"Best practice" vs "Acceptible". Both are correct as they are different scenarios. Should you filter ICMP so only specific types are allowed? Sure, if you want to be strict/most secure (Best practices and all) Is there enough danger to warrant filtering them like that? Probably not, so most people don't bother, so allowing more is acceptable to many people, even those with general security concerns. pf allows related errors and such back through state data anyhow so most people really only need to pass echo requests explicitly for IPv4. IPv6 is much different, you pretty much should be allowing everything there for ICMP as it's compulsory. pfSense drops in a bunch of ICMPv6 rules to pass the bare minimum, but passing all ICMPv6 is not bad unless you're trying to stop others from getting ping responses for local hosts. The rules from pfSense are to make sure you don't shoot yourself in the foot and break IPv6 with bad rules.

@serbus said in Is there a way to access the Bogons list as an Alias to use in a Firewall rule?: Hello! I dont think pfsense makes an alias. It looks like it is loaded directly in via pfctl. See /etc/rc.update_bogons.sh. However, you can make your own URL alias with https://files.pfsense.org/lists/fullbogons-ipv4.txt You could also copy the /etc/bogons file to a local web accessible location and then create a local URL alias like https://127.0.0.1:443/mywebfiles/bogons John Your suggestion to download from files.pfsense.org looks like the best way for me. I disabled the "Block Bogons" on each interface, so pfSense shouldn't be downloading on its own, and then created my own URL Alias.

So the desktop and server are in different subnets and the traffic has to pass pfSense. So just add a firewall rule to the interface the desktop is connected to which allow access to the desired ports and protocols.

Thanks for the idea. But my ISP had serious problems with ISAKMP thru their router, so I migrated to OpenVPN.

@Derelict said in Non-RFC1918 LAN: possible?: Just run through the setup wizard and change the LAN to that. Nothing special about it. Should renumber it though, of course. It is allocated to Hewlett-Packard for future reference when they can't download printer drivers or something and you are pulling your hair out. Yes, I am aware of that and will recommend that. After I only plugged in my laptop the filter logs were silent so I assume it will just work there. Currently the package is on its way ... test follows later this week. Thanks.

@asghardurrani said in LAN Network Not Accesiable from OPT1 OpenVPN (tun): I hope one should understand my issue? Noob here: when you have no gateway at 10.0.1.0/24, how should 10.0.2.0/24 be reached?

thank you anyway for answering to my nooby question. :-) the matter is solved then.

@stephenw10 said in Shell Bypassing Firewall Rules: 10.0.0.0/8 is probably wrong unless you have a number if subnets that are inside that as internal networks. If you're not using any 10.x.x.x subnets then you don't need those at all. Remember they might be VPN tunnel subnets which you might need to NAT'd for internet access. Steve Ah, and sorry for the delayed response. Think I'll just leave them, doesn't seem to hurt anything if I do. Also thanks for all the help, really appreicate it! :D ^.^

With such a capture you would be capturing everything but only 100 packets, so you would prob miss your traffic.. Since I would assume lots of traffic is going in and out of your wan. Even just pings would fill that up quickly since you monitor 2 pings every second, etc. On your sniff set the host to the IP it resolves too so you only see traffic to and from that IP.

i'm guessing somehow the alias is corrupted. illegal characters in the name or the content of the alias that aren't handled/catched by the gui remove the alias, create a new one, try to find the problem

@fuxxociety said in Trying to tunnel bittorrent through VPN interface: I think the rules are configured to achieve what I want, but I'm still not able to establish any peer connections on the client. I was thinking of setting a fixed port(s) and making rules for it... [image: 1596735747523-c8085fb8-01fd-433f-bd9b-5475dc5fc819-image.png] For me, that's how Deluge works

Ok, guess it's no issue at all. I recreated that 'Catch blocked packets that should be allowed' rule with 'WHOME net' as source and it's the same behaviour. According to https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html it's normal behaviour.

@kapvcop @kapvcop "I need to have at all times a clear view of the traffic that is happening," you want more than a "sysadmin" task... (with logs) ???, !!! @johnpoz, from an IT standpoint, give you a chance... everyone can and will do it.....read dry log files... clearly define what you want to see..... (I say only, because a firewall can do more than you think)

Ok my mistake understanding the "default" option. So if it follows the routing table then PfSense has two legs on that are both reachable correct? You are correct my friend..finally thanks thanks thanks. [image: 1596488223819-screenshot-at-2020-08-03-23-56-01.png]

Well that is just the default, with pfSense you can adjust almost any setting. :-) 10:48 AM here, but good night there. ;-) -Rico