• Guest Network Firewall Rules

    0 Votes
    12 Posts
    3k Views
    AstraeaA
    I had a chance to test out access lists in Nginx and it worked perfectly. I added a deny line to the configuration for that particular domain/subdomain and it was blocked for the specified network. The next question I have though is the best way to set up the firewall rule in pfSense. I created a rule to allow access to the NAS system I have that is located at 17.2.39.32 and that works, but when I add a rule that uses an alias it only allows access when a subdomain is used that goes to that proxy server such as movies.local.domain. When I just use domain.local or the IP address (17.2.39.112) of the reverse proxy it still gets blocked by pfSense. Should I just make a subdomain of guestnetwork.local.domain and have it go to the reverse proxy that just redirects to the main site for that proxy so that I can control access from within Nginx?
  • Rule allow network access can't working

    0 Votes
    8 Posts
    1k Views
    johnpozJ
    ^ yup very true... Kind of hard for clients to resolve anything with those rules, unless you're doing DoH or DoT for DNS on the client, or serving up DoT to your clients on unbound.
  • Unable to browse the web

    0 Votes
    30 Posts
    2k Views
    johnpozJ
    So your AP was either running a captive portal, or it wasn't actually in AP mode and was trying to route, etc., which was prob the same network on both sides, etc. Its WAN and its LAN.. So yeah, not going anywhere.
  • Floating vs Interface rules processing order

    0 Votes
    41 Posts
    8k Views
    DerelictD
    cat /tmp/rules.debug
  • DROP most LAN to LAN

    0 Votes
    12 Posts
    2k Views
    DerelictD
    These are VMs/Containers. Any isolation would have to be done in the vswitch. Or perhaps in the proxmox firewall.
  • Allowing HTTPS 443 traffic only - not working

    0 Votes
    13 Posts
    1k Views
    DerelictD
    DNS is TCP/UDP port 53.
  • Cloud service querying locally hosted API

    0 Votes
    1 Posts
    126 Views
    No one has replied
  • TCP:R blocks with open rules

    0 Votes
    12 Posts
    2k Views
    M
    @rml_52 I have fixed my issue today. I have switched my storagenode docker from the "bridge" network to use the "host" network. Then I allowed the rules on Linux to let traffic through for the port.
  • pfsense configuration problem

    0 Votes
    19 Posts
    2k Views
    R
    @johnpoz The issue is not in the usage of the term, but in where it is being used. Let's look at the pfsense, for instance. We are talking about the LAN interface and setting the IP for the LAN interface. This is an interface and not a network, yet in this instance it is being used as both. This is what is causing some of the misunderstandings that people are having. If I am understanding what @viragomann is saying correctly, the LAN interface IP cannot be an IP that is managed by a remote VLAN on my switch. Thus the LAN interface becomes the transit network for all traffic that needs to reach the WAN interface from the remote switch. Routing for each subnet that needs to reach the WAN needs to be set on the pfsense. If I understand correctly, that routing needs to take the subnet (example 192.168.1.0/24) and point it to the LAN interface in order for the traffic to traverse the firewall and reach the internet. Is that what you have been trying to say?
  • What’s the most effective way to filter content?

    0 Votes
    8 Posts
    978 Views
    W
    Hi, I did manage to find a pretty secure system, for anybody willing to spend the $. On a trial with it right now, works perfectly for us so far... Adamnet.works
  • Opinion on Config

    0 Votes
    5 Posts
    582 Views
    johnpozJ
    Yeah no help dude.. Why are you mentioning networks that are disabled? How does the esxi host network come into play, 10.1.69? How is that connected to your core router.. Is there anything else on this 10.1.10/24 network? Not sure why you think pfsense having an interface on some network this opt1 has anything to do with say your sql server? That is for sure asymmetrical and a hairpin.. So 10.10 wants to talk to say 8.8.8.8, he sends traffic to pfsense 10.1, who then sends it back out the same interface to 10.254.. Ok, pointless as that is - when the core router gets an answer he will just send it directly to 10.1 - why would he send it back to pfsense on 10.1? Which is asymmetrical.
  • Invert Rule question

    0 Votes
    3 Posts
    254 Views
    johnpozJ
    Where did you put that rule, what rules are above it? What rules are below it? Rules are evaluated top down, first rule to trigger wins, no other rules evaluated, as traffic enters the interface from that network. That rule says if destination is anything other than 192.168.10.2 to port 433, block. But it doesn't allow traffic to anything; if traffic doesn't match that rule it just moves to the next rule. So say your dest was 192.168.10.100 port 80, it would look to rules below. Also ! rules can be tricky if you have any vips setup.. You should prob be explicit in your rule design. If you want to allow only traffic to 192.168.10.2 on port 443 then allow that, and below it put a block all rule. Really need to see your full set of rules to know what is happening.
  • Firewall rule not matching fragmented UDP packets

    1 Votes
    2 Posts
    234 Views
    S
    I can confirm this behaviour on 2.4.4-RELEASE-p3. It was working with 2.4.4-RELEASE-p2 before. Some rules do not match anymore, which is not cool... BR Steffen
  • Alarming WAN Leaking using fast.com (Resolved)

    0 Votes
    4 Posts
    484 Views
    KOMK
    Thanks for the update. That would explain everything.
  • 0 Votes
    8 Posts
    4k Views
    S
    Thank you so much. I installed and tried again. Version 2.4.4-RELEASE (amd64) built on Thu Sep 20 09:03:12 EDT 2018 FreeBSD 11.2-RELEASE-p3. It runs well. Note: Card LAN PCI Ex4 bce uses pppoe isp
  • firewall routing problem

    0 Votes
    11 Posts
    1k Views
    johnpozJ
    You create a transit network as I showed in my drawing.. Now clients that want/need to go to this 10 network can just be allowed via a simple firewall rule, if you don't want everyone to be able to get there. The transit network can be just a vlan if you want, or if you have another interface on pfsense you can just connect the downstream router there..
  • Port Forwarding for Remote ESXi GUI Access

    0 Votes
    6 Posts
    905 Views
    johnpozJ
    Fixed the post - if you tab before your text it does that. Should be easier to read now ;) If you're going to port forward, I would lock it down to your work IP.
  • Firewall Alias not updating table correctly

    0 Votes
    7 Posts
    2k Views
    B
    @Gertjan said in Firewall Alias not updating table correctly: Without any local host overrides, I declared an alias "SYS_URL" with some URLs: [image] One of them has only an IPv4 - the others have both IPv4 and an IPv6. After validating the table, I checked right away: [image] which is all correct.

    You have it. Except my router is not behaving that way all the time. I have one alias that behaves exactly like yours, and another that I described in the initial post, and it isn't putting all the IP addresses into the table.

    Responding to some of the other comments: First, I don't use host overrides. From my original post: "For background, I am using DNS Resolver and there is a domain override in place for myDomain.com (Type Transparent). It's working as expected." Second, I am not using public DNS for this. There is a public DNS server for the MyDomain.com zone. However my router does not forward DNS queries and the public DNS server has no entries for myHost.myDomain.com. Third, the mydomain.com override points to a Windows AD server. I bring this up because it may be precipitating the issue. nslookup against both servers returns the same results for myHost.myDomain.com. However resolving my Aliases into tables is not storing the same results into the table. In fact at the time of this writing, the table is empty. Fourth, to be exact, I am testing the feasibility of creating private social networks using secure peer-to-peer communications. Residential service must be accommodated yet, for no good reason, most ISPs are issuing IPv6 network addresses that change. I can use dynamic DNS to communicate address changes to peers. However if I am to support this firewall I need a way to alter firewall rules when peer addresses change. In other words, I need to be able to let them in. Aliases seem like the only way to go.

    So, here is how I see it now, based on input received so far: 1: This is a bug that occurs when Aliases are being resolved because it's doing its own thing and processing something other than what nslookup would return. After all I am comparing the results of an nslookup to the contents of the table and they are different. 2: It's a bug and the alias resolution process is receiving the correct list of records but is choosing, correctly or incorrectly, to filter some of them out. 3: I am misunderstanding the documentation (it wouldn't be the first time, but it's rare). The documentation is vague when it comes to use-cases in this regard. 4: The documentation is missing a constraint we need to know about. 5: I missed something in the documentation (this occasionally occurs). Right now I am inclined to go with number 1. I have been trying to determine if this is something that will be addressed by bug #9296, or if I need to open a new bug report. If it's not a bug then it'll become a feature request and I'll have to go another way. @Gertjan did you auto-add your alias? The timestamp entries lead me to believe that. If you did, can you tell me what button you pushed to make that happen?
  • Firewall rules disabling after few minutes

    0 Votes
    1 Posts
    143 Views
    No one has replied
  • 0 Votes
    4 Posts
    446 Views
    pitchforkP
    It works now. I changed the VIP to type "alias", used a port fwd rule with auto FW rule creation, and created an outbound rule. Thanks again!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.