• Squid/https/ERR_TUNNEL_CONNECTION_FAILED

    3
    0 Votes
    3 Posts
    477 Views
    DaddyGoD
    Put them on the whitelist: *.workplace.com 80/443 *.facebook.com 80/443 *.fbcdn.net 80/443 *.fb.me 80/443 *.fbsbx.com 80/443 *.workplace.com *.facebook.com *.fbcdn.net *.fb.me *.fbsbx.com, like: https://www.facebook.com/workplace/resources/tech/it-configuration/domain-whitelisting
  • Default deny rule IPv4 (1000000103) except ICMP

    6
    0 Votes
    6 Posts
    5k Views
    senseivitaS
    @johnpoz said in Default deny rule IPv4 (1000000103) except ICMP: @dg6464 said in Default deny rule IPv4 (1000000103) except ICMP: If anyone finds a way around the asymmetrical routing issue... Yeah, don't do asymmetrical.. You already mentioned the fix.. Would adding a true /30 transit network as, say, "VLAN33" between the firewalls fix the issue? If you're going to have a downstream router.. then yes it would, and it should be connected to the upstream router via a transit network (no hosts on this network). If you're going to put hosts on what is your transit network.. The network between 2 routers is always a transit network.. Hosts don't belong on a transit network.. If you're going to do that, then you need to use host routing, i.e. routes on these hosts to tell them which router to use to get to what network. Or you have to NAT all downstream networks via the IP of the downstream router in the transit network.. so this host on the transit doesn't know about them, nor does the upstream router.. I think it was you here who gave me the same advice once. It was the best thing I've ever learned. There are so many possibilities and zero NAT problems. <3 Thanks!
  • How to isolate DHCP Client from Static IP Clients?

    6
    0 Votes
    6 Posts
    706 Views
    P
    @johnpoz Thanks! I successfully created an isolated network by creating a VLAN based on my LAN, and set the VLAN tag in the managed switch.
  • Throughput issue on a virtualized Pfsense

    10
    0 Votes
    10 Posts
    2k Views
    M
    Hi, as you mention.. do you have another ISP connected? If so.. do your earlier troubleshooting: plug your laptop directly into the ISP and try to download a 10 Gb file from speed test sites (I am in Sudan; the difference between download and upload = 1/10).. so if you have a 1 Gb connection, it should be 100 Mbps when you download the 10 Gb file. Try to do this in the rush hours. If you are satisfied with the bandwidth.. put it back behind the pfSense and try the same 10 Gb file from inside your network.. it should not be far from 100 Mbps (70-80). Note: there is no need to expand your compute resources while it is 0.5. Good luck.
  • Roku TV Not Connecting Wifi with Outbound NAT Configured

    8
    0 Votes
    8 Posts
    587 Views
    T
    @johnpoz This is strange because in DHCP for the internal subnet I have configured external DNS servers.
  • VLAN connectivity Issue

    vlan cisco switch
    4
    0 Votes
    4 Posts
    716 Views
    johnpozJ
    While captive portal could be blocking.. you clearly have an issue there with only allowing TCP.. Unless your client is doing DoH or DoT, there is no way he could get any DNS.. DNS runs on UDP 53.. You can see right there in your block that 53 to 8.8.8.8 was blocked.
  • TCP:S vs TCP:FA

    26
    0 Votes
    26 Posts
    5k Views
    E
    @johnpoz said in TCP:S vs TCP:FA: Why do you have all your VLANs on both interfaces in Hyper-V? The only network that should be on WAN is the WAN network.. Corrected the interfaces: [image: 1590614375115-2c9c43ef-695c-44f1-b1bd-bd43de13856c-afbeelding.png]
  • unraid community applications blocked

    2
    0 Votes
    2 Posts
    345 Views
    J
    [image: 1590532059356-capture3.png]
  • Public IP directing to Pfsense.

    1
    0 Votes
    1 Posts
    83 Views
    No one has replied
  • Interface and Firewall questions

    2
    0 Votes
    2 Posts
    268 Views
    E
    Seems like I just cannot ping/access the switch from LAN. I connected another computer to VLAN 10 and I can ping that computer from my computer on LAN.
  • 0 Votes
    8 Posts
    450 Views
    timtraceT
    Thanks man!
  • 0 Votes
    9 Posts
    1k Views
    F
    @JKnott Thanks.. I had to reconfigure my Cisco router interfaces with VLANs and access lists, then I managed to get through well. Thanks much.
  • OPENVPN client problem

    10
    0 Votes
    10 Posts
    4k Views
    N
    @Gertjan Ok sir, I will, thank you very much, I will.
  • VPNs Disconnecting / Reported Memory Issue

    2
    0 Votes
    2 Posts
    81 Views
    No one has replied
  • Policy creation-Ref

    1
    0 Votes
    1 Posts
    121 Views
    No one has replied
  • Default rule dropping traffic with a state

    1
    0 Votes
    1 Posts
    77 Views
    No one has replied
  • Multicast security best practice

    4
    0 Votes
    4 Posts
    482 Views
    johnpozJ
    Sure.. But that would have nothing to do with the camera's normal IPv4 address.. You stated "move this traffic from say 192.168.x.0/24" like you were going to change the device's IPv4 address to a multicast address.. You wouldn't do that; the device still needs its normal IPv4 address. What multicast address space you want to use for multicast traffic has nothing to do with that. As to anything you would do on pfSense.. Nothing.. Devices on the same L2 talking multicast to each other would have nothing to do with pfSense. Also not sure why you would use anything in 225, that is reserved multicast space.. If you want to create multicast groups, does your switch(es) support IGMP snooping, or wireless? I would assume your cameras are talking multicast anyway.. There is no reason to specify which group they are on (via address) unless you have multiple multicast streams on this L2 network, and you're wanting to have your switching infrastructure limit which devices see what streams by allowing the devices to join a specific group..
  • Issues with WoL

    12
    0 Votes
    12 Posts
    1k Views
    johnpozJ
    But sure, not right away seeing the WoL packet leave pfSense got you wondering if it was actually going out on the wire.. But going forward you can sniff them on pfSense; you just have to look for them specifically or they can be easy to miss.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.