• Rule for route via VPN doesn't switch to default gateway if VPN is down

    1
    0 Votes
    1 Posts
    109 Views
    No one has replied
  • stop pfsense showing as route

    29
    0 Votes
    29 Posts
    3k Views
    Gertjan
    Or, as you stated earlier: what about using RFC1918 instead of using a public IP? If the network doesn't need to be accessible from the outside, hiding it from the outside would be easier.
  • Diagnostic - Cleaning Up After Being Hacked

    13
    0 Votes
    13 Posts
    1k Views
    M
    Thanks again everyone for your updates to this thread. It looks like I have a bit of homework to do to get things caught back up on my web server, but I knew this. My web server and firewall were both up to current on OS patches. I will be doing more digging on the webserver side of things this week as time allows. For now it's shut off and PFSense is doing its job. I do probably pay more close attention to my firewall than the average person. I try to go in and update it periodically to the most current version. I also do look at the logs on there and do my best to make sense of any entries that don't look like normal traffic. When things were not normal, I was busy and let them be. I should have addressed the issue as soon as I noticed something. PFSense was telling me things weren't OK. I just ignored them. I did add Snort to my firewall for some added monitoring. So far it hasn't picked up anything unusual. @Gertjan I do run Joomla with an addon. I'm running shaper_helixultimate. I run their out of the box version. Hopefully, shaper_helixultimate isn't a bad addon. I believe I will be installing fail2ban once I get this thing resolved. It sounds like that is a good option to help prevent this kind of thing. Cheers! Mountbaldy
  • Weird bug, pfSense is blocking traffic despite rule to allow?

    4
    0 Votes
    4 Posts
    371 Views
    A
    Resolved by switching Firewall Optimizing from Normal to Conservative which has stopped killing legit sessions in proxmox. It's not pfSense's fault, apparently Proxmox doesn't send headers to keep the packets alive (like say FTP). Instead Proxmox seems to play better with either Conservative mode or stateless firewalls. Thank you both for your time.
  • Pfsense Blockin Facebook WIFI Portal

    2
    0 Votes
    2 Posts
    207 Views
    JKnott
    @mohyi said in Pfsense Blockin Facebook WIFI Portal: When I enable Facebook portal on the guest wifi the firewall blocks the server response PfSense is smarter than I thought!
  • Question on HAProxy, VIPs, DHCP, and Firewall Rules

    16
    0 Votes
    16 Posts
    2k Views
    B
    @PiBa - real quick - yes, good news. =) And, yes, originally, you get a prompt for the client cert. it is intended. I'll fiddle with it later this evening and see if I can get everything to work.
  • Diagnostic - Unable to ping a LAN address

    7
    0 Votes
    7 Posts
    595 Views
    johnpoz
    Client to Pfsense nothing is captured Here is the thing - you could have everything blocked in every firewall rule.. Doesn't matter even if pfsense doesn't answer you would still see the traffic in a sniff.. A sniff sees the traffic before it even moves up the stack to the firewall!! If you're not seeing pings to pfsense, then you're not pinging pfsense IP or you're sniffing on the wrong interface! If pfsense doesn't "see" the ping - how could it ever answer... doesn't matter what possible firewall rules you have in place.. Pfsense has to know it's being pinged to answer - you're not seeing the pings in a sniff, then pfsense is not seeing them, and will not answer something it never sees. Other thing that could cause an issue would be say wrong mask on client or pfsense (mismatch).. Is this client dhcp or static? I take it static because you say you change the IP and it works. I assume you're using /24 (255.255.255.0) mask for this 192.168.77 network?
  • Unable to see computers on LAN over OpenVPN

    13
    0 Votes
    13 Posts
    3k Views
    B
    Go back to tun mode. Then, under OpenVPN, Client Export Utility, Advanced, Additional Configuration Options, add a line as such: push "route 192.168.10.0 255.255.255.0"
  • Rules to match VPN traffic not working

    2
    0 Votes
    2 Posts
    174 Views
    W
    OK, I got it working by resetting all the stats (despite being a "Quick" rule). Also the source seems to always mean the LAN side machines seen by the router regardless of inbound or outbound, and destination the remote machines on the WAN side. I was able to refine the rule to only match destination port 1194 on UDP, and the Openvpn traffic does show up in the low priority queue.
  • [SOLVED]Webserver not working with a /16 LAN

    12
    0 Votes
    12 Posts
    997 Views
    A
    Hi guys, confirmed, the webserver had the default /24 subnetmask, changed it and everything works now. Thank you for everything :)
  • Win 10 no internet access request string?

    5
    0 Votes
    5 Posts
    757 Views
    B
    @pooperman Can you, or maybe someone else seeing this tell me how to properly add this dns entry? I feel like I'm missing something. I'm having the exact problem with spotify/windows saying it's not connected to internet as described in this post, and I can't figure out how to solve it. I've tried the registry edit and a similar group policy edit I found on another forum, and neither fixed it. It may be worth noting that I'm using suricata instead of snort? But I don't think that should make a big difference. Especially since I have even tried disabling the suricata service as a whole and it still happens. This is getting very frustrating for me.
  • MITM Protection

    7
    0 Votes
    7 Posts
    948 Views
    J
    Thanks for your help.
  • iPhone App Possibly Blocked

    3
    0 Votes
    3 Posts
    459 Views
    N
    More digging and nothing was found in pfBlockerNG. When I tested the app yet again, I did see in the Status > System Logs > Firewall, my iPhone attempting contact to another IP on port 14580. As a test, instead of creating a pass all rule on my wifi, I created a rule to pass IPv4/TCP on WLAN net to any on port 14580. So far it's working.
  • Double nat problems

    2
    0 Votes
    2 Posts
    318 Views
    V
    You have to add a static route on the first firewall for the networks behind the second, pointing to the WAN IP of the second.
  • Cannot ping LAN interface

    8
    0 Votes
    8 Posts
    931 Views
    JKnott
    @hindersahtarra said in Cannot ping LAN interface: Linksys only provide 1 subnet. The LAN side of the pfSense configured to be different subnet as the linksys. You have the desktop and WAN side of pfSense on different subnets, even though they both appear to be connected to the Linksys.
  • Firewall traffic between S2S?

    4
    0 Votes
    4 Posts
    425 Views
    Rico
    Glad you have it working now. -Rico
  • PFSense throw looped back NS error

    firewall network problem error networking
    1
    0 Votes
    1 Posts
    943 Views
    No one has replied
  • WoL from device on separate interface

    19
    0 Votes
    19 Posts
    2k Views
    NogBadTheBad
    @johnpoz said in WoL from device on separate interface: Nope that doesn't do it.. I have plenty of dhcp reservations.. You mean this? [image: 1591458806601-staticarp.jpg] That has the problem that devices that are not listed can not talk to pfsense, ie get to the internet or any other vlan.. yes there
  • mDNS traffic from WAN to 224.0.0.251:5353, but why? Please help.

    39
    0 Votes
    39 Posts
    22k Views
    JeGr
    @MG85 said in mDNS traffic from WAN to 224.0.0.251:5353, but why? Please help.: Setting these values while you have connected the speakers joined to your wireless network (like I have, with my 2 UniFi AP AC Lites, who are the only devices at home broadcasting wifi signal) is of no added value. For me it is. I don't want them on my Unifi WiFi and I don't want them to use WiFi at all, as there are so many freakin' 2.4GHz WiFis on my premise it's insane. Thus my Unifi WiFi AP only does HT20 on 2.4 and HT80 on 5GHz and has band steering towards 5GHz. Most devices I have can use 5GHz and those that don't aren't that speed dependent. So the last I wanted was another 2.4GHz WiFi that's why every speaker has its LAN cabled and proofed. And if Sonos would get their shit together and actually DO what you select in their app - namely disable WiFi for Room X - I wouldn't have to deal with (R)STP or their bridging of interfaces etc. Just down that freakin' WiFi Interface if I disable it. As for "no added value": Without LAN cabling: 3 of 5 speakers have yellow/red status in their WiFi-Mesh-Matrix. With LAN and STP all speakers fall back to LAN, have better latency and ping and no bandwidth problems at all (all green matrix). Shame they think they're smarter than their customers (and disabled the options to manually disable the wifi if in their speakers).
  • ICMP ping rule not working

    2
    0 Votes
    2 Posts
    122 Views
    mineubob
    I don't know what I just did but it works fine now.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.