.12.12)
    How do I set up a kill switch that first lets VPN1 through, then VPN2 and finally VPN3? Greetings, John
• OPENVPN client-to-client firewalling not working
    0 Votes · 8 Posts · 771 Views
    kiokoman:
    From what I can understand, the interface is assigned but not enabled. You should have the LAN and OPT1 interfaces available under the firewall rules tab. Check the "Enable" flag in the interface settings.
    "After assigning the OpenVPN interface, edit the OpenVPN server or client and click Save once there as well to reinitialize the VPN. This is necessary for the VPN to recover from the assignment process." <- The OpenVPN server will stop working until you restart it after enabling the interface; pay attention if you are doing it from a remote location.
    https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/assign.html#filtering-with-openvpn
• Firewall states bug?
    0 Votes · 10 Posts · 862 Views
    johnpoz:
    Don't think it's a pf 2.5 thing, since I am on 2.4.5p1. But yeah, lots of info missing here to even guess.
• Error when adding network range to Firewall Alias
    Tags: firewall alias network range
    0 Votes · 4 Posts · 851 Views
    bingo600:
    I just saw this: https://forum.netgate.com/post/939135 Seems like you can enter a range. /Bingo
• Pfblocker blocks 8.8.8.8
    0 Votes · 22 Posts · 2k Views
    johnpoz:
    You need to look in your actual aliases. Once you add a feed to your list, it's in your list, even if it was removed from the possible choices of feeds. While I am not a pfBlocker expert by any means, I would check, say, here, and validate that the 1000 feed is not being pulled (attached image: lists.png).
• Simplified Preconfig/GUI
    0 Votes · 2 Posts · 297 Views
    S:
    Change DHCP lease to static: https://docs.netgate.com/pfsense/en/latest/monitoring/status/dhcp-ipv4.html#add-static-mapping
    pfSense by itself can resolve IPs and you can block/allow by IP. It's more complex to do for URLs, but one can add a fake DNS hostname to override the domain and resolve it to nowhere/127.0.0.1 or similar. Perhaps a proxy like Squid would help.
    https://docs.netgate.com/pfsense/en/latest/packages/cache-proxy/index.html
    https://docs.netgate.com/pfsense/en/latest/packages/cache-proxy/squidguard.html
    If you can find lists of IPs to block by content then you can use pfBlocker https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html or just create an alias using the list URL and pfSense will attempt to download it. https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#url-aliases
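The three alias threads above (entering a range in a network alias, finding which pfBlockerNG feed swallows 8.8.8.8, and pulling a list by URL into an alias) all come down to the same check: expand every entry of every list you actually have loaded and see which one covers the address. The script below is an added example, not code from the forum, pfSense or pfBlockerNG. It expands single hosts, CIDR networks and dash-separated ranges (a range becomes the exact set of CIDR blocks that cover it) and reports the feed and entry that match. The feed names and their contents are constructed for the demo; in practice you would paste in the contents of the alias table or the downloaded feed file.

```python
"""Added example, not from the forum or from pfSense/pfBlockerNG: given
the text of one or more aliases/blocklist feeds, report which entry (if
any) covers an address such as 8.8.8.8.  Feed names and contents are
constructed for the demo."""
from __future__ import annotations

import ipaddress
from typing import Iterator


def expand_entry(entry: str) -> Iterator[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    """Yield the network(s) one alias/feed line covers. '#' starts a comment."""
    entry = entry.split("#", 1)[0].strip()
    if not entry:
        return
    # Neither IPv4 nor IPv6 literals contain '-', so a dash means a range.
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        # minimal set of CIDR blocks covering lo..hi inclusive
        yield from ipaddress.summarize_address_range(lo, hi)
    else:
        # strict=False accepts host bits set, e.g. "10.1.2.3/24"
        yield ipaddress.ip_network(entry, strict=False)


def find_matches(feeds: dict[str, str], target: str) -> list[tuple[str, str]]:
    """Return (feed name, entry) pairs whose expansion contains target."""
    ip = ipaddress.ip_address(target)
    hits: list[tuple[str, str]] = []
    for name, body in feeds.items():
        for line in body.splitlines():
            nets = [n for n in expand_entry(line) if n.version == ip.version]
            if any(ip in n for n in nets):
                hits.append((name, line.split("#", 1)[0].strip()))
    return hits


# Constructed feed contents: the "Top1000"-style feed is deliberately
# broad and swallows Google's resolver.
FEEDS = {
    "pfB_Malicious_v4": "203.0.113.0/24\n198.51.100.7\n",
    "pfB_Top1000_v4": "# constructed: overly broad entries\n8.8.8.0-8.8.8.255  # covers 8.8.8.8\n",
    "pfB_Custom_v4": "192.0.2.0/24\n",
}

if __name__ == "__main__":
    for addr in ("8.8.8.8", "1.1.1.1"):
        print(addr, "->", find_matches(FEEDS, addr) or "not in any feed")
```

A malformed line raises `ValueError` rather than being skipped; for a checker that is the behaviour you want, since a silently ignored entry is exactly how a stale feed keeps blocking something nobody can find.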
• Webserver not accessible via WAN, pfsense behind fritzbox
    0 Votes · 4 Posts · 546 Views
    V:
    @renpen That's a NAT rule. pfSense analyses the incoming packets. Each has a source IP and a destination IP in its header. In a NAT rule you instruct pfSense to forward a packet to a specific host behind it if the packet has a specific destination IP. Now, you address your access to your public WAN IP. The FB forwards it to the pfSense WAN IP (it rewrites the destination IP). So the destination IP pfSense sees is the WAN address.
• if...then filtering/blocking
    0 Votes · 10 Posts · 745 Views
    H:
    As I said, you do not allow multiple VLANs on an access port. If you want to prevent this clusterfuck, then just use 2 separate ports...
• Can't stop Web-Configurator on WAN
    0 Votes · 5 Posts · 421 Views
    Gertjan:
    @DavidB said in Can't stop Web-Configurator on WAN: "... which require port forwarding (80/443)"
    A faulty NAT rule might explain what you're seeing. Reset again, and do not change anything. Just make the WAN work and that's it. Check that the GUI isn't available from WAN, as it isn't by default. Now add your own settings, pause after each step and test. You'll hit the "shouldn't do that" point rather easily.
• Traffic time out on LAN, Test Port immediate fail on WAN
    0 Votes · 2 Posts · 128 Views
    E:
    UPDATE: I have corrected the problem by restarting the firewall. I do not consider this an acceptable solution to this problem if I encounter it again in the future. Anyone know why this would happen?
• Alias Firewall Rules to allow approved websites
    0 Votes · 7 Posts · 694 Views
    O:
    Hmm... that helped me work out some of the allowed sites. Gotta track down the others on the list, gotta see why those ones are not being allowed to pass.
• Can't Ping Between LAN and OPT1
    0 Votes · 3 Posts · 300 Views
    M:
    Thanks Derelict. It's working now. Like you said, I had to add rules to Windows Defender to allow pinging and other activity across the subnets.
• Torrents not working when using proxy
    0 Votes · 4 Posts · 435 Views
    S:
    Still must have been something cached. Now that I am able to replicate the issue, the only thing that works is setting up a port forward. I did a generic any/any, so I'll need to figure out what specifically needs to be done. I'm still not sure I understand why torrents would work while a whole-client VPN is in use with no proxy, versus no whole-client VPN with a SOCKS5 proxy.
• 0 Votes · 13 Posts · 1k Views
    Derelict:
    Show, exactly, every step you have taken, what the name is, what it resolves to on the firewall and the client you are testing with. There are no FQDNs in the pf configuration file. There is no reason for me to build it. There is another explanation for what you are seeing.
• Port forwarding to Web server on Server VLAN
    0 Votes · 5 Posts · 777 Views
    johnpoz:
    That would be the second check. First check your WAN interface to make sure the traffic even gets to pfSense; pfSense cannot forward what it doesn't see.
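Both port-forward threads above make the same point from two sides: pfSense only ever matches a port forward against the destination it actually sees on its WAN, and behind a FritzBox (or any upstream NAT) that destination is pfSense's own WAN address, not the public IP. The trace below is an added example, not code from the forum or from pfSense, that walks one inbound packet through the two NAT hops. All addresses are constructed documentation-range values, and the FritzBox is assumed to forward 443 to pfSense's WAN address.

```python
"""Added example, not from the forum or from pfSense: trace a packet for
the web server through two destination-NAT hops (upstream router, then
pfSense).  A pfSense port forward written against the public IP never
matches, because the upstream router already rewrote the destination.
Addresses are constructed."""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    """A destination-NAT rule: if dst/dport match, rewrite to target."""
    match_dst: str
    match_port: int
    target: str
    target_port: int

    def apply(self, pkt: Packet) -> Packet | None:
        if pkt.dst == self.match_dst and pkt.dport == self.match_port:
            return replace(pkt, dst=self.target, dport=self.target_port)
        return None


def trace(pkt: Packet, hops: list[tuple[str, list[PortForward]]]) -> list[str]:
    """Run the packet through each device's port forwards in order, logging each hop."""
    log: list[str] = []
    for device, rules in hops:
        for rule in rules:
            new = rule.apply(pkt)
            if new is not None:
                log.append(f"{device}: {pkt.dst}:{pkt.dport} -> {new.dst}:{new.dport}")
                pkt = new
                break
        else:
            # No port forward matched: the packet is not forwarded; on pfSense it
            # falls through to the WAN filter rules, which block by default.
            log.append(f"{device}: no port-forward matched {pkt.dst}:{pkt.dport}; WAN filter default block")
            return log
    log.append(f"delivered to {pkt.dst}:{pkt.dport}")
    return log


# Constructed addresses: public IP on the FritzBox, pfSense WAN on the
# FritzBox LAN, web server on the pfSense LAN.
PUBLIC_IP, PFSENSE_WAN, WEBSERVER = "203.0.113.5", "192.168.178.2", "192.168.1.10"
FB_RULES = [PortForward(PUBLIC_IP, 443, PFSENSE_WAN, 443)]
INBOUND = Packet("198.51.100.20", PUBLIC_IP, 443)


def good_config() -> list[str]:
    """pfSense rule matches its own WAN address, the destination it actually sees."""
    return trace(INBOUND, [("fritzbox", FB_RULES),
                           ("pfsense", [PortForward(PFSENSE_WAN, 443, WEBSERVER, 443)])])


def bad_config() -> list[str]:
    """pfSense rule written against the public IP: that destination never reaches it."""
    return trace(INBOUND, [("fritzbox", FB_RULES),
                           ("pfsense", [PortForward(PUBLIC_IP, 443, WEBSERVER, 443)])])


if __name__ == "__main__":
    for name, fn in (("good", good_config), ("bad", bad_config)):
        print(name, *fn(), sep="\n  ")
```

The first check johnpoz describes maps directly onto the `fritzbox` hop: if a capture on the pfSense WAN interface never shows the packet with `PFSENSE_WAN:443` as destination, nothing on pfSense can fix it; if it does, the second check is whether the port-forward's destination matches that address.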
• Filter Reload Errors
    0 Votes · 1 Post · 174 Views
    No one has replied
• Floating rule not behaving as expected
    0 Votes · 4 Posts · 444 Views
    J:
    Hello johnpoz, thanks for replying! Could you please explain the issue (or point me to relevant documentation) about "! rules" vs "VIP"? I wasn't aware of it! To be clear: do you think this is an expected consequence, or do you think this is an issue with how pfBlockerNG creates the rules? Thanks a lot!
• Is my current firewall config insecure?
    0 Votes · 4 Posts · 444 Views
    N:
    @hypernova said in Is my current firewall config insecure?: "automatically tracks states, such tha..."
    Yep... it's stateful, so it will allow reply traffic without a specific allow on the WAN side. You're safe now. ;)
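The reassurance in that reply rests on one mechanism: a pass rule creates a state, and the reply half of that flow is matched against the state table before any rule is consulted, so WAN needs no allow rule for it while unsolicited WAN traffic still hits the default block. The model below is an added example, not pf code or anything from the thread, and reduces that to a 5-tuple state table. The rule set (the stock "LAN net to any" pass rule and nothing on WAN), addresses and ports are constructed.

```python
"""Added example, not from the forum or from pf(4): a minimal model of
why a stateful firewall needs no WAN rule for reply traffic.  A matching
pass rule creates a state for the flow; later packets in either direction
that match an existing state are passed without re-evaluating the rules,
and anything else arriving on WAN falls to the default block.  Rule set,
addresses and ports are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    iface: str   # interface the packet arrives on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str    # interface the rule is attached to (inbound direction)
    action: str   # "pass" or "block"
    src_net: str  # CIDR, or "any"


class StatefulFirewall:
    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules
        # states keyed by the 5-tuple of the packet that created them
        self.states: set[tuple[str, str, int, str, int]] = set()

    @staticmethod
    def _key(p: Pkt) -> tuple[str, str, int, str, int]:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Pkt) -> tuple[str, str, int, str, int]:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Pkt) -> str:
        # 1. State table first: forward or reply direction of a known flow.
        if self._key(p) in self.states or self._reverse(p) in self.states:
            return "pass (state)"
        # 2. Rules on the arrival interface, first match wins.
        for r in self.rules:
            if r.iface != p.iface:
                continue
            if r.src_net != "any" and ipaddress.ip_address(p.src) not in ipaddress.ip_network(r.src_net):
                continue
            if r.action == "pass":
                self.states.add(self._key(p))  # "keep state" is the pf default
            return f"{r.action} (rule)"
        # 3. Nothing matched: the implicit default block.
        return "block (default)"


def demo() -> list[str]:
    """LAN has the stock 'allow LAN net to any' rule; WAN has no rules at all."""
    fw = StatefulFirewall([Rule("lan", "pass", "192.168.1.0/24")])
    out = Pkt("lan", "tcp", "192.168.1.100", 51000, "93.184.216.34", 443)
    reply = Pkt("wan", "tcp", "93.184.216.34", 443, "192.168.1.100", 51000)
    unsolicited = Pkt("wan", "tcp", "198.51.100.9", 40000, "192.168.1.100", 22)
    return [fw.filter(out), fw.filter(reply), fw.filter(unsolicited)]


def reply_without_state() -> str:
    """The same 'reply' on a fresh firewall: no state and no WAN rule, so blocked."""
    fw = StatefulFirewall([Rule("lan", "pass", "192.168.1.0/24")])
    return fw.filter(Pkt("wan", "tcp", "93.184.216.34", 443, "192.168.1.100", 51000))


if __name__ == "__main__":
    print(demo())                 # ['pass (rule)', 'pass (state)', 'block (default)']
    print(reply_without_state())  # block (default)
```

Real pf is stricter than this toy in ways that matter for the "am I safe" question: TCP states also track flags and sequence windows, states can be floating or interface-bound depending on the state policy, and NAT rewrites happen before the state lookup on the way in. The model keeps only the part the reply relies on, the state lookup preceding the rule walk.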
• I need help with pfBlockerNG
    0 Votes · 3 Posts · 354 Views
    K:
    @jdeloach Hi, thanks for your help. I just checked and I have version pfblockerng-devel 2.2.5_33. Should I uninstall the current one and install the new one, or are you telling me to update?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.