• Rules to restrict traffic to other interfaces
    5 posts, 0 votes, 531 views. Last post by johnpoz:
    Well there is no stopping stupid ;)
• Block only google drive upload
    6 posts, 0 votes, 2k views. Last post by JKnott:
    @koko_adams said in Block only google drive upload:
    > I would block upload file to cloud provider such as Dropbox, Google Drive, etc
    You want to block upload and not download??? I doubt that would be possible with a firewall, as you'd have to filter the traffic in an encrypted https stream. You might be able to get a proxy to do that, but not a plain firewall.
• Command to Modify State Time Outs?
    3 posts, 0 votes, 271 views. Last post:
    Thank you for your response. I'm familiar with setting time-outs manually through the GUI. Looking through the man page for pfctl, I didn't see any way to set the time-outs either.
• Block DNS over HTTPS from clients on LAN
    6 posts, 0 votes, 2k views. Last post:
    https://1.1.1.1/help is helpful. I've set "server:local-zone: "use-application-dns.net" static" in the resolver, and also "DNSOverHTTPS": {"Enabled": false} in distribution/policies.json. Just saying, Chrome needs a trr parameter documented just like Firefox did. Do you think DoH should be the future standard? What is the purpose of dnscrypt-proxy?
• 5 year old Scheduler Bug? Not dropping states but is this by design? hmm
    9 posts, 0 votes, 849 views. Last post:
    @Derelict said in 5 year old Scheduler Bug? Not dropping states but is this by design? hmm:
    > Because states are killed when the schedule on the rule that created the states expires. If the rule that creates the unlimited state has no schedule that state will never be automatically killed even during the limited schedule period.
    > > Restricted rule Schedule starts - this applies limits to the existing states
    > No, it doesn't. Whatever you saw wasn't that. It applies the limits to the states it creates. I have given you exactly what you need for the behavior you seek.
    Thanks again for the help and response. My question was so that I could better understand how this feature works, which I now do. It's working fine now following your steps :)
• New user. Need help with firewall logs
    4 posts, 0 votes, 579 views. Last post by Gertjan:
    @lvl1k0n said in New user. Need help with firewall logs:
    > What is triggering this traffic to be blocked and why is it on the LAN interface?
    Your firewall settings ^^
    On the LAN interface, the final, hidden last rule is always a "block all". This one logs by default, and because you can't edit it, you'll see all these logs. But ... you don't mind ^^
    When you installed pfSense, a default visible - and editable - rule (probably 2 of them, the default anti-lockout rule will be there also) is created for you. As a gift. This one doesn't log. It's a pass-all rule that doesn't log. So any device on LAN can access the entire world.
    The WAN interface is delivered with no visible rules - but again, a default hidden rule exists - and this one logs also. When you connect a router / firewall to the Internet, you become part of the Internet. If you didn't know it already: on the Internet, millions of devices are "probing" about any IP possible, so also yours.
    How to shut down the noise? Remove the check on this one: Status > System Logs > Settings: [screenshot]
    You probably edited / removed / added rules on your LAN interface. That's why the LAN interface also produces logs now. It works like this: your own rules are logging, so all goes as planned. Or: your firewall rules on LAN do not match every Internet packet, so it will be parsed finally by the default rule => you'll be seeing a log for each hit (match).
    Do what has been said above, or modify your own rules (block devices and don't log).
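The post above describes two sources of "block" entries: the hidden default-deny rule (which logs by default) and your own rules. In the raw filter log each line carries the rule's tracker id, so grouping by that field tells the two apart. The script below is an added example, not code from the thread or from the pfSense project; the log lines and tracker ids in it are constructed for illustration, and it assumes the pfSense filterlog CSV layout (rule-number, sub-rule, anchor, tracker, real-interface, reason, action, direction, ip-version, tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst, src-port, dst-port, ...). On a real box you would feed it `clog /var/log/filter.log` (or `cat` on newer releases) with the syslog prefix cut off before the first field.

```sh
#!/bin/sh
# Added example (not from the thread): tell hidden default-deny noise apart from
# hits on your own rules by grouping pfSense filterlog lines by rule tracker id.
# Assumed CSV layout: rule-number,sub-rule,anchor,tracker,real-interface,reason,
# action,direction,ip-version,tos,ecn,ttl,id,offset,flags,proto-id,proto-text,
# length,src,dst,src-port,dst-port,...
# The sample lines below are CONSTRUCTED; tracker 1000000103 stands in for the
# built-in default deny, 158100xxxx for rules you created yourself.

SAMPLE_LOG='5,,,1000000103,em0,match,block,in,4,0x0,,53,12345,0,none,6,tcp,60,203.0.113.7,198.51.100.2,51234,22,0,S,,,,,
5,,,1000000103,em0,match,block,in,4,0x0,,53,12346,0,none,6,tcp,60,203.0.113.9,198.51.100.2,44321,3389,0,S,,,,,
5,,,1000000103,em0,match,block,in,4,0x0,,52,12347,0,none,17,udp,78,203.0.113.7,198.51.100.2,5060,5060,58
72,,,1581003232,em1,match,block,in,4,0x0,,64,20001,0,DF,6,tcp,60,192.168.1.20,8.8.8.8,40002,853,0,S,,,,,
72,,,1581003232,em1,match,block,in,4,0x0,,64,20002,0,DF,6,tcp,60,192.168.1.20,1.1.1.1,40003,853,0,S,,,,,
9,,,1581003220,em1,match,pass,in,4,0x0,,64,20003,0,DF,6,tcp,60,192.168.1.21,203.0.113.80,40004,443,0,S,,,,,'

# Count log lines (stdin) produced by one tracker id.
count_tracker() {
  awk -F, -v t="$1" '$4 == t { n++ } END { print n + 0 }'
}

# One line per distinct rule hit: "tracker action direction interface count",
# busiest rule first. A tracker you cannot find in your own rule list (hover a
# rule in the GUI to see its id) is the hidden default deny the post talks about.
summarize_filterlog() {
  awk -F, '{ k = $4 " " $7 " " $8 " " $5; c[k]++ } END { for (k in c) print k, c[k] }' \
    | sort -k5,5nr -k1,1
}

# "Who is probing me": blocked source addresses on one interface, most frequent first.
top_blocked_sources() {
  awk -F, -v i="$1" '$5 == i && $7 == "block" { c[$19]++ } END { for (s in c) print c[s], s }' \
    | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_filterlog
printf '%s\n' "$SAMPLE_LOG" | top_blocked_sources em0
```

In the sample, the three em0 lines all hit the default deny (plain Internet background noise on WAN), while the em1 lines come from a user rule blocking outbound DNS-over-TLS on port 853; the first kind is what the "log packets matched from the default block rules" checkbox silences, the second only goes away if you untick Log on your own rule.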
• Apply a firewall rule for user
    Tags: captive portal, firewall rules
    9 posts, 0 votes, 1k views. Last post by mohkhalifa:
    Thanks dear for your kind reply :)
• Policy routing DNS requests
    7 posts, 0 votes, 746 views. Last post:
    @JeGr Ahhh man... your explanations are pure GOLD! Plain and simple!
    @JeGr said in Policy routing DNS requests:
    > Otherwise the "Reject RFC1918" wouldn't hit DNS calls to say 1.1.1.1 or 8.8.8.8.
    Yeah, of course! Silly me... lol
    @JeGr said in Policy routing DNS requests:
    > UNLESS you use special NordVPN DNS servers and they don't support DoT
    Got it! Apparently NordVPN misunderstood me or something... assumed I'm using their DNS servers.
    @JeGr said in Policy routing DNS requests:
    > Do you want DNS to be resolved locally?
    Edit: Not sure what you meant here, but all users will be using their own gateway/interface address as DNS.
    @JeGr said in Policy routing DNS requests:
    > Have a look at Diagnostics / Routes and look in your routing table. Do 1.1.1.1 or 1.0.0.1 happen to be there?
    The pfSense I'm working on right now is not connected to anything yet (except a "lab PC"), so no WAN or Internet access. It's currently offline and I don't see any 1.1.1.1 or 1.0.0.1 in the IPv4 routing table. Since it's offline I don't know if that's relevant... you tell me.
    @JeGr said in Policy routing DNS requests:
    > That's only used for pfSense internal services or e.g. package updates
    Ok... so, what would you say is the "best practice", so to speak? @JeGr
• An isolated interface with an access to the internet via an OpenVPN
    6 posts, 0 votes, 715 views. Last post:
    @Derelict said in An isolated interface with an access to the internet via an OpenVPN:
    > I would change that block rule to a reject rule so clients get feedback instead of just hanging if they attempt to connect to an RFC1918 address. I would make a rule right above or below that that rejects traffic to destination This firewall (self).
    That part? Ok... but I want to fully understand why we do what we do. If the gateway is a VPN and under the VPN settings I use its IP and not a URL/name, why allow DNS/NTP to that VLAN? Because otherwise all the DNS requests on that VLAN will be blocked by the RFC1918 rule before even getting to the VPN tunnel? By the logic of "first rule wins" it seems to me that allowing DNS above the other rules will send it not through the VPN tunnel... or maybe I've just misunderstood it all haha, idk already...
    Is rejecting "This firewall (self)" meant for restricting the users of this VLAN from accessing the pfSense box? My OpenVPN client is running on the firewall.
    So... how do I force ALL (and also only for certain interfaces/users) DNS requests to go through the VPN, without setting the VPN as the only Outgoing Network Interface, like NordVPN suggests, which will of course prevent the VPN from reconnecting after a failure/shutdown etc. and thus will need human intervention...
    I would also like to Redirect all DNS Requests to pfSense like mentioned in the docs... It's a good practice, right?
    Thank you,
• Firewall directions
    26 posts, 0 votes, 3k views. Last post by kiokoman:
    After 9 hours of work you should understand that my brain is telling me bs now. You are right, I made a mistake; I was not seeing the tab and I was confused. But you probably need a new rule that permits traffic from PCS_VLAN net with destination OpenVPN net before the block. Right now, I confess, I'm tired; maybe try it and tell us if it works or not.
• Firewall Rule/Alias Delete
    3 posts, 0 votes, 330 views. Last post:
    Thanks for the reply! I will try that and get back to you. Thanks!
• PFSense reporting asynchronous routing and blocking
    14 posts, 0 votes, 1k views. Last post:
    Yeah, it's still working, about 23 hours so far stable. Still can't really explain why it happened. I didn't make any changes that would necessitate an MTU change. I was making ACL changes on a machine farther into the network when it started happening.
• New user pfsense blocking own public ip address
    11 posts, 0 votes, 802 views. Last post by JeGr:
    Most software that checks a license checks by domain etc., not IP, as those can change. Not exactly sure what yours does, but checking the IP is ... a bit dumb. If it checks the domain, it's easy: just use the domain/hostname on your Linux machine and put it in /etc/hosts -> et voila, no more back & forth with the firewall but nginx talking with itself. We have such stuff with hosting and NATting every day. And most licensing things we encounter are matched via the domain/URL and can be avoided that way. So just use the domain the software runs on in its configuration and also put it in /etc/hosts, if that works.
• 1 post, 0 votes, 141 views. No one has replied.
• Firewall rules bug after configuration restore?
    3 posts, 0 votes, 276 views. Last post:
    Thanks, @jimp. I tried waiting for hours, even days. I found out about this by making config changes on Friday, then just checked that the firewall rules were in place, but didn't actually test. Then, on Monday, users complained about network apps not working. It turned out it started to work once I removed the hostname from the alias, saved/applied, and then added the same value back again.
• 31 posts, 0 votes, 2k views. Last post:
    @ikifar I don't think so. That being said ... I got back to troubleshooting today.
    Test system, configured as above (fresh install yesterday of 2.4.4p3, then my config restores, then up to yesterday's daily): it continues to function as it did yesterday.
    Primary system, configured as above (fresh install yesterday of yesterday's daily, vanilla config, not even walked through the setup wizard yet): it now works, a direct contrast to yesterday! And I notice my ISP assigned me a new IP (to the same physical NIC with the same non-spoofed MAC).
    It looks like my ISP is in fact the problem here, and for some reason they assigned me a new IP and the issue is gone. Whether they found an issue and fixed it, or I just got a different IP by the luck of the draw, I have no idea. My ISP is the phone company around here (Telus) and there is zero chance I will be able to talk to someone who has knowledge at this level. This can be considered closed.
• How to block incoming and outgoing traffic of an IP?
    3 posts, 0 votes, 279 views. Last post:
    Thank you for the reply. I used the management setting to log blocked connections, so I could see: a) which IP is trying to connect to my IP cam; b) which IP cam is actively trying to connect to those manufacturers' servers around the world. I want to do that again but just can't make it work after all of my trials ... I want to know if those "creepy automatic connections" still exist ... That's what I want: to isolate all devices in this house, which I can only access by OpenVPN (OpenVPN + IP Cam Viewer Pro).
• Pfsense firewall Rules + Active Directory [Windows Server 2012]
    1 post, 0 votes, 241 views. No one has replied.
• Slow Speeds On Lan
    3 posts, 0 votes, 340 views. Last post:
    Good day Heper, thank you for your response, it is much appreciated. Please note that I managed to resolve the issue by disabling DNS Resolver and enabling DNS Forwarder. However, the pfSense machine updated yesterday at 11:44 and the LAN slowness issue came back.
• Problem configuring OpenVPN for using with VLAN and Unifi
    4 posts, 0 votes, 740 views. Last post:
    Now I've got all of this running, but I have a problem with the DNS servers (leaking). When I connect to SSID2 (which has the VPN IP) all my DNS goes via my ISP. When I connect to SSID1 (where I have the normal ISP connection) all my DNS goes via my ISP too. I've tried configuring 2 DNS servers in System -> General and for one of them choosing the VPN connection as Gateway, but it still goes through the ISP DNS (and still shows DNS leaks). If I go to Services -> DNS Resolver and in Outgoing Network Interfaces select only the VPN interface (named VPN), I get my VPN provider's DNS working on SSID2 (VPN network), but the problem is that I then get the same DNS server for SSID1 (instead of the ISP DNS), so that is not working fine either. What am I doing wrong? I'm burning all my papers. To summarise: I want SSID1 to use the ISP DNS and SSID2 to use the VPN DNS. Right now I have SSID1 running with the ISP IP and SSID2 with the VPN IP. Is it possible? Thanks in advance.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.