• Ephemeral Port range change not taking effect.

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Snapchat block, can block except Chrome browser

    0 Votes
    2 Posts
    226 Views
    dotdash
    Maybe DoH? Check the browser settings, try blocking dns.google
  • Can pfSense connect with a wifi router?

    0 Votes
    2 Posts
    133 Views
    JKnott
    Were you asking a question???
  • Cannot SSH into another Subnet

    0 Votes
    6 Posts
    656 Views
    johnpoz
    What is all the noise to the 6443 port, that is not answering? But you can see that your ssh got an answer. Maybe it was an RST? Open up the capture in Wireshark or something, or turn up the verbosity of your capture.
        12:10:46.733465 IP 10.0.2.2.2134 > 10.0.1.2.22: tcp 0
        12:10:46.733749 IP 10.0.1.2.22 > 10.0.2.2.2134: tcp 0
    Also the term vlan is interchangeable with network segment. Be it tagged or not, the term vlan is common to use to talk about a different network.
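    Added example, not code from the thread: a small Python script that pairs the two directions of each TCP flow in `tcpdump -q` style output, so flows that never get an answer (the 6443 noise above) stand out from the one that did (the SSH exchange). The capture text is constructed: the two lines quoted in the post plus invented probes to port 6443 and one junk line to show non-packet lines are skipped.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -q` format: the two SSH lines quoted in the
# thread plus invented probes to port 6443 that never get a reply.
SAMPLE_CAPTURE = """\
12:10:46.733465 IP 10.0.2.2.2134 > 10.0.1.2.22: tcp 0
12:10:46.733749 IP 10.0.1.2.22 > 10.0.2.2.2134: tcp 0
12:10:47.001122 IP 10.0.2.2.40112 > 10.0.1.2.6443: tcp 0
12:10:48.001340 IP 10.0.2.2.40112 > 10.0.1.2.6443: tcp 0
12:10:50.002001 IP 10.0.2.2.40112 > 10.0.1.2.6443: tcp 0
12:10:51.100000 IP 10.0.2.2.40113 > 10.0.1.2.6443: tcp 0
this line is not a packet and is skipped
"""

# IPv4 `tcpdump -q` line: "<time> IP <src>.<sport> > <dst>.<dport>: <proto> <len>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<proto>\w+) (?P<length>\d+)"
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for k in ("sport", "dport", "length"):
        pkt[k] = int(pkt[k])
    return pkt


def summarize_flows(capture_text):
    """Map each initiating (src, sport, dst, dport) flow to (packets sent, replies seen).

    The first packet seen for a 4-tuple defines the forward direction; a packet
    whose reversed 4-tuple is already known counts as a reply to that flow.
    """
    sent = defaultdict(int)
    replies = defaultdict(int)
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if rev in sent:
            replies[rev] += 1
        else:
            sent[fwd] += 1
    return {flow: (sent[flow], replies[flow]) for flow in sent}


def unanswered_flows(capture_text):
    """Flows that were only ever seen in one direction, sorted for stable output."""
    return sorted(flow for flow, (_, got) in summarize_flows(capture_text).items() if got == 0)


if __name__ == "__main__":
    for flow, (n_sent, n_got) in summarize_flows(SAMPLE_CAPTURE).items():
        status = "answered" if n_got else "NO ANSWER"
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  sent={n_sent} replies={n_got}  {status}")
```

    Feed it `tcpdump -ni <if> -q tcp` output saved to a file and the one-directional flows are the ones to chase: the `-q` format hides the TCP flags, so once a flow is identified as unanswered, re-capture it without `-q` (or open it in Wireshark) to see whether the silence is a dropped SYN or an explicit RST.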
  • [SOLVED] No DNS response from WAN to OPT2 interface

    dhcp static ip dns ping arp
    0 Votes
    6 Posts
    1k Views
    M
    SOLVED - I figured out my problem. It was caused by this setting below (Static ARP under the DHCP Server configuration for the interface), which I had enabled on the interface because I interpreted it incorrectly. It essentially took precedence over any and all allow rules configured for the OPT2 interface, and prevented any host without a statically assigned DHCP address from communicating with the interface, even though the host received the dynamic DHCP assignment from the OPT2 interface. I hope this saves other folks time and headache. [image: 1573105135994-screen-shot-2019-11-06-at-9.46.34-pm.png] As explained in docs.netgate.com [image: 1573105210701-screen-shot-2019-11-06-at-10.40.04-pm.png]
  • Nothing gets through except Plex

    0 Votes
    19 Posts
    1k Views
    johnpoz
    Well that is just a modem, it doesn't do any NAT. So if the ports are not getting to you - it was done at the ISP level - which again is something they are quite able to do. If you sniffed and the ports didn't get to pfSense - then no, pfSense could not forward them.
  • Inter vlan routing issues

    0 Votes
    9 Posts
    826 Views
    johnpoz
    Post your rules!! They are evaluated top down, first rule to trigger wins, no other rules are evaluated. Keep in mind that even when you add a new block rule that would block, if you have any existing states for that traffic - they would still be allowed. You have to flush any existing states that would be allowing the traffic you are wanting to block. And the source wouldn't be any, it would be the source network - any works, but it's not as clean looking.
  • SSH From Wan to LAN

    0 Votes
    3 Posts
    794 Views
    NogBadTheBad
    n_ipv4_sftp is an alias to my SFTP server IPv4 IP address in the DMZ. [image: 1573035094092-screenshot-2019-11-06-at-10.08.48.png] [image: 1573035100126-screenshot-2019-11-06-at-10.10.43.png]
  • Prioritizing WAN gateway monitoring ICMP traffic

    1 Votes
    20 Posts
    4k Views
    G
    So glad to see this thread. I also have a dual WAN setup and I needed to prioritize the ICMP for WAN monitoring just like you did. It simply won't work reliably the other way around, as once there is some congestion the traffic jumps over to the backup link, which then kills it and makes for a real mess. Thanks.
  • Firewall Log shows unfamiliar internal IP

    0 Votes
    7 Posts
    682 Views
    O
    @JKnott Correct, it starts with fe80.
  • Need help with rules

    0 Votes
    16 Posts
    2k Views
    I
    @johnpoz yes, from now on I will keep this in mind :-)
  • 0 Votes
    7 Posts
    715 Views
    chpalmer
    I would also ask where you are testing from. If it is anywhere from behind your own LAN then you will fool yourself. These kinds of tests must be done from the WAN side.
  • strict firewall rules on OpenVPN

    0 Votes
    6 Posts
    611 Views
    L
    @Rico I think I have actually done that on the VPN server side by adding the WAN interface of the client to the rule on the server side. Basically saying only allow traffic from this WAN interface to access the server WAN across port 1200. It's the OpenVPN rule, from client to server, that isn't doing anything. The ALLOW ALL rule on the OpenVPN tab is doing everything.
  • No route to internet from second lan

    0 Votes
    3 Posts
    368 Views
    C
    @Gertjan said in No route to internet from second lan: "LAN ? OPT1 ? Both ?" Yes. This is my opt2 setup: [image: 1572622289762-opt2.jpg] "How did you set it up ?" firewall rule: [image: 1572622343798-fire.jpg] EDIT: The problem was NAT related, I was on Manual Outbound NAT rule generation and I didn't add rules.
  • Will squid bypass my firewall?

    0 Votes
    1 Posts
    114 Views
    No one has replied
  • Alias Sync

    0 Votes
    3 Posts
    1k Views
    G
    It partially solves the problem, but what about an alias with hostnames instead of IPs?
  • Firewall: Blocked on Chrome but not on Edge

    0 Votes
    2 Posts
    578 Views
    KOM
    Make sure you clear your states (Diagnostics - States) after creating block rules. Existing states are not affected by new rules. If you access via Edge and it works and then you make your block rule, Edge will continue to work while new sessions (e.g. Chrome) will fail. "Also, I want to ask how do I block sites for a specific group of IP addresses and put all those sites as an alias." It's pretty much exactly as it sounds. You create an IP alias. Add your hosts to it. Create a firewall rule that blocks traffic with your alias as the Destination. https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html https://doc.pfsense.org/index.php/Firewall_Rule_Basics https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
  • Block rule

    0 Votes
    3 Posts
    607 Views
    johnpoz
    That is on an interface called wlan, so going to go out on a limb and guess that is a wireless client ;) Wireless clients, cell phones and the like are notorious for using long dead sessions. Or having moved from one connection to another and not reopening a connection. Or it could have been the client sent the FIN and never got the FIN,ACK back, and what you're seeing are the retrans of those that are blocked because the firewall already closed the state. Unless you are being bombed by these, and wireless, I wouldn't worry too much about them - but you might want to look into it deeper if you are having any sort of issues on your wifi connection, etc.
  • State Table DoS - SYN_SENT connections all over the place!?! Help me!!!

    0 Votes
    6 Posts
    1k Views
    johnpoz
    Help with what, the pesky flies? Block them if they are doing a non-flooding syn/state attack. We have all been seeing an uptick in such traffic - see my pesky fly thread ;) Where you run into problems is if it's a volumetric type attack - nothing you can do about that but get with your upstream provider. It has nothing to do with pfSense. I show that 47.74 56 guy is from Japan. Do you need to allow connections from JP? If not block the whole freaking country ;)
  • Please help me understand why outbound blocks are occurring.

    0 Votes
    7 Posts
    569 Views
    V
    There is also a filter function available at System Logs > Firewall. Packets with such TCP flags are only logged if pfSense has no state for them in its state table. So it may already have deleted the connection. If there is no problem on the LAN devices with that, like slow site reloading, you may ignore it. The device will open a new connection. Otherwise it could also indicate asymmetric routing. The connection timeout is affected by "Firewall Optimization Options" in System > Advanced > Firewall & NAT. It is also possible to configure individual timeouts for different packet types on that page.
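    Added example, not code from any of the threads above: a small Python model of the pf behaviour that the "Inter vlan routing issues", "Firewall: Blocked on Chrome but not on Edge", "Block rule" and "outbound blocks" replies all rely on. It evaluates rules top down with first match winning, consults the state table before the ruleset (so an existing Edge session keeps passing after a block rule is added until its state is flushed), and only logs packets that reach the ruleset (so a late FIN/ACK arriving after the state timed out is the only thing that appears in the log for that flow). The pass-rule behaviour of only letting a bare SYN open a state is my model of pf's default "flags S/SA" on pass rules; the LAN network, the "blocked sites" alias in TEST-NET-3 and the 60-second timeout are constructed, not pfSense defaults.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# A packet is (src ip, src port, dst ip, dst port, TCP flags), flags written
# tcpdump-style: "S" = SYN, "A" = ACK, "FA" = FIN/ACK, "R" = RST.
Packet = Tuple[str, int, str, int, str]

@dataclass
class Rule:
    action: str                                    # "pass" or "block"
    src: List[str] = field(default_factory=lambda: ["any"])  # list of networks = alias
    dst: List[str] = field(default_factory=lambda: ["any"])
    dport: Optional[int] = None                    # None = any port
    label: str = ""

def in_alias(addr: str, entries: List[str]) -> bool:
    return any(e == "any" or ip_address(addr) in ip_network(e) for e in entries)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    src, _, dst, dport, flags = pkt
    if not (in_alias(src, rule.src) and in_alias(dst, rule.dst)):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    # Modelled default of pf pass rules ("flags S/SA"): only a bare SYN may
    # create a new state. A block rule matches whatever the flags are.
    return rule.action == "block" or flags == "S"

class Firewall:
    def __init__(self, rules: List[Rule], state_timeout: float = 60.0):
        self.rules = list(rules)
        self.states: Dict[tuple, float] = {}       # flow 4-tuple -> expiry time
        self.timeout = state_timeout
        self.log: List[tuple] = []                 # what the firewall log would show

    def first_match(self, pkt: Packet) -> Optional[Rule]:
        for r in self.rules:                       # top down, first hit wins
            if rule_matches(r, pkt):
                return r
        return None                                # no match: default deny

    def filter(self, pkt: Packet, now: float = 0.0) -> str:
        flow = pkt[:4]
        expiry = self.states.get(flow)
        if expiry is not None and now < expiry:    # state lookup comes before the ruleset
            self.states[flow] = now + self.timeout
            return "pass (existing state)"
        rule = self.first_match(pkt)
        if rule is None or rule.action == "block":
            # Only packets that reach the ruleset can be logged, so a late
            # FIN/ACK or RST for an expired state shows up here as a block.
            self.log.append((now, flow, pkt[4], rule.label if rule else "default deny"))
            return "block"
        self.states[flow] = now + self.timeout
        return f"pass ({rule.label})"

    def insert_rule(self, rule: Rule, position: int = 0) -> None:
        self.rules.insert(position, rule)

    def flush_states(self, dst_alias: Optional[List[str]] = None) -> None:
        """Diagnostics > States: kill everything, or just the states to one alias."""
        if dst_alias is None:
            self.states.clear()
        else:
            self.states = {f: t for f, t in self.states.items()
                           if not in_alias(f[2], dst_alias)}

LAN_NET = ["192.168.1.0/24"]                       # the source network, not "any"
BLOCKED_SITES = ["203.0.113.0/24"]                 # constructed alias (TEST-NET-3)

def demo() -> Dict[str, str]:
    fw = Firewall([Rule("pass", src=LAN_NET, label="LAN allow all")])
    edge = ("192.168.1.50", 50000, "203.0.113.10", 443)
    chrome = ("192.168.1.50", 50001, "203.0.113.10", 443)
    out = {"edge_before_block": fw.filter(edge + ("S",), now=0)}
    fw.insert_rule(Rule("block", src=LAN_NET, dst=BLOCKED_SITES, label="block alias"))
    out["edge_after_block"] = fw.filter(edge + ("A",), now=1)      # state still open
    out["chrome_after_block"] = fw.filter(chrome + ("S",), now=1)  # new session
    fw.flush_states(BLOCKED_SITES)
    out["edge_after_flush"] = fw.filter(edge + ("A",), now=2)
    late = ("192.168.1.60", 40000, "198.51.100.7", 443)            # an allowed site
    out["late_syn"] = fw.filter(late + ("S",), now=10)
    out["late_finack"] = fw.filter(late + ("FA",), now=10 + fw.timeout + 1)
    wrong = Firewall([Rule("pass", src=LAN_NET, label="LAN allow all"),
                      Rule("block", src=LAN_NET, dst=BLOCKED_SITES, label="block alias")])
    out["block_below_allow"] = wrong.filter(chrome + ("S",), now=0)
    out["logged_blocks"] = str(len(fw.log))
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value}")
```

    The `block_below_allow` case is the ordering mistake johnpoz asks about: a block rule placed under an allow-all never gets evaluated. The `late_finack` case is the log noise discussed in the last two threads: nothing is wrong with the rules, the state simply expired before the client's last segment arrived, which is why the fix (if one is needed at all) lives in the state timeout settings rather than in the ruleset.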
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.