• pfBlockerNG Rules - Are IP and DNSBL Rules Combined?

    0 Votes
    4 Posts
    516 Views
    provels
    @bitperfect I run Pihole on a tiny VM ahead of pfB. Clients look to the Pi, Pi looks to pfB/Resolver. With the blocklists I have enabled there, this is blocked, plus whatever else pfB does. It's amazing everything still works!
  • Firewall - Block by Default Deny rule

    0 Votes
    9 Posts
    880 Views
    johnpoz
    @eeebbune While you might have had some sort of state table issue.. But there is no way the source IP of traffic into an interface is going to be its own address.. When you're trying to talk to it from a device on that network. Glad you got it sorted, but that rule you posted of mgmt address with desc allow to reach internet makes zero sense..
  • Having trouble loading certain web pages after moving to pfsense

    0 Votes
    9 Posts
    425 Views
    johnpoz
    @Gertjan which is exactly my point ;) Yeah stated as such have no IPS, proxy, or squid running,
  • FortiClient not connecting over pfSense

    0 Votes
    18 Posts
    3k Views
    @phoenixfsense I know it's been a while but I'm experiencing the same issue. I was wondering if you were ever able to resolve the issue and what you did? Thanks.
  • Aliases don't give ips

    0 Votes
    2 Posts
    178 Views
    johnpoz
    @Shuldyk-Andrii said in Aliases don't give ips: I've tried to add 40 000 you pfsense to resolve 40k fqdn to their IP(s).. Yeah that seems unlikely to be a good idea..
  • frontdoor.knotch???

    0 Votes
    1 Posts
    243 Views
    No one has replied
  • Antivirus without Clamav

    0 Votes
    4 Posts
    356 Views
    JonathanLee
    Squid Proxy uses ClamAV but it is for the traffic flows and for the web cache; to use it correctly you have to have it configured in SSL intercept mode. It is a resource hog. It works well, but for someone who uses 4GB RAM you need a swap partition, as running ClamAV, Snort, Squid etc. consumes memory. I use it and yes occasionally it will stop something. But you have to know it's only because I utilize web caching. I over-analyze everything and make reports for weird stuff. Yes it is a lot of work to configure correctly, but if it's done right it is amazing to see in action. Back to your question, I can only run Clam and it only scans web traffic and web cache partitions. This is separate from the firewall; the firewall itself has no ability to download anything unless an invasive container got into the web cache, and again I have download limits of what it can keep for size ratios. So only, for example, Windows can have a higher ratio to hold updates for my accelerator use. Yes it does content acceleration with dynamic updates; again you need to configure it so only some trusted sites can hold 5GB updates, the rest should have very small limits. It's a balance, right, everything is. The question I would ask is what do you want done. If it is just scan the firewall and you don't use a web cache or IPS, there really is nothing downloading outside of Netgate updates. Again never say it's invincible, it's more like a timed lock of how much effort and time is required to get past the firewall. Don't ever think stuff is 100 percent secure, nothing is; you can go find metasploits all day for vulnerabilities, it's more how long can it be secure in my eyes. What can I do to make it a more complex puzzle for an attacker.
  • newbie: bogon not updating

    0 Votes
    5 Posts
    567 Views
    @johnpoz Thank you for pointing me in the right direction. It never occurred to me that setting the default gateway to "None" last year was the reason why I could not update pfSense. Now that the default gateway value was returned, the dashboard "System Information" > "Version" is now showing the available version update. I will try again to update pfSense this December. I will also try to see if the two NTP entries I added to Firewall > Rules > LAN are no longer needed. I added them this year because the access points suddenly could not connect to NTP.
  • Crash report

    0 Votes
    1 Posts
    118 Views
    No one has replied
  • Create firewall rule to allow VNC over SSH

    0 Votes
    2 Posts
    221 Views
    @flexibleapps VNC over SSH is more accurately VNC through SSH. So you'd just need NAT and WAN firewall rules forwarding and allowing port 22 (or whatever port(s) you use for your SSH connections; you'll need 2 ports if you're doing this with 2 LAN hosts). But since you already created port forward and firewall rules for VNC, it sounds like you basically already know what to do. Just need to (for example) forward port 2222 to LAN host 1 port 22 and forward port 2223 to LAN host 2 port 22, make corresponding firewall rules allowing those inbound connections on WAN, and then configure VNC accordingly.
  • Firewall rule processing order with multiple interface groups

    0 Votes
    3 Posts
    292 Views
    el_baby
    Hi, @viragomann, thanx for your suggestion. I didn't answer earlier because just today I had access again to the firewall. I did a few tests with some rules in every interface group and I could verify that interface groups are sorted alphabetically by name and rules are applied in that order. This may have a subtle (and possibly dangerous) side effect if you rename an interface group after rules in that and other groups exist: Suppose you have group name GROUP1 with RULE1 in it, and group name GROUP2 with RULE2 in it. Once you apply the rules, RULE1 applies before RULE2. If later on, you rename GROUP2 and call it GROUP0 without further changes, rules stay as they are. BUT if you later on create, modify or delete a rule (maybe unrelated to either group), once you reapply the rules, RULE2 will be applied before RULE1 (which might have security or functional consequences).
  • Isolate device from LAN but allow WAN access

    0 Votes
    2 Posts
    236 Views
    @patrickdickey52761 No way, when keeping this setup. You would have to separate the wifi router from the LAN to control its traffic on pfSense. In your current setup, traffic from the wifi devices passes the router, which has the other leg in the LAN network. Traffic destined to any LAN device will go directly from the router to the destination device, but not pass pfSense. Hence pfSense cannot do anything to block it. So yeah, a VLAN between pfSense and the wifi router could be a way to separate the network. Then you can allow upstream traffic on this interface and block anything else. However, consider also allowing access to the DNS port if pfSense is your server.
  • Alias reload

    0 Votes
    17 Posts
    5k Views
    @bobcodes I'm going to reply to this thread because, like me, many people end up here looking for an answer. I hope it helps. Install the pfSense cron package; it will show the list of active cron jobs. Among them is the one that runs: /usr/bin/nice -n20 /etc/rc.update_urltables at 12:30 every day (in my case). If you want it to run at other, more frequent times, since as mentioned they did not find a way to make the execution more continuous, and to avoid modifying too much, just edit the cron entry, add now forceupdate and change it to every minute: */usr/bin/nice -n20 /etc/rc.update_urltables now forceupdate or every 5 min: */5 * * * * /usr/bin/nice -n20 /etc/rc.update_urltables now forceupdate I hope this helps future visitors.
  • 0 Votes
    3 Posts
    230 Views
    I can ping LAN IP 10.99.99.1 from all devices if they don't have this IP as gateway. If I create a VM and give it 10.99.99.1, I cannot ping it. If I give another IP as gateway, I can ping 10.99.99.1.
  • Correction mistake ...

    0 Votes
    1 Posts
    129 Views
    No one has replied
  • Block all traffic except for certain websites.

    0 Votes
    2 Posts
    472 Views
    Gertjan
    @armagan153 Yes, you can block whatever you want. But first, you have to know what 'traffic' is and how you can operate on it with a firewall, like pfSense, or any other firewall out there. Known filter items are: source and destination IP, source and destination port, protocol used, and some less known items. To fully understand what a firewall can use to make decisions to "block or pass", you have to know what an Ethernet packet is. Example: you can use "IP addresses" only, as a firewall operates on the Ethernet packets. On that level, host names are an unknown concept. A web browser uses its device IP to connect to a server IP. @armagan153 said in Block all traffic except for certain websites.: allow only access to Facebook Allow or block only facebook (as an example) This question is actually posed very often here on this forum. I agree, a bit hard to find. You have to use the search button - see the top of this page - enter 'facebook.com' and hit search. You will find many pages that contain the word (url) 'facebook.com', and you have to read through them one by one. Guaranteed you'll find rather quickly something or someone that asked the very same question as you. Now, take one step back. I've a question for you to answer. What would you do if you worked for facebook? What would you do so every potential customer can easily access the facebook (whatsapp) etc services everywhere on the planet? Wouldn't you do everything in your (xxxxx billion dollar) power to make this happen? I'll repeat your question: you want to block someone like facebook, as an example. The fastest solution would be: go work for them for a while as a network engineer, and you'll learn all about their network, and then you will know what to do. You can't block facebook by putting facebook.com in a pfSense Alias (the alias gets resolved into all IP addresses every 5 minutes), and use the alias (== all the resolved IP addresses) in a firewall rule.
    You'll discover that these IP addresses change all the time!! Quite understandable, as Facebook takes servers down, for maintenance or whatever, and activates other ones constantly. Google, Apple, X, Microsoft, etc etc are all doing the same thing. I'm not trying to tell you that blocking 'whatever' isn't possible. It is. For example, Facebook owns (uses) its own AS (go wikipedia that one). With the help of pfBlockerNG you can select this AS, and it will download the list with IP networks that it contains, and voila, you'll see: you can't access any facebook services anymore.
  • Moving anti-lockout to a different LAN interface

    0 Votes
    5 Posts
    669 Views
    johnpoz
    @Airone-0 The rule is to make sure an admin doesn't lock themselves out of the firewall.. But you can for sure, as @Gertjan mentioned, create your own allow rules to access the pfSense GUI and/or SSH from some other network/VLAN. And then if you so desire disable that built-in lockout rule on the LAN interface..
  • PF BLOCKER DNSBL updates failing for several BlockLists

    0 Votes
    5 Posts
    359 Views
    @Gertjan You're absolutely right. Yes, I do have a Maxmind account. I set it up a while ago and I believe just left it at defaults. I will change the frequency. Thanks for catching this. Maybe this is the issue -- they're throttling access since it's not updated very often.
  • Getting My vpn Client to Pass Through my firewall ports correctly

    0 Votes
    1 Posts
    101 Views
    No one has replied
  • PfBlocker with BGP and dual wan

    0 Votes
    1 Posts
    96 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.