• RDP not allowed through pfsense
    0 Votes
    15 Posts
    8k Views
    bmeeks
    @mandy47 said in RDP not allowed through pfsense: @bmeeks is there a link or tutorial you can recommend that I can use to set up a VPN client on the pfsense box. Thanks in advance. For your application, you actually want a VPN Server on your pfSense box. Your VPN client piece will be on the remote devices (smart phone, laptop, etc.) that you use to connect back to your LAN. You will install the OpenVPN Client Export package on pfSense in order to export suitable certificate packages for various platforms such as Windows, iOS, etc. If you are new to VPN technology, think of it as a very long network cable that reaches anywhere in the world. One end is plugged into your LAN, and the other end is wherever you need to remotely connect back to your LAN. With VPN, that connection is highly secure. Once the VPN connection is made, your remote device behaves like it is directly connected to your LAN, but you can control exactly what type of traffic flows over the VPN connection with firewall rules. So you can allow anything over the VPN connection to and from your LAN, or just specific things like RDP and probably DNS. It's your choice as the admin for what to allow over the VPN.
  • TCP_MISS/200
    0 Votes
    8 Posts
    507 Views
    No one has replied
  • Firewall time out of sync. 7 hours ahead of actual system time
    0 Votes
    10 Posts
    951 Views
    johnpoz
    Yeah those rules are a MESS... In what scenario is pfsense running plex? You have a rule that says ok to hit your lan address on 32400.. Then you have a rule on your wan with lan address as source??? WTF? Clearly you do not understand how the rules are evaluated.. It would be impossible for your wan to see lan address source. You have an any rule on your wan for whitelist... This is HORRIBLE!!! Have brought this up in another thread... pfblocker allowing this to happen is HORRIBLE!!! Security issue for sure.. You're resolving - and you're worried about dns leak? You understand that every dns query will come directly from your wan IP right? That is how resolving works. What I would suggest is start freaking over!!! Validate that pfsense is working out of the box with the default setup, no pfblocker.. No nonsense rules with redirecting dns, etc.. Then if you want to stop clients from using other dns then do that.. Also 8.8.8.8. with the period on the end like that is now asking it to resolve that as name.. not as a ptr.. Host "8.8.8.8." could not be resolved. Would be what you should get.. You're also asking those 2 other dns.. In your other when you get host google.com could not be resolved... This would point to maybe dns manipulation, or dnssec failing, etc... Let's start from a clean slate and figure out why you cannot resolve... From your log there when you asked for that arpa you got a NX... Which is correct I get NX for that as well.

    $ dig -x 185.216.34.228

    ; <<>> DiG 9.14.1 <<>> -x 185.216.34.228
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57661
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;228.34.216.185.in-addr.arpa.    IN    PTR

    ;; AUTHORITY SECTION:
    185.in-addr.arpa.    3600    IN    SOA    pri.authdns.ripe.net. dns.ripe.net. 1557734757 3600 600 864000 3600

    ;; Query time: 548 msec
    ;; SERVER: 192.168.3.10#53(192.168.3.10)
    ;; WHEN: Mon May 13 03:59:55 Central Daylight Time 2019
    ;; MSG SIZE  rcvd: 116
  • ISP DDoS Protection
    0 Votes
    7 Posts
    792 Views
    bmeeks
    This seems to be a very popular misconception -- that a firewall at the endpoint can stop or mitigate a DDoS attack. A little bit of Google research, if you are new to network protection and security, would go a long way toward understanding what a DDoS actually is, what the symptoms are and where it must be remediated. Hint -- it's not with a firewall at your end of the connection. It's at your ISP's end of the connection, and if you are an ISP, it's at the higher tier ISP or bandwidth provider's endpoint that you are connected to for your Internet connection. Your upstream provider has to stop putting the DDoS traffic into your connection pipe. Once all those DDoS packets are in your Internet pipe, as @Derelict said, your pipe is full and that's that -- nothing a firewall at your end can do then.
  • 0 Votes
    8 Posts
    1k Views
    johnpoz
    You don't need the ftp package for passive. Only Active, unless you are super restrictive on your outbound rules.
  • Add *.domain on aliases
    0 Votes
    3 Posts
    675 Views
    @KOM Thank you. So pfsense does not accept *.domain; I tried to find something on the net. Well, thank you again.
  • OpenVPN over UDP on client behind pfSense
    0 Votes
    2 Posts
    486 Views
    Rico
    Show the Firewall Rules for the Interface this Client is connected to. -Rico
  • How do I whitelist the firewall itself from firewall rules?
    0 Votes
    6 Posts
    915 Views
    johnpoz
    Once you get there - post details.. About ready to chill and watch some tv with the wife.. But here to help.. If pfsense is directly connected to a network, there is no need for any routing for it to talk to anything on a network it's connected to.. But if dns related - if unbound is say not allowed to use interface X for outbound queries, that could be a problem and not related to a "firewall" rule.
  • Skipping the TUI menu on login
    tui menu bypass chsh etcrc.initial tcsh
    0 Votes
    1 Posts
    185 Views
    No one has replied
  • Few questions regarding FW behavior
    0 Votes
    4 Posts
    207 Views
    KOM
    Floating rules are powerful but they can also be confusing. I've seen many cases where somebody had an issue that turned out to be a floating rule that they forgot about or misinterpreted. From most cases I have seen, floating rules are more often used to match traffic for QoS purposes. Other uses usually involve advanced configurations. Unless you have many interfaces, it can be simpler to understand if you put your interface rules on the specific interfaces they apply to.
  • allow external traffic over ipv6
    0 Votes
    12 Posts
    850 Views
    Thanks again for your patience with me... just an update. Yesterday, after trying everything that had been suggested, I decided that maybe if I rebooted the firewall it would start working properly. Unfortunately, when I clicked on reboot it never came back up. I had to once again reinstall it. But on the bright side I entered the rule as I was told to and all is working again.
  • Legitimate UDP packets blocked
    0 Votes
    3 Posts
    468 Views
    johnpoz
    @whatgives said in Legitimate UDP packets blocked: This is what I see in my Firewall log. X May 7 20:52:26 WAN xxx.xxx.213.14:5060 yyy.yyy.yyy.yyy:5060 UDP Did you reload your rules after creating that rule - did they actually reload. Do you have any rules in floating? Did you make a typo in the source address, you have it blocked out.. Screenshots are always better than ascii copy of the rules. That is a port forward you created but you didn't link the port forward to the firewall rule? Do you have multiple "wan" interfaces where the traffic is coming in a different interface than where you created the rule... the 0/0 shows that there has not been any hits on the rule - for whatever reason? But without more details it's not possible for us to help you ascertain the reason.
  • Alias firewall block rule not blocked!
    0 Votes
    56 Posts
    9k Views
    I now again recovered my old config from that date before I created this thread and everything works fine. I can't get it to not work anymore. And yes, I saved my config before I started to try anything last month.
  • Tunneling the same IP Subnet ( Ethernet over IP )
    0 Votes
    3 Posts
    414 Views
    @JKnott said in Tunneling the same IP Subnet ( Ethernet over IP ): @SCG If I understand the question, you could use OpenVPN in TAP mode. Can I set up openvpn on a single interface? We have the following network structure:
    location 1: 172.16.0.0/21, 192.168.100.0/24, 172.16.250.0/24 ( phone network ), 192.168.200.0/28 ( custom ipsec )
    location 2: 172.16.32.0/20
    Location 1 and 2 need to access everything from the other side, and the 172.16.250.0/24 needs to be routed to the phone system in location 2 with the same subnet, same with the custom ipsec network.
  • GUI Diagnostics Ping not blocking
    0 Votes
    4 Posts
    223 Views
    https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html?highlight=firewall%20rule%20basics Check out the very first sentence. Pings from the pfSense itself do not enter an interface. The source address is part of every IP packet. The source address may be set to the LAN address or whatever, but the ping comes from pfSense itself and doesn't enter an interface. That function is meant for diagnosing network problems, not for testing firewall rules.
  • How to block youtube without blocking google.
    0 Votes
    4 Posts
    2k Views
    @akuma1x not working for me, maybe because I am using pfsense
  • Does firewall aliases support getting a ipv6 address from a FQDN?
    0 Votes
    10 Posts
    1k Views
    NogBadTheBad
    @ivarh said in Does firewall aliases support getting a ipv6 address from a FQDN?: But sometimes the Synology box changes the ipv6 address and this breaks the rule. Odd, my Synology DS415+ consistently gets the same IPv6 address.
  • cannot connect FTP using WinNC software on Pfsense
    0 Votes
    8 Posts
    887 Views
    @Derelict thank you very much
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.