If you want the VMs to bypass pfSense then you would have to do that at L2 -- put them on the WAN segment. There is no way to have them connected through pfSense but also be excluded from passing through pfSense. You could pass all their traffic and disable NAT for them (Assuming you have routable addresses for the VMs) but they'd still be passing through pfSense and subject to things like state tracking. You need to describe your use case in a lot more detail, perhaps with a diagram, to determine if what you're asking is possible.

It's a limitation of GRE state tracking in pf. It will never be solved. PPTP is dead. If someone "needs" PPTP, they "need" educating on why it's a bad idea, and how it should have been changed 10+ years ago.

What do you ultimately expect to gain by such a setup other than a continual headache trying to figure out why app "X" suddenly quit working or never worked from its installation? With a home network, just block unsolicited inbound connections and you are 90% or more of the way towards "secure". Trying to control outbound can be a real headache because no apps do a good job of documenting what ports they use to connect with or connect to. If you have IoT devices you are concerned with, just put them on a VLAN by themselves and don't give that VLAN any access into your regular LAN or other sensitive VLANs except as stateful replies (meaning something in the secure VLAN or LAN started the conversation with a walled-off IoT device).

Anyone? Can anyone at least confirm that this should be working, despite the fact that it very much isn't working? Very much appreciate anything that can help point me in the right direction here. Everything I've found online suggests it should be working but I haven't found anything conclusive.

This is what I did: First I took the current bogon list from the pfSense in the CLI with pfctl -t bogons -T show Then I changed to the web interface and created a Firewall Alias IP named handmade_bogon_list with just the first network. Back in the CLI I called viconfig and added the remaining networks from the list. This is faster for me than pasting it in the webinterface. Now I could add a blocking rule using handmade_bogon_list in the source that logs. In front of this rule I've put a special blocking rule for port 8116/udp that doesn't log. At last I unchecked the box for blocking bogons at Interfaces > WAN > Reserved Networks to make this work. This setup already showed me that there is a DHCP client in that network that needs to be tracked down. Thanks for all your input.

I am also wondering about the same thing. If you found a fix then please do let me know. thanks in advance :)

@pf2040 said in pfsense firewall source code path: https://github.com/pfsene https://github.com/pfsense/pfsense git clone you need freebsd os script to build build/scripts not easy, not worth. If you have to ask, you’ll never know. If you know, you need only ask

As you can read in the Ticket mentioned above it is not resolved in _p3 but tested for 2.4.5 so either you can install the Release Candidate for 2.4.5 or wait for the release. Otherwise you could use the method near the end of the topic to patch the filterdns part.

Hi "isolatedvirus" and thx a lot ! It makes sense. I configured [transparent mode] in order to avoid the configuration at every client side (Win or Linux) => no need to import PfSense selfsigned certificate and the SSL flow is not "broken" at the proxy level. If I understood, the solution would be to force the outbound web trafic going through Squid-proxy first and redirect it to the firewall after... both firewall and proxy applications should be "called" but I don't think that's possible... Regarding HTTP/S trafic flow, either I keep Squid in service (FW = useless) or I forgive Squid (and its proxy-cache for perf). On the other hand, a proxy is really usefull in a company IT network but at home...

@uxm Anyone?... This is my log of Internet Connection Drops (not LAN!) : [image: 1580373329909-6a6e837b-47d8-443e-98de-c7e0d6abf2d0-image.png]

Thank you for this, however my company only needs internal data control given the internet environment. It's nice that pfsense can do this. i'm from vietnam - 0919679920

Here is a ping to my FQDN from pfSense using IPv4 [image: 1580265847033-654e556d-0edb-4aa6-8219-2787897ba8e7-image.png] Same FQDN using IPv6 [image: 1580265957101-c0b773f2-521c-47e8-b268-9f4120ef775f-image.png]

I'd think you you want to use port 587 instead of 25.

Do you mind sharing the firewall rules you got to work? I’m in a similar situation.