• Can't enable IPv6 Configuration Type for OPT1/OPT2?

    0 Votes
    9 Posts
    2k Views
    JKnottJ
    @EmptyWallet said in Can't enable IPv6 Configuration Type for OPT1/OPT2?: So, how should I set those two up? That depends on how you set up your network. Do you want to use one of your global prefixes? If so, you have to use track interface, just as you do with the LAN.
  • Block IPv4 Question

    0 Votes
    3 Posts
    376 Views
    johnpozJ
    Odd that a game would broadcast to an APIPA network like that from its RFC 1918 address. Quick google for that port points to Logitech Arx Control software?? Sending out such nonsense..
  • Open wide rule vs specific rule

    0 Votes
    7 Posts
    373 Views
    A
    If I were doing this, I would make an extra VLAN, like you did. It's the management VLAN. Make sure only your computer(s) can get to this VLAN by setting your smart switch ports to only hand that VLAN to your computer(s). You also have to add the VLAN settings to your computer's network card. Then, on the VLAN's firewall rules, all you have to do is use 1 rule - allow that VLAN to any destination. That should let you do what you're trying to do - get to any network on the firewall, using any port and/or protocol. If you want to block this management VLAN from getting to other networks (like really private ones, or the internet as an example), put these block rules above the allow any rule. Basically, I think what you're trying to do is make a separate LAN interface, but only usable for management activities, and then only connect your computer to it. Jeff
  • 0 Votes
    3 Posts
    256 Views
    V
    Hi, I wanted to keep the workstations with static IPs (current state) because we use network rendering etc., but to block all connections from these computers from the LAN to the internet, and then again to allow them to use a browser to surf the net. So in the end everything is the same as in the pictures above; I just added a rule to allow port 3128 for the proxy and turned on proxy authentication. So in the end the only connection from these workstations is through the proxy, which has to be authenticated. Thanks for the help.
  • Traffic Analysis

    0 Votes
    6 Posts
    580 Views
    P
    @bmeeks said in Traffic Analysis: The bottom traffic log (the one with ports 67 and 68 over UDP) is a DHCP request. This is normally benign and even expected. The middle traffic log (the IGMP Bogons block) is a multicast "All Systems" broadcast. The top log entry, at first glance, appears to simply be out-of-state traffic and is normal with some web sites as they try to keep pushing ads to you. Nothing you posted indicates a rootkit to me. It appears to be normal network traffic. Thanks for the reply.
  • pfctl not disabling the firewall for more than 1 second (2.4.5)

    0 Votes
    7 Posts
    3k Views
    RicoR
    This is also in the Docs. https://docs.netgate.com/pfsense/en/latest/book/config/what-to-do-when-locked-out-of-the-webgui.html -Rico
  • Remove the nginx file from PFSense

    0 Votes
    1 Posts
    105 Views
    No one has replied
  • VPN not able to access LAN2

    0 Votes
    6 Posts
    229 Views
    RicoR
    Glad you have it working now. -Rico
  • How to properly add OpenVPN Tunnel to squid proxy ACLs?

    0 Votes
    1 Posts
    129 Views
    No one has replied
  • How to allow Pfsense MGMT IP only on one VLAN.

    0 Votes
    1 Posts
    113 Views
    No one has replied
  • Port Aliases

    0 Votes
    5 Posts
    697 Views
    S
    @Gil said in Port Aliases: I can't make one firewall rule for a service that requires a mix of tcp and udp ports. While it would be handy, the rule generated has the port separate from the protocol: block drop in quick on em0 inet proto tcp from 10.0.0.0/24 to any port = netbios-ssn flags S/SA label "USER_RULE: Block SMB outbound". So if it were to work pfSense would presumably have to generate multiple rules, one for each protocol. That said, it generates multiple rule/lines for rules with one protocol and two ports. :) (https://docs.netgate.com/pfsense/en/latest/firewall/viewing-the-full-pf-ruleset.html)
  • How to forward all traffic from OpenVPN Tunnel to Squidproxy?

    0 Votes
    1 Posts
    129 Views
    No one has replied
  • Connection to port forwarded device using WAN IP from a LAN device

    0 Votes
    2 Posts
    125 Views
    B
    So after some more research, I seem to be looking for NAT Reflection. The only issue is, I need UDP packets as well as TCP packets, and in my case it seems like only NAT + Proxy works for me. NAT Only will not connect.
  • Issues with Firewall rules on openVPN Interface

    0 Votes
    2 Posts
    107 Views
    RicoR
    Firewall rule processing order is: Floating tab, then Group tabs (OpenVPN for example), then Interface tabs. So if you have any-any on your OpenVPN group tab, traffic will never hit the OpenVPN interface. Which interface is your screenshot showing? -Rico
  • Traffic blocked although rules would allow

    0 Votes
    4 Posts
    270 Views
    P
    OK, did some more tests.... and found some interesting stuff. It seems like more than one client on DMZ will cause similar entries in pfSense's firewall logs. At least I know this is not isolated to a single machine. When one of these clients (a laptop) is connected to DMZ via a wired connection (using ports 23 or 24 of my ProCurve switch), I don't see any RA, PA or TPA log entries... EDIT: False... I just refreshed the logs and still see tons of these entries while the laptop is wired. Some background on the network & pfSense setup: LAN (PVID 100), SEG (PVID 200) & DMZ (PVID 300) are VLANs based on the OPT1 physical interface. DMZ clients get an IP under DMZ by either connecting to ports 23 or 24 of the switch, or by connecting to a Unifi AP which broadcasts 2 tagged networks (LAN + DMZ). Port 02 of the switch carries most of the clients and belongs to all VLANs but is not tagged, so as to allow IoT... Port 01 is tagged to be able to "talk" to pfSense's VLANs, which are tagged. [image: 1587764406902-screenshot_2020-04-24_17-38-15.png] The VLAN configuration on the managed ProCurve switch is:

    VLAN Configuration:
    Port  Aware    PVID  Ingress Filtering  Frame Type
    1     enabled  none  disabled           Tagged
    2     enabled  100   disabled           All
    3     enabled  100   disabled           All
    4     enabled  100   disabled           All
    5     enabled  100   disabled           All
    6     enabled  100   disabled           All
    7     enabled  100   disabled           All
    8     enabled  100   disabled           All
    9     enabled  100   disabled           All
    10    enabled  100   disabled           All
    11    enabled  100   disabled           All
    12    enabled  100   disabled           All
    13    enabled  100   disabled           All
    14    enabled  100   disabled           All
    15    enabled  100   disabled           All
    16    enabled  100   disabled           All
    17    enabled  100   disabled           All
    18    enabled  100   disabled           All
    19    enabled  100   disabled           All
    20    enabled  100   disabled           All
    21    enabled  200   disabled           All
    22    enabled  200   disabled           All
    23    enabled  300   disabled           All
    24    enabled  300   disabled           All

    Entries in permanent table:
    VLAN 1:   1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
    VLAN 100: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
    VLAN 200: 1,2,21,22
    VLAN 300: 1,2,23,24

    Did I miss something or misconfigure something in there? This setup has been operating for over a solid year now, and before last week I never truly had any issues, to be honest. I also don't see any problems with my LAN clients. The only clients showing the log entries are those connected to the WiFi "DMZ" SSID... I never really trusted the Unifi firmware for multiple SSID broadcast and VLAN tagging....
  • How to cut connection to wan ?

    0 Votes
    3 Posts
    401 Views
    J
    I came across this too and believe it's because the rule only stops new sessions from being created; you would have to somehow close existing states or recycle the session table. I tried to find a way to do this, but in the end I just had a cron job to kill sessions from the particular host, using this command: pfctl -k host1 -k host2. I wish there was a better way, but that's all I came up with, and I won't say it's the best or most reliable solution, but it's much better than rebooting the firewall or killing all sessions and having that nice interruption.
  • Create rule with bogons

    0 Votes
    4 Posts
    556 Views
    C
    @JKnott said in Create rule with bogons: By default, pfSense blocks everything incoming. True on the WAN. But on the LAN it allows every destination. In other words, a LAN host can send a packet to a private IP address and pfSense will dutifully forward it out the WAN if there's no matching local route. RFC 1918 says you should not do that. @JKnott said in Create rule with bogons: Also, the ISPs should also be blocking those addresses. What if pfSense is the ISP? @Rico said in Create rule with bogons: Hmm, I think his question is how to use the bogons table in his own firewall rules. Yes, that's the question, and that would be lovely.
  • Can't load certain websites

    0 Votes
    5 Posts
    434 Views
    DaddyGoD
    Yeeepp, for sure. I was just curious what he sees directly from the firewall if he pings Google.
  • Rules setup - new to firewall administration

    0 Votes
    13 Posts
    1k Views
    ajtradtechA
    Update: Rules from my DEV interface copied to the PROD (formerly OPT5) interface. Added rules for FB Messenger to function. Disabled the default Pass any rules at the bottom. Email - check. Push notifications - check. Address book sync - check. Calendar sync - check. Apple TV - check. FB Messenger - check! There is a slight pause before a YouTube video plays, but I guess that's to be expected with all of the rules to go through along with the port ranges specified on the list from Apple. I have the more specific rules at the top, with more general rules with port ranges at the bottom. Going forward, I'll keep an eye on the rules that don't get touched and disable them. Thanks to everyone for their input.
  • 0 Votes
    5 Posts
    875 Views
    B
    "So you blocked traffic by creating your own rules, and disabled the default one that allows all. And then didn't get why stuff didn't work?" That's correct. I followed a tutorial that didn't explain that disabling the default rules has consequences. Now I am glad this happened, because all the research and head banging taught me more about network management. "If you post a screenshot of your LAN rules, we can discuss them if you want." I appreciate your offer. I do not wish to trouble you. Your first comment caused the light bulb to go on, so thank you.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.