I disabled gateway monitoring, but its still going!

@viragomann I removed the Xairnet address and replace it with any. I was able to send mail with no problem now thru the WAN1 port (the gateway). Thank You for your help

Hi, sorry but could someone help me? this situation is very strange, the configuration is well done but it doesn't work. Thanks.

I think I have this solved, partly. One of the disconnected interfaces on pfSense is in the same subnet as 104.37.148.83, so that's maybe going to cause a problem, although I don't see replies going out that interface, maybe because it's disconnected. The other mystery is why disabling the rfc1918 filter causes the wan to be reachable from that subnet.

The rule would be for lan only, and it would only need to be in.. Or just put the rule on the lan interface directly.. Floating tab is really for special use.. Such a basic rule has no place on floating.. And your going to want to make the rule quick if on floating.

Post up your rules.. Lets take a look see if any are just pointless.

No..

Thanks a lot Rico. I'll try that.

@Gertjan Thank you for your feedback. Not sure what the issue may have been but over night the cameras started working again. No settings changed on pfsense. It must have been something with Honeywell servers (which I originally thought) but because they connected to my phone hotspot and worked I assumed it must have been my network.

Just revisited this and it certainly doesn't make any sense intuitively or visually. There should just be a simple tick box for every day of every month :P. The whole picker process is borked BUT now that I know how it works I can live with it. I was able to get what I wanted. Thanks!

Rules are parsed from the top to the bottom. The rule in your number one spot actually makes the second rule moot because rule one already covers port 53. You need to have a rule allowing your WLAN interface out to the internet. Copy your default LAN rule and change it's interface to the WLAN_Guest interface. Place it at the bottom. Put any blocks you want above it.

That has been my experience in the past as well. It has never been an issue. I can confirm we are getting the new ip address, since I can login to the pfsense interface with the new address. This is how I disabled the firewall to check if it corrected the problem. I think I may try a complete wipe of the hdd and reinstall from scratch again and see if there is any difference. From the lack of responses, I assume this is not a common issue.

Thank you everyone for your advice, guidance, and support. I now have a much better understanding of firewall rules, firewall aliases, and interface groups. I was able to successfully create firewall rules that are permissive (allow IoT devices to connect to the Internet); but my firewall rules are not too permissive (IoT devices CANNOT interact with devices connected to the LAN subnet).

Do the VPN clients have a route to the 10.100.0.0/24 subnet? You may have to push it to the clients.

Thank you for your answer. I will create a new VLAN on my switch dedicated on specific port for this shitty device.

If this is really happening on L3 and not on L2 somewhere, a rule that blocks all traffic from that interface to 10.0.4.10/24 should help, I believe. Should be placed before the "allow to *" rule you probably have for internet access. I think that's what you also thinking of, too? I do not share your concerns, because 1. everything that happens between your clients and the Netgate isn't affected by any firewall rule on the Netgate and 2. this doesn't disturb routing (you do not "access" the Netgate for this), because neither the Netgear nor the Netgate is the destination on IP level. I usually have a rule that just blocks traffic to all private network ranges (including the own range, because I don't whitelist it) on all interfaces of the Netgate and only allow specific traffic, e.g. DNS to the Netgate. Just make sure that you don't lock yourself out of the Netgate (allow HTTPS from your "management network", but usually there is the "Anti-Lockout Rule" that does that for you). ;)