• Can somebody tell me how to build Transparent Firewall on the router up

    1
    0 Votes
    1 Posts
    151 Views
    No one has replied
  • Port Aliases

    6
    0 Votes
    6 Posts
    872 Views
    johnpozJ
@chris-1028 said in Port Aliases: "a domestic network or a MegaCorp network are both exposed to essentially the same risks." No, not even close, sorry!!! And they are managed completely differently.. Out of the gate.. And it comes down as well to who controls the devices that connect to a corp network. For starters, in a corp none of those ports you list would even be allowed out in the first place. And more than likely all or 99.9% of all access, other than one-offs with tons of paperwork to allow, would be forced out a proxy anyway. I would be more than happy to debate corp or domestic with you - but if you think it makes sense to spend time on such nonsense in a home setup.. Have fun! You're wasting your time! Your time should be directed at what exe the devices can execute before you worry about what ports they can talk outbound on.. And where they can get such exe in the first place. Isolation of IoT, sure - agree; trying to limit what it can do.. kind of pointless.. Pretty much anything it does is going to be over 80/443, that is a given anyway. Where it does that is going to be more of a concern than what port it needs. Name some IoT devices that need anything other than say ICMP or 80/443? I have plenty of IoT devices in my home - none of them talk on anything other than those ports. Well, they need DNS - but that is only required locally. I isolate all my IoT devices, and log everything they do outbound - they never try to talk outbound on anything other than ICMP/80/443..
  • 1 Votes
    4 Posts
    3k Views
    D
    @Derelict Thank you for taking the time to explain the difference to me. It was really helpful and I finally understand the difference! I really appreciate it!
  • Suggestion on snort please. (SOLVED)

    3
    0 Votes
    3 Posts
    417 Views
    W
Hi bmeeks, thank you for the response. Indeed pfSense is doing its job great. I'm clear about the scenario now.
  • Rebuilding my firewall -- question on geoip allow or block.

    4
    0 Votes
    4 Posts
    553 Views
    emammadovE
    @tross9 That is correct. Keep these rules on the top of your Wan rules.
  • blocking private networks to check or not to check

    3
    0 Votes
    3 Posts
    282 Views
    T
Thanks for the info. I'll look at this and see if I can get Teamspeak3 to work; not sure how to test it. I used to be able to do this: connect to 192.188.1.20 (LAN IP) to see if it was up, then connect to 200.200.5.23 (public IP, of course this is fake and is just for the example); this would allow me to see if TS3 was accessible from the internet. As I've been reading, it does not look like that will work any more.
  • all DMZ traffic being blocked

    6
    0 Votes
    6 Posts
    613 Views
    T
    Working now. Helps if you don't set the DMZ IP to be /32 instead of /24
  • pfsense blocking TCP:S when port forwarding for Plex

    9
    0 Votes
    9 Posts
    4k Views
    DerelictD
    Port forwarding 101, man. https://www.netgate.com/docs/pfsense/nat/forwarding-ports-with-pfsense.html
  • Firewall Rule Numbers

    25
    0 Votes
    25 Posts
    9k Views
    DerelictD
    rules.debug is the best place to get the configured rule set all in one place. It is usually one of the first places I go when evaluating a status output, depending on what the trouble is. I never look at the rules in the config.xml. rules.debug lays them all out for you in a readable format.
  • Disable LAN interface?

    6
    0 Votes
    6 Posts
    2k Views
    C
@johnpoz I said "sparsely", not "un-". I found your first URL, I did (+/-) as it said, it worked perfectly: so yes, "documented" ...but you have to look hard to find that page. Your second URL: old folk like me don't take our "documentation" from YouTube: printable words are good, they allow calm reflection and filing in our internal documentation. 802.1Q mode for 3100 mvneta1 is excellent! Wish I had found the "documentation" months ago. Chris
  • Understanding basic firewalling rules

    2
    0 Votes
    2 Posts
    386 Views
    GertjanG
Hi, The principles of a firewall are always the same, using pfSense, or some other system, OS, etc. In the past, and I'm not talking centuries here, the very basic concept of a firewall would take a year or so for a student to learn. And this wasn't in high school or something like that. These days, we are obliterated by the sheer number of books, Internet discussions, and videos about the subject. I advise you to start with reading general wiki pages - and have a look at this: https://www.youtube.com/channel/UC3Cq2kjCWM8odzoIzftS04A/videos - there is a video called Firewall and NAT Fundamentals on pfSense that you should see. When you test for yourself, always start as simple as possible. Always check your work. You can see pfSense as a car. The car builder won't teach you how to drive ^^ Btw: Your first paragraph: you are correct.
  • Is there an email spam filter?

    Locked
    13
    0 Votes
    13 Posts
    7k Views
    jimpJ
    I take the security of everyone's firewalls seriously, and I don't like when people recommend things that will compromise that severely. I know you feel justified in what you've done, but it's not something that should be done, and should not be recommended to anyone. The instructions for that repo have changed recently but even before then, they included an install script that still pulled the binaries from his personal repo, not FreeBSD. If you want to do it, you do you, but don't spread the infection.
  • Snort Package automatically stop?!

    15
    0 Votes
    15 Posts
    1k Views
    J
I've solved the installation error.. just logout, login again, delete the package and reinstall.. I see also now with this version of snort the custom IP also loaded without problems!.. Green icon.. Thanks. I've seen a lot of IP addresses trying to access the server behind pfSense.... wonder if there is a package fail2ban option? Thanks...
  • Syncthing on pfsense

    1
    0 Votes
    1 Posts
    476 Views
    No one has replied
  • Firewall rule name in logs

    firewalls rules logs filtering naming
    2
    0 Votes
    2 Posts
    1k Views
    A
    Technically, these are NOT called rule names, but descriptions instead. The description of my firewall rules (on LAN is where I'm logging) are in my firewall logs. If you've got no rules created, you'll have to make some that actually log the data. After that, if you look in Status -> System Logs -> Firewall in the Rule column it lists the rule description(s). There's also the 10 digit unique (I think) tracking ID code to make them quick to find or index. The only restriction listed for rule descriptions is max of 52 characters. Don't know anything about special characters, however. Here's some talk about some description stuff. https://forum.netgate.com/topic/92254/firewall-rule-description-length-limitation Jeff
  • 0 Votes
    1 Posts
    235 Views
    No one has replied
  • Requiring Firewall Help to Communicate between Different Networks

    12
    0 Votes
    12 Posts
    2k Views
    RicoR
    Glad you have it working now. -Rico
  • Please help... WAN & Dual LAN - Trouble routing LAN2 to tinterweb

    9
    0 Votes
    9 Posts
    368 Views
    D
I've not got the VPN to pull routes; [image: 1555257747889-dontpullroutes.jpg] I'm able to ping pfSense from guestvlan (as well as my NAS drive 192.168.1.16, which is on my LAN side. This is right at the minute as I've not put a block rule in yet, but I'll do that once the guest and vlan get internet) [image: 1555257759103-tests.jpg] Thanks for all your help so far
  • package not able to load

    8
    0 Votes
    8 Posts
    807 Views
    vallumV
@vallum This is fixed; I followed the steps below for package upgrade from the shell: https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html#cli-troubleshooting
  • External Proxy server

    2
    0 Votes
    2 Posts
    216 Views
    K
@bormar81 Hey. As an option, use a tunnel to connect PF and UBUNTU (for example, GRE over IPSEC, OPENVPN, VTI) and use PBR to redirect all traffic on ports 80,443 to this tunnel.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.