• Approach to troubleshoot a connection to a single website. - solved

    10
    0 Votes
    10 Posts
    828 Views
    M
    @JKnott I must be confusing with the details I added. The single website issue (in the title) is explained and can be considered closed. I can't find anyone else that is having this issue, and I know several with the same ISP/service, but given it fails when I bypass pfsense, it is clearly not a pfsense issue. Thus I closed the thread. I still see a variety of outbound blocked packets that I can't explain. It made more sense to me to open a separate thread to avoid similar confusion.
  • SG-1100 not blocking traffic when creating firewall rule on WAN or LAN

    Moved
    11
    0 Votes
    11 Posts
    1k Views
    johnpozJ
    As I stated in your other thread - without you actually posting your rules, what you said you did and what was happening doesn't mean anything. For all we know you put the rules below your any, so no shit they wouldn't ever trigger. But putting them in floating would, etc. If you need help with rules you need to post a screen shot of the actual rules on the interface. Users always say they did X, when it comes down to it they did Y.
  • 0 Votes
    13 Posts
    2k Views
    I
    FYI... I got it back up and running. Wasn't hardware... I was adding on Virtual IPs and made a mistake... deleted one of the IPs while in a rush. Double-checked and just added it back in... back online!!
  • Delay in connecting to specific site

    12
    0 Votes
    12 Posts
    1k Views
    bmeeksB
    @cristiann said in Delay in connecting to specific site:
    Thanks. I disabled pfBlocker and the issue is resolved

    pfSense troubleshooting 101 ... Anytime you have connectivity issues with a pfSense installation and you have any packages installed, disable all the packages first and then see if the problem disappears. Odds are it will. After that, you know the core pfSense setup is fine. So then start enabling the packages one by one to see which one is the cause of the issue. Suricata, Snort, Squid and pfBlocker can all be potential problem makers. Suricata, Snort and pfBlocker rely on third-party inputs (rules for Suricata and Snort, and IP lists for pfBlocker), and any of those third-party tools can have bad data in them that cause false positives.
  • how to block lan ip to another lan ip on same interface and same subnet

    4
    0 Votes
    4 Posts
    471 Views
    A
    Sure. If you have separate interfaces on your pfsense box, that's one way. This guy makes several videos about pfsense and how to config and use it. He's got a session on multiple networks using separate interfaces on the same box. https://www.youtube.com/watch?v=9kSZ1oM-4ZM
    If you have a managed switch, and have some knowledge on it, or are good at googling instructions and guides, you can set up VLANs on your pfsense box and switch. If you have a capable managed switch, you can set up port isolation on said switch. Manufacturers tend to call this setup different things, so you might have to dig for some instructions again. Hope that helps! Jeff
  • How to check internet speed test

    3
    0 Votes
    3 Posts
    363 Views
    I
    iperf is available but not sure its speed report is generated
  • pfsense routing local link to internet?

    10
    0 Votes
    10 Posts
    1k Views
    C
    I don't use Wireshark, not really a fan of it and don't know how to use it. The IP addresses are in my paste:
    "fe80::1:1 > fe80::66a2:f9ff:fe4c:f44c:" and "beyond scope 2a03:2880:f221:c4:face:b00c:0:43fe, source address fe80::66a2:f9ff:fe4c:f44c"
    Basically pfsense sent an ICMP unreachable back to the android device rejecting the request. I did use the android link local address as the filter in packet capture.
  • Why allow dynamic ports

    1
    0 Votes
    1 Posts
    217 Views
    No one has replied
  • Had my pfSense been compromised?

    79
    0 Votes
    79 Posts
    16k Views
    provelsP
    @kiokoman Poor Leonardo. Unappreciated in his own time.
  • Can't connect even in the same network

    12
    0 Votes
    12 Posts
    1k Views
    johnpozJ
    Just let us know if you have any questions - happy to help
  • Allow only established connections (incoming)

    9
    0 Votes
    9 Posts
    5k Views
    johnpozJ
    Yes, rules are evaluated as traffic enters the interface from the network the interface is connected to. They are evaluated top down, first rule to trigger wins, no other rules are evaluated.

    If you don't want lan to go to vlan1, then above your any any rule, put a block that blocks source lan net dest vlan1 net. Duplicate this for any traffic you don't want to allow...

    Simple way to do it if you don't want vlans to talk to each other is just create an alias with all the rfc1918 space in it, and put that above your any any rule that allows internet.. Here is a typical setup to allow a vlan to talk to internet and pfsense for services but not any other vlans on your network.

    [image: 1571671695633-typicalblock.png]

    So my test vlan/network can ping pfsense test IP, can ask it for dns, can ask it for ntp.. Then all other access to firewall IPs is blocked (this prevents say hitting the web gui via your wan IP from this network). Then block access to any rfc1918 space (your other vlans). Last rule allows access to anything else...

    This basic sort of setup would allow a vlan/network to access services off pfsense (ping for connectivity check).. But block all other access other than internet - adjust as you want to allow this vlan to talk to your other vlans - putting those rules above your block to other vlans. This assumes your other vlans are using rfc1918 space.. You could just block access to pfsense wan address to prevent access to say your public IP for web gui... But easier to just use the built in "This Firewall" alias that is any IP that pfsense might have.

    I like to use rejects on local side rules, no reason for the client to just retrans trying to get somewhere you are blocking - might as well just let them know right away they are not getting there.. This is normally fine locally, but not something you would ever want to do on your public facing interfaces.
  • How to consistently bypass vpn gateway for macys.com

    6
    0 Votes
    6 Posts
    4k Views
    bmeeksB
    @ady2 said in How to consistently bypass vpn gateway for macys.com:
    @bmeeks macys.com has a lot of IP addresses, as if you check each time you will see they are different (maybe not each time but each other time). And the DNS lookup is returning only one IP address for macys.com each time. Regarding VPN service usage, probably you are right, there is more marketing. Real benefits in real life are not so much or even not at all, as they could sell our data same as our internet providers. I was hoping that there should be a way to be able to make an alias for a website and block or allow or redirect it how you like (for example I found that there are some aliases for amazon and netflix in pfBlockerNG for them), but I was not able to find by googling how to identify all the IP addresses for a website as they could change and you actually will need to update that pool. Thanks @bmeeks, appreciate

    Some domains are popular enough to warrant folks maintaining all or most of their IP space in lists that pfBlocker can download. Think Google, Amazon, YouTube, Facebook, etc. However, many other retail sites are not so lucky. As I mentioned earlier, because of all the difficulties with streaming services and such, I just am not a VPN fan. I use a VPN only for secure connection back into my LAN from the Internet. So I run the OpenVPN server on my firewall and have a client on my mobile devices. Remote access and extending a LAN to remote office locations (point-to-point VPN) are the only two reasons I consider good reasons to use a VPN. The privacy thing does not get me excited.
  • 0 Votes
    10 Posts
    2k Views
    johnpozJ
    Glad to hear... Now is that much better than some hack disabling stateful firewall rules.
  • Rules on Wan interface not working

    4
    0 Votes
    4 Posts
    236 Views
    johnpozJ
    So your clock being off kept the rules from loading? I have never tested that - but not sure how that would come into play.. Doesn't matter if the firewall thought it was today or 12 years ago or 12 years in the future.. Rules would be rules would be rules.
  • How to have group of users only have access to white list websites

    1
    1 Votes
    1 Posts
    97 Views
    No one has replied
  • WAN traffic passed on ports that are not open

    2
    0 Votes
    2 Posts
    265 Views
    kiokomanK
    @Drusher said in WAN traffic passed on ports that are not open: @4294967295 same as https://forum.netgate.com/topic/147248/had-my-pfsense-been-compromised/31
  • Unable to access internet from OPT3

    3
    0 Votes
    3 Posts
    163 Views
    kiokomanK
    You will never see traffic from OPT3TESTBED net in the WAN interface, that rule is wrong.
    "NAT In bound Obitalk UDP" is probably wrong, you usually don't know the source port.
    WAN net is not internet, as rico pointed out.
  • Unable to ping to/from netgate XG-7100 WAN interface

    7
    0 Votes
    7 Posts
    909 Views
    RicoR
    Glad you have it working now. -Rico
  • Firewall rule for ipsec (port 500)

    2
    0 Votes
    2 Posts
    146 Views
    T
    Never mind. Changing destination to "This Firewall" fixed it.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.