• 0 Votes
    7 Posts
    698 Views
    JKnott
    @Tom-Lee The ARP cache will only list the devices that have recently sent packets to the firewall. After a while those devices will be removed from the list unless more packets are received.
  • 0 Votes
    5 Posts
    2k Views
    bmeeks
    There are ways to do this by sending logs to a remote syslog server and using third-party tools to scan the firewall log entries. However, be forewarned: this will get very old to you very fast (getting alerts/emails for every unwanted firewall access attempt). A normal firewall will see dozens to maybe a few hundred connection attempts per day on the WAN side. Even if you limit the alerts to just a handful of ports, you will soon grow very tired of your email app "dinging" with new mail messages... I say this in a nice way: "you must be new to firewall administration"... This is usually the first thing a newly minted firewall administrator thinks he wants until he has it; then he quickly turns it off.
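The alert fatigue bmeeks warns about comes from alerting on every blocked packet. What follows is an added example, not code from the thread or from pfSense: it parses entries in the pfSense filterlog CSV format as they arrive from syslog, counts blocked inbound hits per source and destination port, and raises an alert only when a watched port crosses a threshold, leaving everything else for a digest. The sample log lines, interface name, watched ports and threshold are constructed for illustration.

```python
"""Aggregate pfSense filterlog 'block' entries and alert only on thresholds.

Added example; not pfSense code. The field layout follows the pfSense
filterlog CSV format (rule,subrule,anchor,tracker,iface,reason,action,
direction,ipver, then for IPv4: tos,ecn,ttl,id,offset,flags,protoid,proto,
length,src,dst, then for TCP/UDP: sport,dport,...). Only IPv4 is handled."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample entries (documentation address ranges, not real traffic):
# five SSH probes from one host, single hits on RDP, DNS and telnet, and one
# permitted outbound connection that the parser must ignore.
SAMPLE_LOG = """\
4,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,51234,22,0,S,1,,65535,,mss
4,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,51235,22,0,S,2,,65535,,mss
4,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,51236,22,0,S,3,,65535,,mss
4,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,51237,22,0,S,4,,65535,,mss
4,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,51238,22,0,S,5,,65535,,mss
4,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.9,198.51.100.7,40000,3389,0,S,6,,65535,,mss
4,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,,17,udp,60,203.0.113.22,198.51.100.7,53,53,40
4,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.44,198.51.100.7,40001,23,0,S,7,,65535,,mss
100,,,1592345678,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.10,198.51.100.9,50000,443,0,S,8,,65535,,mss
"""


@dataclass(frozen=True)
class BlockedEvent:
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse_filterlog(line: str) -> Optional[BlockedEvent]:
    """Return a BlockedEvent for an inbound IPv4 block entry, else None.
    Accepts the raw CSV or a syslog line carrying a 'filterlog' tag."""
    if "filterlog" in line:
        line = line.split(": ", 1)[-1]          # drop the syslog header
    f = line.strip().split(",")
    if len(f) < 20 or f[6] != "block" or f[7] != "in" or f[8] != "4":
        return None
    proto = f[16]
    dport = int(f[21]) if proto in ("tcp", "udp") and len(f) > 21 else None
    return BlockedEvent(iface=f[4], proto=proto, src=f[18], dst=f[19], dport=dport)


def summarize(log_text: str, watched_ports=(22, 3389), threshold: int = 5
              ) -> Tuple[Dict[Tuple[str, int], int], Dict[Tuple[str, int], int], int]:
    """Count blocked inbound hits per (src, dport) on watched ports.
    Returns (alerts, hits, noise): alerts are the pairs at or over `threshold`,
    hits is every watched pair with its count (digest material), noise is the
    number of blocked hits on unwatched ports, which should never page anyone."""
    hits: Dict[Tuple[str, int], int] = defaultdict(int)
    noise = 0
    for line in log_text.splitlines():
        ev = parse_filterlog(line)
        if ev is None:
            continue
        if ev.dport in watched_ports:
            hits[(ev.src, ev.dport)] += 1
        else:
            noise += 1
    alerts = {k: n for k, n in hits.items() if n >= threshold}
    return alerts, dict(hits), noise


if __name__ == "__main__":
    alerts, hits, noise = summarize(SAMPLE_LOG)
    for (src, port), n in alerts.items():
        print(f"ALERT {src} -> port {port}: {n} blocked attempts")
    print(f"{len(hits) - len(alerts)} watched pair(s) below threshold, "
          f"{noise} hits on unwatched ports")
```

With the constructed input only the repeated SSH probes from one source produce an alert; the single RDP hit stays in the digest and the DNS and telnet hits are counted as noise. Tune the window and threshold to your own WAN baseline before wiring this to email.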
  • SSL Inspection not fully working

    0 Votes
    1 Posts
    144 Views
    No one has replied
  • pfSense firewall log analysis help request

    0 Votes
    8 Posts
    1k Views
    bmeeks
    @P-J said in pfSense firewall log analysis help request: On the eve of year 2020, I wish everyone a Happy New Year. On the topic of this thread, I found out that it is the Netgate SG-3100 itself that communicates to that IP address from time to time. The address is Facebook owned, registered in Ireland but hosted somewhere on the East Coast of the USA. I don't know what process is trying to 'talk' to Facebook - I don't use it - but this is very suspicious. I did a factory reset of the device and loaded back the last backup and still I see that connection being made. Will try to reinstall pfSense from a USB key and see if that continues to happen. Is this some kind of keep-alive built into the device that tries to 'phone home'?
    No, pfSense does not "phone home" or attempt to keep tabs on you. The only traffic that pfSense would initiate is the check for a firmware update each time you load the home page. That check is done once when that page loads. It could very well be that the IP address you see as belonging to Facebook is (1) no longer really Facebook and the ARIN lookup is outdated; or (2) the IP is within a block owned and registered to Facebook but leased out or used by other services. It might also be reverse pointer lookups to get a domain from some installed package on the firewall. Snort does not do DNS lookups unless you click the icon, but I think a few other packages will do DNS lookups to convert IP addresses in logs to their host names when possible. The short answer is I doubt you have anything malicious going on. If it bothers you, though, simply block the traffic and then see what breaks.
  • Beginner Question about Layer 7 Firewalling

    0 Votes
    5 Posts
    757 Views
    P
    @Kavatch Layer 7 is the Application Layer, which your services 'talk' to. If you want to check stuff at that layer, your services should do it. Normally, if you want to inspect the content of a packet or segment, you do it at Layer 3 or 4. IDS and IPS will let you check the content of packets or segments, as will a proxy filtering mechanism. Then, upon packet inspection (what are you looking for?), you can take action.
  • RDP Drop every 30 sec

    0 Votes
    5 Posts
    365 Views
    johnpoz
    Yeah, that is going to be asymmetrical and all kinds of problems. You should connect your other firewall/router to your pfSense via a transit network as the correct solution. Or you would have to put a host route on the box in the LAN you're doing the RDP to/from.
  • Block access to LAN, allow access to Internet only

    0 Votes
    4 Posts
    511 Views
    Gertjan
    A question back: @tomaszf said in Block access to LAN, allow access to Internet only: Is it possible? This: [image: 1577750414755-3326edbc-06d6-43b3-a265-049fd33f8d3a-image.png] (sorry, French Windows version - not my fault) has been there since Windows Vista .... and you still didn't get it? (I'm sure Apple asks the same question on initial connect.) Look up what it means and why Windows is asking that question when you connect to a new network **: whether you want it to be a private, public or company network. The answer is very related to your question. The thing is: the user of the device can choose what he wants to "see" on your LAN. You, on the other side, as the admin of that LAN, can only enforce the absence of inter-client connections by using smart switches, separate networks (LANs or VLANs) or some tricks with ebtables (a cousin of iptables) that exist in some APs. ** and how does it know that it's a "new network"? ;)
  • Allow internet-only access to VLAN members

    0 Votes
    5 Posts
    617 Views
    B
    @johnpoz Excellent advice as well. In this case I am going to go really tight and loosen as needed. In fact there may be a version of this for children that further restricts access using a whitelist of allowed sites. I am also planning VLANs for IoT devices which will allow some interaction with each other and with local networks. The primary goal will be to limit the attack surface available to anyone who might gain control of the device (miscreant vendor or hijacker). The above suggestions will be great starting points for that scenario. In any event, it's good to know that the general approach is sound. That's what I really needed.
  • Persistent Alias / Table, dnsmasq managed

    0 Votes
    3 Posts
    689 Views
    T
    @Konstanti said in FW Alias externally managed:
    @taliwok Hello. Unfortunately, you can't avoid deleting the table when you reload the rules. At the moment of reload, the firewall stops for a while and restarts again.
    It must be possible using persistent tables, or any tables that pfSense does not reset (it does reset all that is defined in Firewall->Aliases). For example, if I define an Alias that is a URL Table (it's persistent) and add some entries to the table/alias manually with pfctl, reloading the filters does not cause the table/alias to become empty.
    You can write a script (using pfctl) that will save the table contents to a file and restore the table after reloading the rules.
    Is there a script that pfSense automatically executes after reloading the rules, that I can modify?
    Or write a utility using the IOCTL interface of PF, which will also save and restore the contents of the table. https://www.freebsd.org/cgi/man.cgi?query=pf&apropos=0&sektion=4&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html DIOCRGETADDRS - to get all the addresses of a table. DIOCRADDADDRS - to add one or more addresses to a table.
    Thanks, but this is way more complicated than I intended - I hope there are simpler solutions. For example, I saw OPNsense has an Alias type called "External" which sounds just like what I'm looking for. https://docs.opnsense.org/manual/aliases.html I wonder if there's a simple way to achieve the same result in pfSense.
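The save-and-restore script Konstanti suggests can be built from two pfctl(8) table subcommands: `pfctl -t NAME -T show` to dump the entries and `pfctl -t NAME -T replace -f FILE` to put them back. The following is an added example, not code from the thread, from pfSense or from OPNsense; the table name `externally_managed` is hypothetical, the pfctl runner is injectable so the round trip can be exercised offline, and how to trigger the restore after a filter reload is left open, as it is in the thread.

```python
"""Save a pf table's entries to a file before a filter reload and restore
them afterwards, using only pfctl's table subcommands.
Added example, not from the thread; the table name below is hypothetical."""
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, List, Tuple

Runner = Callable[[List[str]], str]


def run_pfctl(args: List[str]) -> str:
    """Run pfctl(8) with the given arguments and return its stdout."""
    return subprocess.run(["pfctl", *args], check=True,
                          capture_output=True, text=True).stdout


def parse_table_dump(text: str) -> List[str]:
    """Normalize `pfctl -t NAME -T show` output (one indented entry per line):
    strip whitespace, drop blanks, keep the first occurrence of each entry."""
    seen, entries = set(), []
    for raw in text.splitlines():
        entry = raw.strip()
        if entry and entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries


def save_table(table: str, path: Path, run: Runner = run_pfctl) -> List[str]:
    """Dump TABLE to PATH, one address or network per line."""
    entries = parse_table_dump(run(["-t", table, "-T", "show"]))
    path.write_text("".join(e + "\n" for e in entries))
    return entries


def restore_table(table: str, path: Path, run: Runner = run_pfctl) -> str:
    """Make TABLE equal to the file. `-T replace` is used rather than `-T add`
    so entries removed from the file do not silently survive. The table must
    already exist after the reload, which is why a persistent (URL Table)
    alias is the right host for externally managed entries."""
    return run(["-t", table, "-T", "replace", "-f", str(path)])


def roundtrip_demo() -> Tuple[List[str], List[str], List[List[str]]]:
    """Offline round trip against a fake pfctl: returns the saved entries, the
    entries read back from the file, and the exact pfctl argument lists."""
    commands: List[List[str]] = []
    # Constructed `-T show` output (documentation prefixes, one duplicate).
    fake_dump = "   203.0.113.0/24\n   198.51.100.7\n   203.0.113.0/24\n"

    def fake_pfctl(args: List[str]) -> str:
        commands.append(args)
        return fake_dump if args[2:4] == ["-T", "show"] else ""

    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "externally_managed.txt"  # hypothetical table name
        saved = save_table("externally_managed", path, run=fake_pfctl)
        # ... on a real firewall the filter reload happens here ...
        restore_table("externally_managed", path, run=fake_pfctl)
        restored = path.read_text().split()
    return saved, restored, commands


if __name__ == "__main__":
    saved, restored, commands = roundtrip_demo()
    print("saved:", saved)
    for cmd in commands:
        print("pfctl", " ".join(cmd))
```

On a real firewall the default `run_pfctl` runner is used and the script needs root. The test-only runner records the argument lists so the exact `pfctl -t NAME -T show` and `pfctl -t NAME -T replace -f FILE` invocations can be checked without pf present.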
  • VPN client blocks http traffic to public IP of VPN Server

    0 Votes
    1 Posts
    102 Views
    No one has replied
  • Pfsense Firewalling with Pfblockerng

    0 Votes
    1 Posts
    185 Views
    No one has replied
  • 0 Votes
    1 Posts
    263 Views
    No one has replied
  • New to pfsense: trying to set up web server

    0 Votes
    6 Posts
    7k Views
    johnpoz
    @jpalmeri12 said in New to pfsense: trying to set up web server: but I still cannot load websites from the desktop. Well, if you're trying to use the public IP and you're inside your own network, then you would have to enable NAT reflection. Or, better choice, just have whatever FQDN you're using resolve to the local IP on your local DNS.
  • Should I be worried?

    0 Votes
    3 Posts
    269 Views
    G
    @Gertjan thanks, I've found out I had an old rule that I hadn't removed. Thanks again and Merry Christmas
  • Block Alias From Accessing LAN

    0 Votes
    5 Posts
    352 Views
    Gertjan
    Golden rule: never ever mix trusted and untrusted devices on the same network segment. That's why 'real' routers and firewalls have multiple NICs, so you can define multiple 'LAN'-type networks.
  • 0 Votes
    2 Posts
    304 Views
    Gertjan
    @demux said in Floating rules are processed before interface group rules and interface rules??: I would like to block private IP traffic to outside. If you can connect to your WAN-connected cable modem using its RFC 1918 IP address, then that traffic will end at the modem. It cannot be routed elsewhere.
  • [Solved] Disable IP source routing

    firewall routing firewall rules
    0 Votes
    4 Posts
    1k Views
    Gertjan
    No need to turn it off, because: The style of routing described on that link won't work since pfSense doesn't enable the options for multiple routing tables. So, what isn't implemented can't be switched off, nor on.
  • I can't seem to get traffic between LAN/VLAN interfaces [solved]

    0 Votes
    5 Posts
    470 Views
    D
    @johnpoz Ugh! Thank you! I feel like an idiot! My outbound allow rules were on top. I guess I figured pfSense was going to snag that as not heading outbound, but now that I think about it, it makes perfect sense!
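The mistake in this thread is a rule-order one: pfSense evaluates interface rules top-down and the first match wins, so a broad "outbound" rule placed above the LAN-to-VLAN rule catches the inter-VLAN traffic first. The following is an added example, not code from the thread or from pfSense, that models first-match evaluation and flags rules that can never match because an earlier rule fully covers them. It assumes the outbound rule was policy-routed through a WAN gateway (the usual reason such a rule breaks local traffic); the network ranges, gateway name `WAN_GW` and rule labels are constructed.

```python
"""Model pfSense's first-match rule evaluation and detect shadowed rules.
Added example, not pfSense code. Networks, gateway name and labels are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src: str                        # CIDR the source must fall in
    dst: str                        # CIDR the destination must fall in
    gateway: Optional[str] = None   # policy-routing gateway; None = routing table
    label: str = ""


LAN, VLAN20, ANY = "192.168.1.0/24", "192.168.20.0/24", "0.0.0.0/0"

# The order from the thread: the outbound rule sits above the local one.
WRONG_ORDER = [
    Rule("pass", LAN, ANY, gateway="WAN_GW", label="LAN outbound via WAN"),
    Rule("pass", LAN, VLAN20, label="LAN to VLAN20"),
]
# The fix: local-destination rules first, the catch-all outbound rule last.
RIGHT_ORDER = [
    Rule("pass", LAN, VLAN20, label="LAN to VLAN20"),
    Rule("pass", LAN, ANY, gateway="WAN_GW", label="LAN outbound via WAN"),
]


def decide(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First match wins (pfSense adds 'quick' to every interface rule).
    Returns (action, gateway); ("block", None) is the implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r.action, r.gateway
    return "block", None


def shadowed(rules: List[Rule]) -> List[str]:
    """Labels of rules that can never match because an earlier rule's
    source and destination ranges both contain theirs."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))):
                dead.append(later.label)
                break
    return dead


if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        action, gw = decide(rules, "192.168.1.10", "192.168.20.5")
        print(f"{name}: LAN->VLAN20 {action} via {gw or 'routing table'};"
              f" shadowed={shadowed(rules)}")
```

With the wrong order the LAN-to-VLAN20 packet is passed but handed to the WAN gateway, so it never reaches the VLAN; the local rule is reported as shadowed. With the corrected order the same packet is passed with no gateway and follows the routing table to the VLAN, while Internet-bound traffic still takes the WAN gateway.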
  • Create new interface DMZ but problem to access

    0 Votes
    17 Posts
    1k Views
    H
    @Gertjan All works now :)! Thanks man!
  • Lan to WAN

    lan to wan
    0 Votes
    10 Posts
    1k Views
    H
    @ptt Thanks for your help, it's working. It was because there was a gateway set on the LAN! Thank you very much!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.