• [SOLVED] IPv6 Address not working in Alias

    12
    0 Votes
    12 Posts
    1k Views
    C
    Thank you all very much for your help. I rebooted the firewall and until now (uptime 20h) the aliases are working as expected.
  • VoIP no audio for 5 to 30 seconds and internet time out

    3
    0 Votes
    3 Posts
    357 Views
    G
    I resolved the issue with BIG HELP from Infecticide!!!! I did call my ISP and they told me they saw timeout on the gateway. I plugged the modem directly into pfSense and I had no timeout. So it is the gateway. By replugging everything, it worked. Thanks
  • Pfsense blocking network access on pc but not on phone?

    pfsense
    3
    0 Votes
    3 Posts
    685 Views
    W
    @akuma1x Cheers for getting back to me and sorry about the delay in reply. It turns out it was NordVPN in the background. I had it set to "NOT" auto-start with Windows, which it wasn't, and there was no icon in the app tray, but when I went into Task Manager there was some part of it that was running in the background blocking all LAN traffic but not WAN traffic. Really weird, and hard to diagnose! I turned on Nord's auto-start with Windows feature and turned it off again, rebooted and everything was back on. Really annoying, not happy with Nord.
  • Block outgoing connections ?

    15
    0 Votes
    15 Posts
    2k Views
    JeGr
    It's a bit tricky at first but just think about the pfSense box as some sort of blackbox with lines going into it. WAN being one, LAN being another. Filtering is done "inbound" so wherever a packet "touches" the blackbox first, that's where you should filter it (pass/block etc.) :)
  • Interface subnet misconfigured /32 and firewall default allow rule

    7
    0 Votes
    7 Posts
    1k Views
    B
    Yes, it is from Virtual IP - 192.168.10.7/24 is an IP alias - the pfSense router replaced two single WAN routers - 192.168.10.2/24 and 192.168.10.7/24 some years ago. I tested on a pfSense VM and replicated the double allow rule. Thanks for the help, good to know that pfSense is reliable and it is a user error.
  • [Solved]Is Aliases can block?

    7
    0 Votes
    7 Posts
    612 Views
    V
    Thanks for the info.
  • Tables and Persistency ...

    5
    0 Votes
    5 Posts
    644 Views
    C
    Nice :) I'll have a look at that, since it's probably better than the pfctl approach, performance-wise ..
  • Consulting of snort

    2
    0 Votes
    2 Posts
    198 Views
    bmeeks
    Snort has the capability for creating a Pass List (on the PASS LISTS tab). You can create a list and include an alias. You would define that alias within pfSense under FIREWALL > ALIASES. Once you have your custom Pass List created, go to the Snort interface's settings edit tab and select your custom Pass List by name in the Pass List drop-down selector on that tab. You can also use Snort's IP Reputation tab to import a plaintext file of IP addresses or networks (using the standard Snort syntax) and assign those to an IP REP whitelist. Any IP address or network defined on that list will then bypass Snort inspection completely.
  • States detail reset

    3
    0 Votes
    3 Posts
    336 Views
    H
    Thanks for the info, I was under the impression that it was not the case.
  • Netflix blocked

    Locked
    7
    0 Votes
    7 Posts
    1k Views
    Gertjan
    Added to what @bmeeks said : I guess that a 'good and honest' VPN supplier has a FAQ or clearly states before you buy ; "Netflix will not streamin-traffic to us".
  • SSH Port forwarding

    1
    0 Votes
    1 Posts
    153 Views
    No one has replied
  • Ring video doorbell behind PFsense firewall?

    28
    0 Votes
    28 Posts
    16k Views
    T
    FYI, I was able to get this to work by disabling my DNS Resolver and enabling the DNS Forwarder service instead. I didn't need to add any additional Firewall rules or NAT/PAT rules since all of the connections are initiated outbound. I don't have a good idea what about the DNS Resolver the Ring was incompatible with, but wanted to put this out there so if others want, they can track down the cause.
  • Best practice to block traffic between local interfaces

    4
    0 Votes
    4 Posts
    483 Views
    NogBadTheBad
    Something like this:- [image: 1573813807706-screenshot-2019-11-15-at-10.28.31.png]
  • Peer to Peer OpenVPN - Can't access remote router.

    1
    0 Votes
    1 Posts
    117 Views
    No one has replied
  • 0 Votes
    5 Posts
    619 Views
    O
    Thanks Jimp. Indeed this also does the job but there seems to be a place for both solutions depending on the situation. Much appreciated!
  • FTP passive port on demand opening

    32
    0 Votes
    32 Posts
    3k Views
    O
    @johnpoz I denote a certain polemical vein
  • Can't connect to an external vpn inside network

    3
    1 Votes
    3 Posts
    369 Views
    P
    I had to: Delete site to site VPN configuration on both pfSense AND the remote device. Even though both were disabled. Delete all NAT rules and set it back to auto on pfSense. Reboot. For Windows there is a registry update you may need to do but I can't remember what it was, sorry.
  • DNS Leak OpenVPN-Client Solution

    1
    0 Votes
    1 Posts
    185 Views
    No one has replied
  • How to close Port 23, 53 and 80 on WAN?

    48
    0 Votes
    48 Posts
    9k Views
    johnpoz
    Dude you seem to be just over your head is all... As derelict stated those are outbound.. You're seeing your own connection to the site you're using to test canyouseeme.org [52.202.215.126] with would be my guess. That port for the 52 address is 443, that is the dest port of your test.. Yeah when you GO to that site you will see traffic to that site on the port you go to, ie https would be 443.. Then you have a 10 address.. Which you're hiding? Why??? It's an rfc1918 address..
  • Create firewall rules by script

    5
    0 Votes
    5 Posts
    911 Views
    jimp
    There is no API for this (yet), though there is the easyrule script which may not help directly, but you could copy its code to potentially set up something. Having an IDS inject rules is a fine idea in general, though. We have demonstrated this working in TNSR using its API combined with ERSPAN to feed packets to the IDS: https://github.com/Netgate/TNSR_IDS/
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.