• Migrating BSD packet filter to pfsense

    0 Votes
    3 Posts
    264 Views
    Thanks! So, instead of a file name and relying on the OS to read the file, use a URL that points to the abusive hosts text file. Well, I suppose a piece of network equipment would want to use the network to access stuff. :) That'll work. I can deal... Got any suggestions for the 2nd part? How to express exceptions to blocks of host IP addresses?
  • On Speed Test Ookla Show my Client IP

    0 Votes
    2 Posts
    279 Views
    Do you do NAT? If yes, you can answer by yourself :) But if you do not do NAT and give public IPs to your clients, they will be seen only if they go through the ISP who gave them to you... If you have an AS and BGP to your 4-5 ISPs and you announce these IPs, then they can be routed through all of your ISPs...
  • Would like to see Internal LAN IP addresses in Firewall logs

    0 Votes
    6 Posts
    785 Views
    KOM
    Let pfSense do the adblocking or get a pihole running. Turn your OpenWRT into an AP by disabling WAN and DHCP server and then plug the LAN port into a switch.
  • [SOLVED] Am I infected with malware or virus ?

    0 Votes
    6 Posts
    3k Views
    If for any reason you are running Kaspersky or Malwarebytes [link-removed], they can sometimes cause conflicts with firewall rules.
  • Timestamp in firewall logs is wrong

    0 Votes
    7 Posts
    1k Views
    jimp
    Have you rebooted since you set the time zone? The time zone for some processes only gets set at boot time. You shouldn't have to change to another zone to correct that.
  • Port forwarding ports 70-75 for UDP

    0 Votes
    17 Posts
    1k Views
    KOM
    We already went through this and established that everything was working an hour ago. You're just going around in circles now.
  • How to allow DMZ to LAN???

    dmz
    0 Votes
    6 Posts
    2k Views
    Derelict
    It is not the firewall. It must be the elastix server. Its default gateway must be 192.168.11.1. Connections from LAN hosts to DMZ hosts are governed by rules on the LAN interface. You could make those connections with no rules at all on DMZ.
  • Ping in diagnostics pass through firewall rules

    0 Votes
    4 Posts
    485 Views
    jimp
    @situate said in Ping in diagnostics pass through firewall rules: Are you trying to tell me that in pfSense I cannot test the rule like on a Cisco router? On Cisco we can specify the source LAN, and if a block rule exists the ping is blocked. That is correct. Traffic initiated from the firewall cannot enter an interface on the firewall, only exit. That kind of test can only be performed from an external system.
  • Dual adsl into single Pfs wan interface

    0 Votes
    4 Posts
    431 Views
    One way to use only one NIC for multiple internet connections is to use VLANs, but you have to use a managed switch and configure pfSense's WAN interface as a VLAN trunk port, then add the internet connections as VLAN interfaces over it. Michael.
  • Accessing Sophos magic IP via pfSense...

    0 Votes
    3 Posts
    588 Views
    @LB-Munich Hi all, for heaven's sake ... I found it finally. As soon as the MAC is listed in the MAC address whitelist everything works ... I'm such a moron .... Kind regards,
  • Allowing Telegram IM traffic through firewall

    0 Votes
    1 Posts
    326 Views
    No one has replied
  • 0 Votes
    8 Posts
    781 Views
    Hi, thanks for your quick response. @Derelict said in Configure firewall rules to allow traffic initiated from LAN to OPT1 but not vice versa: On OPT1IOT you want to: Pass source OPT1IOT net dest any pfSense-served connections they need like DNS. Do you mean this: [image: 1554612273298-pass-source-opt1iot-net-dest-any-pfsense-served-connections-they-need-like-dns.jpg] Reject source OPT1IOT net dest LAN net. Do you mean this: [image: 1554612291249-reject-source-opt1iot-net-dest-lan-net.jpg] Reject source OPT1IOT net dest This firewall (self). Do you mean this: [image: 1554612550088-reject-source-opt1iot-net-dest-lan-net.jpg] Pass source OPT1IOT net dest any. Do you mean this: [image: 1554612643112-pass-source-opt1iot-net-dest-any.jpg] Thanks
  • block hosts lan for internet access

    0 Votes
    5 Posts
    747 Views
    federicop
    I discovered that this anomaly derives from the fact that the IP that worked (block) was inserted in the Squid proxy server - Bypass Proxy for These Source IPs! If I put the other IP there as well, it also works. But is this operation correct!?
  • 0 Votes
    2 Posts
    205 Views
    For anyone else that follows, the issue/solution was actually nothing to do with firewall rules, instead you need to specify the local networks that are accessible in the OpenVPN server configuration! [image: 1554539200632-a18c1840-79cc-4c09-8f91-8fe653a756c1-image.png]
  • Reset States from GUI fails with error

    0 Votes
    7 Posts
    466 Views
    Steve, thanks for confirming that this is expected behaviour. The background to my query was that I was configuring various rules/aliases and hit a problem whereby the firewall was still blocking traffic, notwithstanding that what I considered to be the relevant rule had been deleted. As part of my troubleshooting I had already reset the states with apparently no effect, although strangely a reboot did clear the issue. I then spotted the log error and, in rushing to put 2+2 together, came up with 5. Cheers
  • Filter Reload

    0 Votes
    5 Posts
    518 Views
    Grimson
    @KOM said in Filter Reload: Small typo. I put 2,000,000 when I meant 200,000. With pfBlockerNG a setting of 2,000,000 is OK. Do not set it as low as 200,000; this will cause problems even without pfBlockerNG, see here: https://redmine.pfsense.org/issues/8417 This is why the default has already been increased to 400,000.
  • Unable to "traceroute" externally (firewall rule has been created)

    0 Votes
    3 Posts
    823 Views
    Thank you Mr Grimson for taking the trouble to respond to my query. I think the appropriate expression (well, I did say I was "thick" in my original post) is that I could not "see the wood for the trees" ... I have to confess that I am a relatively recent convert to Linux and still rather unfamiliar with the concept of differing software sources offering the same functionality. I have located and installed an alternative package, tcptraceroute, which (as the name implies) uses TCP and resolves my issue. Once again, my thanks.
  • ICMP to internet addresses

    0 Votes
    3 Posts
    520 Views
    @viragomann brilliant!! Thanks! It works!
  • Alias bug: dashed IP range vs CIDR IP range

    alias rules bug portforward port forward
    0 Votes
    4 Posts
    1k Views
    jimp
    It might be an edge case we can't really detect well, since it may be valid in some other way even if it isn't an IP address (e.g. a hostname, another alias name, etc.).
  • Allow traffic between VLANs

    0 Votes
    31 Posts
    6k Views
    Yep, Windows Firewall was the problem. Apparently even allowing ping on public network connections wasn't enough. So now on each interface I have an allow-any rule at the bottom and block/reject rules above it to restrict traffic across VLANs (except where we want it).
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.