• Mysterious traffic to 224.0.0.2 which is blocked, but it shouldn't be

    8
    0 Votes
    8 Posts
    815 Views
    johnpozJ

    @Pizzamaka yeah it might be a bit confusing, especially on an any any rule where you don't call out say tcp or tcp/udp and it's just an IPv4 any any rule.

    I think that was their goal with listing the rule that triggers but mentioning the igmp protocol even when it's an allow rule, for example your lan any any rule.

  • disabling a firewall rule doesnt stop traffic

    5
    0 Votes
    5 Posts
    180 Views
    F

    @johnpoz brilliant thank you

    PS. Working now, as mentioned; tested with ping and it looks like the default is 20 seconds on ICMP.

    thank you again

  • Arrow in firewall log, why?

    13
    0 Votes
    13 Posts
    501 Views
    D

    @Operations said in Arrow in firewall log, why?:

    I created a whole reply while you deleted your post so I couldn't submit it hahaha

    So basically the arrow in the log is because it is a floating rule? So no issues there and normal behaviour?

    Docker server is pinging my synology because of Kuma Uptime docker.

    Sorry about that. I missed the crux of your question and got triggered!
    Yes, the arrow is indicating your floating permit rule matched in the out direction, i.e. traffic leaving the firewall on the 'LAN' interface, and that seems to be in line with your rule definition.
    If your monitoring app is on a different network segment to the target, then you of course need rule(s), somewhere, that will permit that traffic. Whether a floating rule is the appropriate location for that is a matter of personal preference.
    Regarding explicit echo reply permission in rules, I have found it unnecessary. The pf firewall seems to permit the reply back in without it. But that might not be the case with two-way floating rules.

  • Should i create an allow rule? Netbios

    14
    0 Votes
    14 Posts
    642 Views
    johnpozJ

    @Operations yeah, pfSense is not going to do anything with broadcast traffic one way or the other. If you don't want such traffic in your logs then yeah, just create a rule to not log it.

  • /22 network Issue

    5
    0 Votes
    5 Posts
    283 Views
    B

    @johnpoz I don't remember if I had changed it from a /24 to a /22 when I originally set up the network. I want to say "I don't think so".

    The clients that pick up IP addresses in the 10.8.13.x and above get the correct subnet mask and they are assigned addresses from pfSense's DHCP server, so to me it's confusing why nothing else is working for them. I want to keep pointing my finger at something in pfSense. I'm going to do a rebuild on a machine and test before I back up the config and rebuild that FW.

    I have other locations set up "Cookie Cutter" with only the 2nd octet different (10.5.0.0/20, 10.6.0.0/20 ... etc.). The last range is 10.8.12.1 - 10.8.15.254 (10.8.12.0/22).

    I use manual outbound nat for our VOIP setup and want static port mapping. Normally I would use auto.

  • Is there a way to copy firewall rules from one interface to another

    6
    0 Votes
    6 Posts
    11k Views
    D

    @guardian I wish someone would make this feature or a package that could do it. I would use the heck out of it.

  • Issues in packet flow

    1
    0 Votes
    1 Posts
    113 Views
    No one has replied
  • pfBlocker table count usage not increasing

    11
    0 Votes
    11 Posts
    621 Views
    S

    @owner-of-a_BAKERY Do you have deduplication enabled in pfB? It works but there can be side effects.

    What I was trying to say was, start with a low number and see if the counts match up. If they do, add a few more until they do not match.

    Not sure about the memory but I would expect it takes more memory to read in and process a list, than to store the IPs in a table.

  • Best Practice - LAN Only Firewall Config. CCTV Network

    1
    0 Votes
    1 Posts
    114 Views
    No one has replied
  • pfSense blocks traffic coming from SubnetA to SubnetB

    25
    1 Votes
    25 Posts
    1k Views
    Y

    Hi @viragomann,

    I found it!

    It was because of a misconfiguration in my OpenVPN client connection.

    Here is a post that explains what my problem was:

    https://www.reddit.com/r/PFSENSE/comments/i125ig/default_route_now_set_to_vpn_client_instead_of/

    I was looking into this because of this:

    # route get 1.1.1.1
       route to: one.one.one.one
    destination: default
           mask: 128.0.0.0
        gateway: 10.4.112.1
            fib: 0
      interface: ovpnc1
          flags: <UP,GATEWAY,DONE,STATIC>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
           0         0         0         0      1500         1         0

    That gateway of 10.4.112.1 was the gateway of my OpenVPN client connection. When I stopped the service for that VPN connection, this was the result of the same command:

    /root: route get 8.8.8.8
       route to: dns.google
    destination: default
           mask: default
        gateway: modemcable001.40-53-24.mc.videotron.ca
            fib: 0
      interface: igb0
          flags: <UP,GATEWAY,DONE,STATIC>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
           0         0         0         0      1500         1         0

    So I searched for why the OpenVPN client was adding that route to the routing table:

    0.0.0.0/1 <<VPN Interface Gateway IP>>

    And I found the post that solved my issue.

    I would like to thank you very much, as well as @skenigma, for your time helping me solve the issue.

    Best Regards,
    Yanick

  • Unable to access ISP Router Admin on subnet

    7
    0 Votes
    7 Posts
    499 Views
    E

    Looks like OP has double NAT and did not put the ISP kit in bridge or pass-through mode. That's problem #1.

    I added a host override to access my NVG599 web GUI under DNS Resolver.

  • Bug with using hostnames in aliases ?

    1
    0 Votes
    1 Posts
    134 Views
    No one has replied
  • allow traffic between mikrotik and pfsense

    8
    0 Votes
    8 Posts
    323 Views
    A

    @abcx10 do we need to create a bridge and connect LAN and WAN together?

  • Recurring Default deny rule IPv4(1000000103)

    14
    0 Votes
    14 Posts
    835 Views
    johnpozJ

    @rwarnken as @Gertjan mentions, turning off logging of the default deny can be helpful for keeping your logs less busy.

    I have it off, and just have the stuff I am interested in logging per settings on the rules, etc.

    If you run into something not working and you need to troubleshoot to see if, say, it's being blocked by default deny, turning it back on is just a click away.

  • 0 Votes
    16 Posts
    3k Views
    GertjanG

    @abds69 said in Filtering/Blocking & or AppID detection of DNS over HTTPS (DoH) or DNS over TLS (DoT) via Snort/Suricata:

    with proxing internet flux on each computer

    Great! To circumvent DoH .... let's proxy each LAN device ....

    Isn't that like: to prevent my gas cylinder from exploding during a fire, let's throw a nuke on it.
    Btw: the nuke doesn't come for free (either).

    @abds69 said in Filtering/Blocking & or AppID detection of DNS over HTTPS (DoH) or DNS over TLS (DoT) via Snort/Suricata:

    restricting LAN outbound of UDP traffic on 443

    Isn't DoH using TLS, thus TCP?
    You should also block TCP port 443 (and 80) 😊

  • pfSense blocking the Yahoo site

    1
    0 Votes
    1 Posts
    98 Views
    No one has replied
  • Block internet for an ip in a certain interface

    4
    0 Votes
    4 Posts
    222 Views
    GertjanG

    @vettalex said in Block internet for an ip in a certain interface:

    block an IP of the OPT network for browsing the internet

    Knowing that the IP is defined by you, as it is static.

    @vettalex said in Block internet for an ip in a certain interface:

    browsing the internet

    I presume you do this with a web browser. This implies ports 80 and 443. Both TCP.

    Now, all you need is a firewall, and set up a rule that states the source IP, and destination port 80 and 443, using protocol TCP.

    You can use pfSense for this 😊

  • Black diamond LED is off, pfSense doesn't boot

    9
    0 Votes
    9 Posts
    312 Views
    GertjanG

    @Firewalldude89
    if pfSense hasn't booted, or is stuck on the 'BIOS' prompts as it can't boot, then .... then you have no choice.
    Like a PC stuck at the BIOS level if no boot drives can be found.

    But, I'm not sure if the "BIOS", or whatever loads and launches the OS found on a drive, has a 'shut down' command.

    Right now, my advice shown above is more for the next time.

    Right now:
    Contact TAC support to get a firmware for your 1100.
    Burn it to a USB drive, see the Netgate pfSense documentation for a step-by-step guide.
    Insert the USB drive into your 1100 and power on.
    Normally it should boot from the USB drive, and let you reinstall pfSense.
    During all this, you are probably able to retrieve the current pfSense config from your built-in drive, before it gets totally partitioned.

  • Cannot connect from pfsense device to monitoring server

    2
    0 Votes
    2 Posts
    148 Views
    N

    @ncted I've used pfSense in this capacity before but it was quite some time ago. If I recall correctly I set up pfSense in a filtering/router capacity by disabling outbound NAT rules and setting up static routes on my upstream (internal network) firewall/router so my production LAN would have routes to the pfSense LAN-side hosts network via the pfSense WAN interface. I believe I also set my internal upstream router as the pfSense WAN interface default gateway. Also keep in mind that if you disable outbound NAT your pfSense LAN side must not overlap any of your normal production LANs.

    Hope that helps.

  • Certify the Web - anyone being blocked?

    4
    0 Votes
    4 Posts
    287 Views
    cdsJerryC

    We found a work-around. We had tried doing DNS verification but it kept failing. It turns out that Certify the Web had created a DNS entry but then just left it there. So when it came back to renew it was creating a new entry but reading the old one. We deleted all their DNS entries (37 of them) and it passed. So we won't need to do the HTTP verification, which means we don't need it to find its way past pfSense.

    While this doesn't solve the pfSense question, it does solve our problem so I'm going to move on. Thanks for the help.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.