• DNS host override / allow only specific DNS lookup

    0 Votes
    1 Posts
    75 Views
    No one has replied
  • Port forwarding

    0 Votes
    2 Posts
    311 Views
    Gertjan
    @kdmiller61 said in Port forwarding: "forward ALL ports"

    All you need to forward are the ports the application needs. Do not forget to check TCP and/or UDP as well. If that is not clear or unknown, then the real issue is the 'application'. https://docs.netgate.com/pfsense/en/latest/nat/forwarding-ports-with-pfsense.html tells me that: [image: 1584694165513-f362cca7-5ff0-4c7a-82e5-90a7e7979865-image.png] should work. This is what is called a "DMZ" rule on other routers.

    Edit: "1024" could be changed to "1".
  • Need advice on my firewall rule setup

    0 Votes
    1 Posts
    166 Views
    No one has replied
  • Network firewall rules not doing what I expect

    0 Votes
    7 Posts
    660 Views
    I
    Aha, I figured out why the MGMT net rules were not working. I had edited my config.xml and renamed my opt interfaces. After switching the naming convention back to opt1, opt2, ..., we achieve normal operation.
  • Set up Failover to alternate VPN connection

    0 Votes
    1 Posts
    91 Views
    No one has replied
  • Bug: Problem with schedules that go over to the next day

    0 Votes
    18 Posts
    2k Views
    E
    I've been searching around for the answer to the one-minute outage for rule application between 23:59 and 00:00. In my pfSense 2.4.4 setup, I've disabled the default allow-all rule and I'm using allow rules for access (based on other guidance I've seen related to states, referred to in this post as well). I have two groups of IPs, restricted and unrestricted. I have the restricted group set for 05:00-23:59, 00:00-01:00. The unrestricted group is set for 00:00-23:59. Everything loses access for the one minute between 23:59 and 00:00. Is the only answer to go back to block rules with some sort of cron to kill states (although I've not seen a definitive answer that this will work either)? That seems a bit overly complicated to achieve something so simple. Sorry if this has been solved somewhere; I just haven't been able to find it.
  • Using Open VPN service on XG-7100, prevent LAN clients connecting

    Moved
    0 Votes
    48 Posts
    6k Views
    S
    @stephenw10 thanks for an easy answer. :D
  • Rule loading error, no IP address found

    0 Votes
    8 Posts
    910 Views
    P
    @kurppa Awesome!
  • Outbound pass rules on assigned OpenVPN interfaces

    0 Votes
    3 Posts
    285 Views
    J
    @viragomann Thanks for the reply. I already have manual outbound NAT rules configured for the interfaces. Everything is working fine, but if I apply an outbound pass rule on any of the interfaces, traffic goes out but doesn't come back in. When I have time later I'll check my firewall logs to make sure traffic is hitting the firewall on return.
  • Redirect Rules to Squid

    0 Votes
    1 Posts
    128 Views
    No one has replied
  • SYN flooding attack

    0 Votes
    11 Posts
    1k Views
    sahan
    @johnpoz ok, thanks
  • Allowing ICMP/Ping From WAN to Machine On LAN for Ptunnel

    0 Votes
    10 Posts
    1k Views
    kiokoman
    Are you sure? Show a screenshot of the WAN firewall rule; maybe you have another rule that permits ICMP.
  • pfSense BLOCKS this kind of traffic, or just monitors it?

    0 Votes
    13 Posts
    1k Views
    uxm
    @bmeeks said in pfSense BLOCKS this kind of traffic, or just monitors it?:

        @uxm said in pfSense BLOCKS this kind of traffic, or just monitors it?:

            @bmeeks said in pfSense BLOCKS this kind of traffic, or just monitors it?:

                @uxm said in pfSense BLOCKS this kind of traffic, or just monitors it?:

                    @bmeeks The "Block Offenders" setting was unchecked. So I changed it to "Legacy Mode" and also checked "Block On DROP Only". But the ET Compromise rules will not be blocked, right?

                If you enabled the "Block on DROP Only" option and did not also use SID MGMT to set rules to DROP, then nothing will get blocked. It sounds like you are really new to using an IDS/IPS. I suggest you do some research on Google and learn how this technology works first. Your questions about the IDS/IPS package and your other posts in this thread about security for RDP indicate you may be very new to network security. Your setup as you have currently described it is very much not as secure as it could and should be.

            Yes, it's a very new field for me. I try my best to learn more (though I don't have so much time). Thanks @bmeeks

        Nothing wrong with being new to a field. All of us were also, at one time, new to this field. Spend some time searching for and browsing related links on Google to learn some more about the technology. The very first thing to learn about is what VPNs (virtual private networks) are and how they are used to enhance security for remote connectivity options such as Remote Desktop on Windows and other scenarios where you need remote access back into your LAN. You really, really need to be using a VPN for any kind of remote access from outside back into your local network (your LAN). Pretty much nothing else (such as obscure port forwards) is as secure as a VPN. pfSense gives you everything you need, out of the box, to configure a secure remote access setup. Then read up on stateful inspection firewalls and how they operate. pfSense is a stateful inspection firewall.

        Then learn about the default-deny rule in the pfSense out-of-the-box WAN configuration and how that pretty much stops any unsolicited connectivity into your network. Only when you enable port forwards or otherwise monkey with that default-deny rule do you open yourself up to external attack. Only turn on the IDS/IPS package much later, after you gain experience in this area. And even then, at first you should always run an IDS/IPS in detect-only mode for perhaps as long as a month to see what traffic patterns are "normal" for your network and to see which rules are being triggered. It is likely a number of triggered rules would actually be false positives and would need to be "tuned out" as you refined your IDS/IPS rule set. If you just install a tool such as Suricata or Snort and enable blocking immediately, you can expect to pretty much have all of your web browsing broken by false positive rules triggering.

    I will follow your advice. Thank you so much. I really need to clear my view on that one.

    Update: I have just set up my OpenVPN server configuration and created my VPN user. I also exported the OpenVPN client for Android (my phone) and Windows (my work PC) and everything works great. Thanks! :)

    PS: one problem though. At work, I have two Internet connections: the "production" connection (with an ASA firewall configured by the company that supports us) and one "off production, backup" Internet connection. I use the "off production" connection. I connect, but there are many disconnections/reconnections while I am connected, every 5-10 seconds.
  • alias issue with multiple FQDN (but singles work)

    0 Votes
    2 Posts
    184 Views
    S
    Hello! Look at the contents of your alias tables under Diagnostics -> Tables and make sure they are correct. Check to see if you are affected by this: https://redmine.pfsense.org/issues/9296 John
  • Plex vs pfSense problem.

    0 Votes
    17 Posts
    3k Views
    uxm
    Thank you all for your help, guys. I will check if I can run my ASUS as a modem only. I bought it for 200 euros, so it is hard (psychologically) to move it away. Haha, thank you!
  • [beginner] setting up Interfaces correctly

    0 Votes
    1 Posts
    185 Views
    No one has replied
  • Firewall + anchor + authpf???

    0 Votes
    3 Posts
    246 Views
    The_WART
    Thanks
  • Simulate local ddos dos attack

    0 Votes
    2 Posts
    305 Views
    kiokoman
    Just out of curiosity, what are you going to achieve by saturating your own internal network? In the worst-case scenario you will just make your network unreachable, and there is almost nothing you can do to mitigate it, only stop DDoSing yourself. But, and this depends on what kind of DDoS you want to use, there are various tools to simulate a DDoS attack and learn to defend yourself with Suricata and Snort, for example: https://sourceforge.net/projects/ddosim/ -> application layer attack; https://github.com/markus-go/bonesi -> layer 3 and 4 attack; other tools like hping can make a SYN flood. The major problem you will encounter if you do it at home is machine power...
  • FireWall blocks second L2tp client traffic

    0 Votes
    1 Posts
    85 Views
    No one has replied
  • Policy filtering rules

    0 Votes
    1 Posts
    224 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.