• Communication between LANs does not work

    14
    0 Votes
    14 Posts
    1k Views
    obonesO
    Of course ! I'm so used to the fact that "private" IPs need to be translated before going to the outside world that I forgot about basic routing. Thanks for the reminder.
  • Unable to block wyzecam

    6
    0 Votes
    6 Posts
    1k Views
    N
    @akuma1x hi, no. Only local LAN. Actually I returned the cameras. They don't work in LAN-only mode. Even for that they need to send a heartbeat and get an ack from their cloud server, which is stupid and an unnecessary security exposure, so you can't fully block them with the firewall: every 10 mins or so they need that heartbeat signal to keep working, so they need to have "open" access to the internet.
  • What Happened to the Arrow? (solved)

    4
    0 Votes
    4 Posts
    459 Views
    NollipfSenseN
    @johnpoz said in What Happened to the Arrow?: You mean these? [image: 1562859514081-these.png] That is not "in" that is "quick" Yes John that is correct and that's what happens when one reconfigures from memory...thank you! [image: 1562862756222-screen-shot-2019-07-11-at-11.29.35-am.png]
  • 0 Votes
    2 Posts
    705 Views
    RicoR
    Post your Rules (Screenshots). -Rico
  • (SOLVED) Can't have access to Google's 172.217.0.0 addresses

    34
    0 Votes
    34 Posts
    4k Views
    T
    @kiokoman thanks
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    6 Views
    No one has replied
  • WAN / LAN rules when LAN is public

    1
    0 Votes
    1 Posts
    102 Views
    No one has replied
  • how to bypass a List of specific IP through pfsense

    4
    0 Votes
    4 Posts
    353 Views
    K
    We are using OPEN VPN that is configured by our cloud server that is established in a different geo location. We only installed and used their given credentials to log in and connect to the VPN; at that time we were not using pfSense, or you can say we were working in an unsecured network, but after using pfSense we are not able to work on our cloud server. Every time we hit the Dynamic DNS it says the server's IP address is not reachable. And if we try the same thing through an AIRTEL WIF (modem/open/hotspot device), it works fine. How can I resolve it? Do I have to configure the VPN or any setting that maybe I can use in pfSense? Help me.
  • Blocking traffic from LAN

    5
    0 Votes
    5 Posts
    550 Views
    KOMK
    You could add your A record to the DNS you're currently using. You don't need pfSense to be your DNS for split DNS to work. You just need your FQDN resolved to its LAN IP.
  • Can't ping Windows 10 machine

    2
    0 Votes
    2 Posts
    532 Views
    GrimsonG
    @William_von_Baserville said in Can't ping Windows 10 machine: Is there some Setting in pfsense I missed that could cause this issue? As always: Check the Windows firewall settings. By default they only allow pings from the local subnet. Also learn the basics about the operating systems you use.
  • Hardcoded IP address redirection

    35
    0 Votes
    35 Posts
    2k Views
    S
    PS: I'll report back once I have any more to say .... Thanks all for your help so far.
  • Load Balancer, Direct Routing and Default deny rule problems

    1
    0 Votes
    1 Posts
    140 Views
    No one has replied
  • Block IPSEC(IKEV2 IKE) / L2TP / openvpn all traffic

    3
    0 Votes
    3 Posts
    397 Views
    bmeeksB
    @scorpoin said in Block IPSEC(IKEV2 IKE) / L2TP / openvpn all traffic: Greetings, I would like to block IPsec, L2TP and OpenVPN all traffic in my LAN. Most users are using a VPN tunnel to bypass content filtering restrictions on the network. Regards @scorpoin: if you are managing the network for a business, then the best way in my view to handle this is to talk with management and see how serious they are about policing the traffic. If they really don't want the users doing that, then the best solution is a stern notice from Human Resources that the behavior is unacceptable and that violators will face consequences. Trying to handle something like this via technology only will not be successful in stamping it out. There are many ways users can circumvent the filtering technology. But if the users fear their employment may be at risk for circumvention of the filtering, then the incentive for them to search for hacks and workarounds to the ban is greatly reduced. Your job then as admin would be to continue to search for violations and then report the user to HR and let them handle the punishment.
  • Restricting access to GUI from LAN - Still have access?

    firewall gui access alias
    8
    0 Votes
    8 Posts
    1k Views
    G
    @NogBadTheBad Hi, sorry, I should have mentioned: yeah, my PC is on the 10.0.4.X network (just as a test PC). The aim here was to lose connectivity to the GUI from my PC, then I have another one on the 10.0.7.X range that "should" get access to the GUI. After thinking about this last night I think I have sussed it out: we are going through a proxy and this is the IP address that accesses the Management GUI. Hopefully I should be able to add some rules in our other proxy to avoid this firewall bypassing it. I'll let you know if I have any more issues or if I need more help with this. Thanks for your help!
  • 0 Votes
    6 Posts
    783 Views
    A
    @JKnott Makes sense. Thanks
  • TCP:PA and TCP:FPA blocks with torrents

    1
    0 Votes
    1 Posts
    126 Views
    No one has replied
  • How does pfSense handle multicast (and broadcast) traffic!!??

    8
    0 Votes
    8 Posts
    10k Views
    JKnottJ
    @louis2 said in How does pfSense handle multicast (and broadcast) traffic!!??: Routers (I assume you also refer to FW's) should not pass multicast you write. I didn't write that. Look at the different types of multicast. For example, there are things like router advertisements and neighbour solicitations that are link-local scope only. There is absolutely no reason for those to be passed through a router. In fact, the hop limit field is used to ensure a router has not passed them. The hop limit on those is set to 255, which means that if a router passed a packet, then it had to have a limit of 0 before the router, but a router will discard any packet with a limit of 0. On the other hand, there may be some media, such as a "radio station", that people want to listen to. Those would likely be somewhere else and not on the local network, though they could be. In this instance, the multicasts are not transmitted unless requested. If the server is on the local network, then it would start transmitting when it receives the request. If beyond the local network, then the router will have to accept the request and forward it on to the source, which could be many hops away. Then when the multicast is received by the router, it has to be passed on to the local network. Of course the scope can be used to limit how far the multicasts can travel. BTW, firewalls are a separate function, though often performed by routers. In multicasts, it is the router that has to accept and forward the requests and also pass the traffic. If a firewall is so configured, then the multicasts or requests can be blocked, even if they otherwise might be passed by a router.
  • Traffic Quota with IPFW or PF?

    5
    0 Votes
    5 Posts
    890 Views
    J
    Just for reference. Here is a snippet to get current traffic usage:
    <?php
    require_once("functions.inc");
    require_once("captiveportal.inc");
    // Bytes the connecting client has sent (upload table) and received (download table).
    // The table names are the ones used in the original post; 'bytes' must be a quoted key.
    $sent = (pfSense_ipfw_table_lookup("test_auth_up", $_SERVER['REMOTE_ADDR']))['bytes'];
    $received = (pfSense_ipfw_table_lookup("test_auth_down", $_SERVER['REMOTE_ADDR']))['bytes'];
    $used = $sent + $received;
  • How to avoid asymmetric routing between subnets / VLANS!?

    7
    0 Votes
    7 Posts
    2k Views
    DerelictD
    TCP:S is the initial connection. There can be no asymmetry there. That is either passed or not on the interface upon which that connection is received.
  • IDS behind pfsense box

    9
    0 Votes
    9 Posts
    1k Views
    bmeeksB
    @swarm: My point was that when you use VLANs on a switch the network traffic is all within the same physical hardware and you are depending on the software/firmware in the switch to keep the different packets separated. That's the same case within a hypervisor. You are depending on the hypervisor software to keep the different networks separated. So the "security risk" in my view is basically the same. I was providing a sort of counter to your argument that it would be slightly safer if the guest VLAN traffic never touched the server at all. I'm not familiar with Proxmox, so I can't make a judgement about it. I have used ESXi extensively, though.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.