• unable to forward ports.

    4
    0 Votes
    4 Posts
    386 Views
    DerelictD
    Check everything on that list. It is something there.
  • 0 Votes
    5 Posts
    321 Views
    D
@JeGr Is the syslog entry for the block rule sufficient? I don't think the GUI allows me to easily search for the relevant log entry?
    <134>Oct 14 20:14:57 filterlog: 10,,,1000000104,ovpns2,match,block,out,4,0x0,,82,22380,0,DF,6,tcp,100,157.240.3.55,172.16.0.2,443,49150,48,A,2482124958:2482125006,2272804108,113,,nop;nop;TS
    172.16.0.2 is the IP of the VPN client. I cannot find a rule with tracker 1000000104; however, on the ovpns2 interface I do have a block all rule that appears to be ignored. [image: 1571097432540-1952adca-db1e-46a1-9559-b98bb19d6394-image.png] OpenVPN_net is 172.16.0.0/29. The tracker ID of the block all rule is 1570507813. No log entry on the ovpns2 interface matches that ID. However, I do see matches for rule 1570507813, but they are for the ovpnc1 interface (NordVPN).
    <134>Oct 14 18:44:34 filterlog: 57,,,1570507813,ovpnc1,match,block,in,4,0x0,,54,37736,0,DF,17,udp,311,78.130.254.59,10.8.8.42,51413,44994,291
    The NordVPN interface only has a block all rule, no other rules. I do not see any entries for that block rule.
  • Outbound Meraki L2TP on non-standard port no return traffic

    1
    0 Votes
    1 Posts
    161 Views
    No one has replied
  • pfSense as a transparent bridge

    1
    0 Votes
    1 Posts
    298 Views
    No one has replied
  • AWS Site to Site VPN (VTI) - Policy Based Route Issue

    5
    0 Votes
    5 Posts
    417 Views
    jimpJ
    From your office to AWS hits your LAN rules and uses route-to which policy routes the traffic as expected. From AWS to your office hits the IPsec rules and has two real issues -- #1, there is no reply-to on IPsec tab rules, they have to be on per-interface tabs and #2 per-interface IPsec VTI rules do not work, so we don't have those tabs available. (Thus, even if present, reply-to wouldn't be possible). So it falls back to routing based on what is in the table for return traffic, and since you have no routes back to AWS, it leaves via the default gateway.
  • 0 Votes
    12 Posts
    1k Views
    X
@johnpoz There is a lot of stuff behind the main box; one of them is FreeNAS. All I need is for this Windows Server 2016 to have access to the FreeNAS SMB shared storage without going through the VPN server to office site 1 and back. ANY IDEA?
  • IPv6 policy routing selects wrong interface

    1
    0 Votes
    1 Posts
    101 Views
    No one has replied
  • TFTP for PXE - answer from TFTP Server is blocked

    1
    0 Votes
    1 Posts
    140 Views
    No one has replied
  • pfSense in Azure

    azure
    2
    0 Votes
    2 Posts
    1k Views
    T
    How about multiple public ips?
  • [SOLVED] Reset firewall hit counters?

    5
    0 Votes
    5 Posts
    2k Views
    awebsterA
    @johnpoz Thanks, that's exactly what I was looking for!
  • block network IPs off attackers in a portforwarding environment

    Moved
    6
    0 Votes
    6 Posts
    224 Views
    johnpozJ
    Why would you have done that? The default of create rule is there for a reason ;)
  • portforward issue over vpn with floating rules

    3
    0 Votes
    3 Posts
    169 Views
    L
Hey, that worked really well =) Thank you very much! I had spent hours trying different things before this :P
  • How to Block Youtube for relevant IP address

    3
    0 Votes
    3 Posts
    360 Views
    NogBadTheBadN
    It would look something like this:- You'd also need IPv6 rules if you run dual stack. [image: 1570611207850-screenshot-2019-10-09-at-09.50.23.png] [image: 1570611216847-screenshot-2019-10-09-at-09.52.30.png]
  • 0 Votes
    3 Posts
    676 Views
    M
@johnpoz Thanks for the reply. After you replied, I investigated and I understand now that this warning has nothing to do with pfSense. The file is a saved web page: https://www.ceos3c.com/pfsense/pfsense-generate-ssl-certificate-https-pfsense/ The scanner is on my ReadyNAS v 6.10.1; I don't know who the "produser" is.
  • block port 80

    Moved
    2
    0 Votes
    2 Posts
    270 Views
    GertjanG
Euh ..... sorry, not very clear. Can you post some clear info like: [image: 1570541859053-0ee49b82-fc99-4138-8134-ac01eb5da148-image.png]
  • NEED setup Firewall

    11
    0 Votes
    11 Posts
    1k Views
    johnpozJ
Where exactly are you seeing that - like some of the first rules in the firewall
    block drop quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
    block drop quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
    block drop quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
    block drop quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
    block drop quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
    block drop quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
    block drop quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
    block drop quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
    They are just not shown in the GUI..
  • Need Advice

    1
    0 Votes
    1 Posts
    141 Views
    No one has replied
  • How to figure out required details for firewall rule

    3
    0 Votes
    3 Posts
    360 Views
    M
@kiokoman Thanks for your reply. Yes, of course I know that the rule order matters. But I was able to solve it myself now. I installed Packet Capture for Android on the phone, started the game and figured out that two ports are required. After these ports had been allowed on pfSense the game started as expected. :-)
  • Multi Site Connections Not Working

    1
    0 Votes
    1 Posts
    83 Views
    No one has replied
  • IoT Network Firewall Rules

    7
    0 Votes
    7 Posts
    2k Views
    johnpozJ
There is little reason to run guest network mode on UniFi unless you were going to be running captive portal. It's a performance hit btw.. Enabling guest services.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.