• Can't access WAN IP address, Squid Guard blocks it

    2
    0 Votes
    2 Posts
    213 Views
    KOMK
    So what is your question? BTW posts about squid and squidguard belong in the Cache/Proxy forum.
  • Grandstream UCM6202 with pfSense

    7
    0 Votes
    7 Posts
    2k Views
    chpalmerC
    @ribula thanks!
  • how can i stop logs for ipv4 IGMP but still log default deny

    19
    0 Votes
    19 Posts
    2k Views
    M
    After a lot of monitoring, I've concluded the physical interface (ix0) cannot filter an IGMP packet from the ISP side of the WAN when the interface is connected via PPPoE. It also will not pass it by default. Since you cannot filter it to apply a rule, it always gets blocked. As soon as the PPPoE connection goes down, a rule on the interface works and the IGMP packet can be passed. No more IGMP packets for a day or so. Can anyone help me build a script in cron that will simply disconnect and reconnect the interface on a schedule?
  • Odd issue accessing local webserver

    14
    0 Votes
    14 Posts
    1k Views
    johnpozJ
    @RigidConduit said in Odd issue accessing local webserver: Realistically, it's the first time I am actually using the bridging feature on pfsense. For zero value add... You have not actually stated a reason on why you're trying to do it.. Use your switch ports for switch ports.. Use your router interfaces for that.. Not switch ports. I can see no value add to what you're attempting to do with bridges vs adding complexity.
  • Want to Block 1IP from using Internet when VPN goes down

    55
    0 Votes
    55 Posts
    12k Views
    johnpozJ
    Think you forget the 0 on your 3 there Derelict... You're 4 days in already.. ;) This is clearly simple facebook sort of post -- suggest you get your help over there since you don't seem to want to take Derelict's ;) Sure they help you out in couple of mins..
  • Outbounding traffic from LAN

    14
    0 Votes
    14 Posts
    2k Views
    johnpozJ
    @19Giugno said in Outbounding traffic from LAN: adding the pfsense as DNS to the machines makes the job! Not adding - ONLY!! You can not point multiple dns that do not resolve the same stuff or you're going to have a bad day.
  • Google captcha

    5
    0 Votes
    5 Posts
    1k Views
    B
    @Gertjan Thank you very much sir. I got it now
  • Rules not working as desired on WAN interface

    16
    0 Votes
    16 Posts
    1k Views
    johnpozJ
    Yeah if you bridge you can control traffic that flows through the bridge. So yeah if you have input on one switch port that is bridged to the rest of your switch ports - then sure you could filter at the bridge point.
  • Firewall blocking live stream

    8
    0 Votes
    8 Posts
    2k Views
    johnpozJ
    Sorry but being new to pfsense, you should not be installing IPS and Proxy and pfblocker out of the gate! As stated by bmeeks already.. Remove them and ramp up to using those advanced features. IPS for sure is not something you click and run with it. And to be honest pfblocker has become almost too powerful for the less experienced user..
  • I want to block some secure websites "like sports, news, Socialnet".

    3
    0 Votes
    3 Posts
    214 Views
    KOMK
    Squidguard relies on squid. If you configure squid properly, you can filter HTTPS URLs without needing pfB.
  • Allow 1 Opt1 device to access 1 LAN device?

    9
    0 Votes
    9 Posts
    735 Views
    johnpozJ
    You can edit the thread title and add solved to it if you so desire.. The time it took you to ask me to do it, you could have done it yourself faster ;)
  • [solved]Not sure what this is

    8
    0 Votes
    8 Posts
    426 Views
    A
    Think I found the cause, there was a floating rule with source this firewall which had a port alias configured with port 443 at the near top of the rule list.
  • Automate easyrule from remote host

    4
    0 Votes
    4 Posts
    4k Views
    L
    @akvadrat said in Automate easyrule from remote host: min and not root. Is it not possible to set NOPASSWD when "running as" ad sorry for replying to this old post, but I'm looking for something like this... @akvadrat can't you share your workaround in fail2ban to write or execute the easyrule action... to add and remove the host's IP address... and the modifications made to the pfsense box on sudoers etc .. thanks
  • Disable logging for "Default deny rule IPv4"

    firewall
    3
    0 Votes
    3 Posts
    3k Views
    gnitingG
    Thanks for the pointer to the settings tab. Dunno how I missed something so obvious!
  • Problems pinging between IPs on a VLAN subnet

    8
    0 Votes
    8 Posts
    1k Views
    JKnottJ
    @bwanajag said in Problems pinging between IPs on a VLAN subnet: I understand clients on the same subnet do not need to route, but I don't understand why that means devices on a given subnet won't respond to pings from another device on the same subnet. pfSense is issuing IP addresses to devices connected to the VLAN (DHCP is working), but I cannot ping those devices from the ping tool within pfSense. Is this normal? Once all devices have received their DHCP addresses, you could disconnect pfSense from the network entirely and it should not make a bit of difference between devices on the same subnet. Your problem is with those devices, not pfSense.
  • 0 Votes
    3 Posts
    1k Views
    johnpozJ
    That is multicast noise most likely from your router itself, ie that 192.168.1.1, which seems odd that is being blocked by the ULA rule fc00::/7 ? If you do not want the noise, and you're behind a NAT.. Then either turn off logging of those rules.. Or create rules that specifically block the noise but don't log it.
  • Finding devices with hardcoded DNS

    nat firewall dns
    3
    0 Votes
    3 Posts
    886 Views
    gnitingG
    @elvisripley Thank you for that invaluable insight. I was able to make a few tweaks based on your guidance (caused lightbulbs to go off in my head!) and I am now able to see the queries!
  • Removing spurious rules that don't show in the GUI

    12
    0 Votes
    12 Posts
    918 Views
    C
    @jimp So the main issue is that I'm getting errors in the GUI: "There were error(s) loading the rules: /tmp/rules.debug:116: syntax error - The line in question reads [116]: nat on lagg0.22 proto tcp from 192.168.100.0/24 to 1.1.1.1 port -> (lagg0.22) @ 2019-03-13 14:14:38". I assume that this is because the actual port value is missing so whatever is adding the rule is adding it wrongly. The same rule exists further up with the port specified. Assuming all the other rules aren't actually creating any problems despite the fact there is no reflection enabled then there's at least that one.
  • Good Case for Floating Rule? Duplicating rules across interfaces

    7
    0 Votes
    7 Posts
    842 Views
    DerelictD
    Yeah that's just VLANs. They are logically separate from each other and behave as separate interfaces. If you want to pass traffic from VLAN 1 to VLAN 2 you need to pass it. You can do what you want with floating rules. I just think interface group rules can be more straightforward.
  • Routing issues after Upgrade (2.4.4) - No (ICMP) Reply to packets

    9
    0 Votes
    9 Posts
    647 Views
    P
    Ok. HA is back and online... but the initial issue still exists :-( Nothing arrives at .102
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.