• how to hide local IP addresses of connected devices on guest net

    4
    0 Votes
    4 Posts
    402 Views
    johnpozJ
    Yeah I would assume when you say guest is wifi.. This would be done on the wireless.. unifi you would have to enable guest policy. On a wired network is often called private vlan.. Neither of these options have anything to do with what pfsense does.
  • Unable to configure block list

    4
    0 Votes
    4 Posts
    419 Views
    DaddyGoD
    @Gertjan it really is, so correct wording - Not installed
  • PPPoE on WAN, no internet access from LAN

    3
    0 Votes
    3 Posts
    952 Views
    P
    @viragomann That's where I was thinking, too, tried lots of stuff, minus hybrid mode. I finally found the issue. In System | Routing | Gateways, the default gateway had to be set to the WAN_PPPOE gateway. I don't think I had changed anything from when it was working with WAN on DHCP, so apparently PPPoE is special and you need to specify that here. It never occurred to me since the WAN is able to reach the Internet which means it does have a default gateway. I've never seen the need to set a default gateway in a second place.
  • Firewall Optimization vs Security vs MEM/CPU usage

    1
    0 Votes
    1 Posts
    116 Views
    No one has replied
  • Two "dumb" devices no internet access

    roku dns resolver dumb host
    5
    0 Votes
    5 Posts
    1k Views
    J
    @bmeeks Thanks for your feedback, I'll try your suggestions! And I can narrow those down to just a couple: DHCP is set to almost default - it hands out its own ip address as the default gateway. I didn't want to use the ISP's DNS servers, preferring to specify my own (used to be OpenDNS now Cisco Umbrella, 208.67.222.222 and 208.67.220.220). I've since changed to Google's and CloudFlare's as they support DNS over TLS - I HAD that running fine for ALL hosts on the network - except when the Roku TV came along. It's again important to note out of the box, the TV (wired to the WiFi router, NOT WiFi), promptly connected to the internet, downloaded and applied an "update" all on its own, restarted, only then could not access the internet ever since as long as pfSense is the firewall. NO other changes! All other hosts still have internet just fine also with no changes. Since that time, pfSense DNS Resolver and Forwarder are disabled. I've tried letting the TV grab an ip address via DHCP from the lease pool - it does, shows the proper default gateway (no ability to show much else), cannot access the internet. Phone hotspot via WiFi: internet works. Swapping pfSense to an old Cisco Pix - internet works - with the same WiFi router connection (wired to one of its LAN ports). I've since plugged the TV directly into the LAN port of pfSense, eliminating all other devices. It obtained a pfSense DHCP address and proper gateway . . . no internet. That entirely eliminates the WiFi router as the culprit. I hear you about tinkering with DNS settings - although I'm rather new to pfSense, I do know DNS rather well (running many DNS servers myself in my day job, mostly Windows, plus configuring many corporate outside DNS configurations for outside-facing DNS for their domains). Something has to be set correctly - again every other device has internet access no problem - ONLY the TV does not, only when connected through pfSense. I just tried using my phone hotspot, connected the TV via WiFi - internet works. We also know it can connect using the old PIX firewall (also a DHCP server and NAT device). I'm running pfSense 2.4.5-RELEASE-p1. Taking your suggestion, DNS is at "default" - IIRC. General tab is blank for all DNS items, all boxes unchecked. Services/DNS Resolver is enabled, all top checkboxes unchecked. Interfaces set to ALL ALL. Only "Register DHCP leases in DNS resolver" is enabled, and "DHCP static mappings in DNS resolver" is checked. The TV does not have a DHCP reservation, it (IS) obtaining a LAN ip address from the DHCP lease pool. Currently ethernet connected. As always, other hosts access the internet just fine. My own laptop I'm posting this message with. I renewed my pfSense DHCP address, and changed from specified DNS addresses to only the pfSense ip address (DHCP server, default gateway, and the only DNS server are all the LAN address of pfSense (192.168.30.1)). System Logs/Firewall/Dynamic: Filter, enter my LAN address and I see lots of activity of course. Enter the TV's leased address and NOTHING appears in the firewall logs. ????? On the TV screen it verifies the same ip address and default gateway (and MAC address). I just don't understand why this TV is unlike every other device on the LAN, wired or wireless, that it just won't seemingly attempt internet access but will show up as reaching the firewall. The same TV, connected either through the exact same connection can promptly access the internet with a different firewall (still wired the same), or wireless through a phone hotspot. The problem points squarely at pfSense then.
  • Malformed wol packets

    wol wake on lan
    22
    0 Votes
    22 Posts
    4k Views
    johnpozJ
    A /15 makes zero sense to be assigned to any device... Do you have something close to 130K devices on this network? Really? Use something realistic.. How many devices do you have on this network? How many might it grow to? Such a mask is something you might use on a route summary, or firewall rule with a bunch of downstream networks.. Not anything you would ever use on a single L2..
  • Unable to access to device on network A from network B on VLAN

    5
    0 Votes
    5 Posts
    336 Views
    SipriusPTS
    So I finally discovered what was causing this, and it was from Ubiquiti AP, with this option checked: [image] After being enable, to unable, it was necessary to restart all WIFI current connections. Doing that it worked like a charm. I have set that option because there was a different icon associated with devices connected to that wireless network, but I was not expecting that there were rules being applied since I am only using Ubiquiti APs, and not firewalls. Thanks anyway for the help.
  • Port forwarding from WAN TO LAN

    1
    0 Votes
    1 Posts
    79 Views
    No one has replied
  • Port forwarding from internal LAN and WAN

    6
    0 Votes
    6 Posts
    479 Views
    RicoR
    Just follow the official guide here https://docs.netgate.com/pfsense/en/latest/nat/forwarding-ports-with-pfsense.html -Rico
  • Accessing web interface of Fios Router in front of pfSense

    3
    0 Votes
    3 Posts
    419 Views
    P
    Oddly enough.. I rebooted the fios router just now just to 'see' if that was an issue.. and it works perfectly.. arg.. =) at least it works.. Tech I tell ya!
  • Internal IP redirect to other Internal IP

    5
    0 Votes
    5 Posts
    471 Views
    GLDLRPAYNEG
    @johnpoz Help in this matter would be greatly appreciated.
  • I am seeing external IPs as source on my LAN interface

    8
    0 Votes
    8 Posts
    811 Views
    IsaacFLI
    @JKnott said in I am seeing external IPs as source on my LAN interface: @IsaacFL said in I am seeing external IPs as source on my LAN interface: No, that isn't my WAN address. Mine is a Spectrum public ipv4. Then what are those 172 addresses? Are we looking at your WAN or LAN interface? Either way, it doesn't seem to match what you're saying. Maybe if you draw a sketch or something, we might have a clue about what you're talking about. So my Windows machine shows that it has 2 interfaces, and Ethernet which is the actual used interface and an additional virtual vEthernet interface which I can't get rid of. The 172 addresses are on the Win10 vEthernet Interface. On sign on, it seems to set up 172.random.1/20 on the vEthernet. Currently many reboots after above, it is 172.29.112.1/20 Sketch of my network. [image: 1592800863922-2020-06-21_213450-resized.jpg] It is basically a Hyper-V host with pfSense as a VM. 4 port NIC is dedicated to the pfSense, with 3 of the interfaces going to a switch. 4th interface goes directly to the cable modem. This only shows the ipv4 as I don't think the ipv6 is involved. The IPs of the pfSense are LAN 10.23.10.1/24, IOT 10.23.30.1/24, VIRT (internal to Hyper-V host) 10.23.64.1/24 The WAN interface is from Spectrum in the 72.132.XX.YY/19 subnet. Since earlier, I did a clean install on the pfSense VM using the recover config from file. It still has the same type of traffic as I posted above. I tried deleting the virtual interface but on reboot it comes back. I think it is a vestige of having Hyper-V installed at one time. The virtual interface on the Win10 does show traffic going out the interface in the 10Mb/s range for a burst when I log on the task manager. I did power off the Win10 machine for 15 minutes, then restarted. I noticed nothing in the logs until I signed in after boot up. So pretty confident it is the win10 machine. Also the only other devices on the LAN are the Hyper-V host itself, and the mgmt. 
interfaces of the netgear switch and the cisco wap.
  • 0 Votes
    13 Posts
    2k Views
    IsaacFLI
    @viktor_g Once I read about the cert issue, and that it is an external issue, I decided to just use the http (80) link to ipdeny at least for now. I am not concerned about the country ip list being encrypted and figure they will probably fix it at some point.
  • Segmenting between two physical LAN ports

    3
    0 Votes
    3 Posts
    364 Views
    C
    @bingo600 And just like that, it works. I was starting to suspect that when the software said "WAN net" it didn't mean the network connected to the WAN port, but rather WAN IPs. I was still stuck in a rut trying to do everything with one rule, though. Thank you for the help!
  • Need help creating a transparent firewall

    9
    0 Votes
    9 Posts
    909 Views
    johnpozJ
    So they don't want you to nat, but you can still have a firewall.. Which you could just block all their scans with anyway ;) Be it transparent or not.
  • Irritating pfblocker WAN logging

    3
    0 Votes
    3 Posts
    315 Views
    D
    Thanks a lot..It worked!
  • [Double NAT] Allow modem devices to work with pfsense subnet

    6
    0 Votes
    6 Posts
    646 Views
    D
    @bmeeks Thanks, though I liked the challenge it was easier to just buy a switch for 10 bucks instead of trying to use my modem... Working now. @noplan One via Internet always works but has delay. Looking for the top one. [image]
  • Restricting Access to the webGUI does not work for my networks.

    7
    0 Votes
    7 Posts
    724 Views
    emammadovE
    @ThaPlexor It means any ip address except pfsense_admins will be blocked.
  • Some port forwarding fails

    3
    0 Votes
    3 Posts
    392 Views
    C
    Thank you, I have taken a look through this before. I will try to monitor logs better. The VM machine has 2 programs: a CCTV web server which is fine, but the game server is not. I have a feeling maybe the ISP blocked UDP of some ports. I had the same issue with TeamSpeak as well.
  • The 1.000.000 issue for firewall rule from LAN to WAN

    4
    0 Votes
    4 Posts
    282 Views
    GertjanG
    Use 'any' as a destination. This won't stop 192.168.2.21 from pinging all devices on its own LAN - something you can never stop, but not pfSense or elsewhere, higher up.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.