  • All Inbound NAT connections suddenly not working

    0 Votes
    11 Posts
    843 Views
    T
    Ok, in the end I nuked everything from orbit and reconfigured from scratch. It is working fine. Thanks for all the help.
  • Firewall Feedback

    0 Votes
    21 Posts
    2k Views
    johnpoz
    @NollipfSense said in Firewall Feedback: "why throw away a good working kick-ass Mikrotik RB450G."
    Not saying you have to throw it away, but as a bump in your network it is pointless, and just using electricity for no reason at all.. Be it 3 W and only costing $1 a month... Still just pointless..
  • Routing between OPT and LAN subnets on SG1100

    0 Votes
    8 Posts
    1k Views
    johnpoz
    So when you say downstream, I think of an L3 switch doing routing... This is just an L2 switch on your network with an IP on the SVI for whatever VLAN you're trying to talk to it on. Did you set up a gateway on this SVI/switch? Do you have routing on the L2 switch to allow what you're doing, if you're coming from different networks? If this is the same switch and you have 2 SVIs on it, 192.168.1.2 and 192.168.2.2? If your source is on the 192.168.2 then sure it can answer.. But if you ping its 2.2 address from 1.1, how would it answer.. If it also has an SVI on the LAN network it would try to answer there - but that is asymmetrical, and yeah, going to be problematic. Your switch should only have a single SVI, in the network you want to manage it on, unless it's going to be doing L3 routing.. If that is your OPT network, then ok, its gateway should be 192.168.2.1, your OPT interface on pfSense. And if you ping it from another network, it will know how to answer you via sending the answer back to pfSense. I don't think you called out what specific Cisco you have.. But here for example is the default route.. So I can talk to this switch from any network where my firewall rules allow it, and it can answer back. [image: 1565105907025-routes.png] It only has the 1 IP; I have no other SVIs set up on it because it's not doing L3 currently.. Only L2..
  • Can't work out why this firewall rule isn't working

    0 Votes
    12 Posts
    1k Views
    J
    @johnpoz said in Can't work out why this firewall rule isn't working: "Not sure what your doing, but you can create cidr alias just fine.. Are you wanting it to expand them?"
    I worked out what I was doing wrong! Because I haven't had to refer to the tables before (including from the CLI), since I've never had an issue with 2.3.x, I was checking for them before applying them to a firewall rule, which turns out to be the point at which they're created, not after saving and hitting apply in the UI as I had expected. So no issues with CIDR, but unfortunately I am stuck with bug 9296 :(
  • Setting the right firewall rules for allowing Ping

    0 Votes
    11 Posts
    887 Views
    U
    OK. What do I do to get these replies in? I cannot see where my mistake is, so that's the reason why? If I don't get any reply, is this a configuration error of the Zone Rules or DNS? Is this a rule I need to add to the WAN interface, that it should allow ICMP response? Normally my understanding is that it will allow response traffic. My Outbound NAT looks like this: https://ibb.co/p3Cpp7B From my ISP I have a /29 subnet with public IPs, so hopefully I set this up correctly.
  • pfSense doesn't block IP option

    0 Votes
    2 Posts
    175 Views
    No one has replied
  • Can access SSH via WAN but not HTTPS

    0 Votes
    9 Posts
    721 Views
    pitchfork
    There was an auto rule created by NAT that redirected 443. That rule was below the pfSense Management Access rule, and I forgot that NAT rules are evaluated first. I changed the pfSense port and it worked. Thank you!
  • [ SOLVED ] Email Reports stopped working

    0 Votes
    7 Posts
    1k Views
    Gertjan
    @h1pp13p373 said in [ SOLVED ] Email Reports stopped working: "it's sending to an open mail server (port 25)"
    That's a quick-and-dirty mail server ^^ Port 25 is reserved for incoming mail from other mail servers - never-ever mail clients. That's an old trick that should be abolished. Use port 587 or, even better, 465, which means: authenticity before sending mail. Furthermore, SSL/TLS should work just fine if good certs are set up in postfix. These certs should be trusted - not self-generated or something like that. That's not an issue these days, as Let's Encrypt certs are not only good for web servers, but also mail servers (incoming SMTP) and IMAP/POP etc. Typically, this test https://www.checktls.com/ should be all green.
  • Ring doorbell not working after update?

    0 Votes
    5 Posts
    775 Views
    chpalmer
    @Brokk Nest and Blink devices initiate connections. Like any internet request from a browser or other client device, they should not need anything else.. There should be nothing that pfSense is blocking. Try putting an allow all from to port 443 to LAN Network on your WAN firewall rules for a minute or three. If it does not work, just disable it. Actually, if it works I'd still question it.
  • Best practise for limiting inter LAN routing

    0 Votes
    13 Posts
    2k Views
    P
    Thanks for all the advice, much appreciated.
  • cannot ping WAN interface IP

    0 Votes
    3 Posts
    408 Views
    P
    Thank you so much, johnpoz!!! After adding that rule I am able to ping 10.1.1.10 (WAN address) ... routing still not happening ... What do I need to do to allow a PC in 10.1.1.x to ping a PC in 10.2.2.x?
  • [ SOLVED ] vnstat -u Error: Unable to get interface "ovpnc1" statistics.

    1 Vote
    1 Post
    156 Views
    No one has replied
  • remove OpenVPN Firewall Section

    0 Votes
    1 Post
    125 Views
    No one has replied
  • Firewall Rule Blocking on Single Destination not Working

    0 Votes
    9 Posts
    1k Views
    E
    If anyone is reading this, the fix was as KOM suggested in the first place: doing Diagnostics - States - Reset States. I did, but not all the time and irregularly. If a firewall change does not at first appear to work, do this first, every time, all the time. Then go on to something else to try to fix the problem.
  • LAN to WLAN issue

    0 Votes
    3 Posts
    349 Views
    D
    Thank you kiokoman! It worked.
  • installed new NIC -> how just (!) internet

    0 Votes
    4 Posts
    325 Views
    KOM
    Of course not. The order of the rules is important. First match wins (except for floating rules, but that is another topic). Your first rule allows all traffic to anywhere, so no other rules will be processed. Notice how your block rules all have 0 B of traffic hitting them. You need to move that allow rule from the top to the very bottom. Also, your block rules #2 and #4 are not valid since the traffic is coming from the BLAU network. Just delete them.
  • GnuTLS error

    0 Votes
    10 Posts
    2k Views
    Gertjan
    Start focussing on answering our question. Doing so will help us help you. Otherwise this thread becomes pretty useless.
  • States

    0 Votes
    25 Posts
    3k Views
    O
    Just a follow-up: 2.4.x continues to have this problem. 2.3 was working, but of course there are issues with using an old build, including the lack of packages. I have done a clean install of the latest 2.5 build, and it works as well as or better than the 2.3 that I have been running. 2.5 is based on FreeBSD 12.
  • Basic Firewall Set Up

    Tags: pfsense, configuration, firewalls, help
    0 Votes
    4 Posts
    1k Views
    Gertjan
    @ccigas said in Basic Firewall Set Up: "I guess from there, I would not have to allow DNS or HTTP/S through the firewall from there or is that not needed?"
    Typically, on a second LAN interface - called OPTx - you would block HTTP and HTTPS access to the firewall (= pfSense) itself. Don't block DNS; devices could use pfSense as a DNS, or whatever other DNS they want to use on the net.
    @ccigas said in Basic Firewall Set Up: "For the DNS, it seemed to only work"
    pfSense doesn't use or care about DNS it receives from upstream routers. The resolver - unbound - uses the 13 main root DNS servers (the real backbone of the Internet) to find domain info. That will always work. There is no need for - and none is used by default: upstream DNS servers, ISP DNS servers, private info collection servers (Google and others), etc. If the default resolver doesn't work, something is wrong with your Internet access. Btw: 'named', or bind, isn't used by pfSense. bind is much bigger and more capable, and offers functionality that hugely surpasses the needs of a firewall.
  • [Resolved] IPVanish Desktop Client not connecting since moving to pfSense

    0 Votes
    3 Posts
    3k Views
    S
    Hi @Derelict ... By playing with settings I have found that if I change the connection settings from IKEv2 to OpenVPN TCP, the connection is established correctly. I'm none the wiser as to why this works and why the other didn't, so if you or anyone knows, please educate me, I'd love to understand more. :-) Logs stated below. I googled the 809 error, but didn't get much that I could understand/use. The error seems generic to my eyes.

    08:28:12 [Information] (VpnSDK::RAS) Connecting to "zrh-c05", Protocol=IKEv2
    08:28:12 [Information] (VpnSDK::RAS::EventLog) The current user has started dialing a VPN connection using a per-user connection profile named IPVanish. The connection settings are: Dial-in User = MYEMAILADDRESSWASHERE VpnStrategy = IKEv2 DataEncryption = Require PrerequisiteEntry = AutoLogon = No UseRasCredentials = Yes Authentication Type = EAP <Microsoft: Secured password (EAP-MSCHAP v2)> Ipv4DefaultGateway = Yes Ipv6DefaultGateway = Yes IpDnsFlags = IpNBTEnabled = Yes UseFlags = Private Connection ConnectOnWinlogon = No Mobility enabled for IKEv2 = Yes.
    08:28:12 [Information] (VpnSDK::RAS::EventLog) The current user is trying to establish a link to the Remote Access Server for the connection named IPVanish using the following device: Server address/Phone Number = 45.82.223.11 Device = WAN Miniport (IKEv2) Port = VPN2-1 MediaType = VPN.
    08:28:12 [Information] (VpnSDK::RAS::EventLog) The current user has successfully established a link to the Remote Access Server using the following device: Server address/Phone Number = 45.82.223.11 Device = WAN Miniport (IKEv2) Port = VPN2-1 MediaType = VPN.
    08:28:12 [Information] (VpnSDK::RAS::EventLog) The link to the Remote Access Server has been established by the current user .
    08:28:18 [Error] (VpnSDK::RAS::EventLog) The current user dialed a connection named IPVanish which has failed. The error code returned on failure is 809.
    08:28:18 [Fatal] (VpnSDK::Internal::RAS) The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.. Code=809
      DotRas.RasDialException: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.
        at async Task Zorg.VPN.RAS.RasConnection.Connect(CancellationToken cancellationToken)
    08:28:18 [Error] (VpnSDK::RAS) RAS connection failed. Error: 809 Extended: 0
    08:28:18 [Error] (VpnSDK) An exception occurred during connection process. VpnSDK.VpnException: Unable to connect to the VPN server. (809) ---> DotRas.RasDialException: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.
        at async Task Zorg.VPN.RAS.RasConnection.Connect(CancellationToken cancellationToken)
        at async Task VpnSDK.Internal.Managers.RasManager.Connect(Server server, IRasConnectionConfiguration connectionConfiguration, IUser user, CancellationToken token)
      --- End of inner exception stack trace ---
        at async Task VpnSDK.Internal.Managers.RasManager.Connect(Server server, IRasConnectionConfiguration connectionConfiguration, IUser user, CancellationToken token)
        at async Task VpnSDK.SDKCore.Connect(Server serverToConnect, IConnectionConfiguration connectionConfiguration, CancellationToken cancellationToken)
    08:28:18 [Verbose] (VpnSDK) VpnConnectionStatus=Disconnected
    08:28:19 [Information] () Will attempt to reconnect. Attempts made: 0, Max attempts 10
    08:28:21 [Information] () Reconnecting...
    08:28:21 [Verbose] (VpnSDK) VpnConnectionStatus=Connecting
    08:28:21 [Information] (VpnSDK::RAS) Connecting to "zrh-c05", Protocol=IKEv2
    08:28:21 [Information] (VpnSDK::RAS::EventLog) The current user has started dialing a VPN connection using a per-user connection profile named IPVanish. The connection settings are: Dial-in User = myemailaddress VpnStrategy = IKEv2 DataEncryption = Require PrerequisiteEntry = AutoLogon = No UseRasCredentials = Yes Authentication Type = EAP <Microsoft: Secured password (EAP-MSCHAP v2)> Ipv4DefaultGateway = Yes Ipv6DefaultGateway = Yes IpDnsFlags = IpNBTEnabled = Yes UseFlags = Private Connection ConnectOnWinlogon = No Mobility enabled for IKEv2 = Yes.
    08:28:21 [Information] (VpnSDK::RAS::EventLog) The current user is trying to establish a link to the Remote Access Server for the connection named IPVanish using the following device: Server address/Phone Number = 45.82.223.11 Device = WAN Miniport (IKEv2) Port = VPN2-1 MediaType = VPN.
    08:28:21 [Information] (VpnSDK::RAS::EventLog) The current user has successfully established a link to the Remote Access Server using the following device: Server address/Phone Number = 45.82.223.11 Device = WAN Miniport (IKEv2) Port = VPN2-1 MediaType = VPN.
    08:28:21 [Information] (VpnSDK::RAS::EventLog) The link to the Remote Access Server has been established by the current user .
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.