• samba 4 AD and pfsense

    0 Votes
    7 Posts
    635 Views
    Thanks johnpoz is working now
  • Can't turn off default Deny Private Networks rule

    0 Votes
    13 Posts
    2k Views
    Right On johnpoz!!! Android just got a response from the server! Thank you very much!! You know, it seems like it should be easy, but it's kind of like driving through a new city on a complicated freeway. It's pretty easy to get overwhelmed. Thanks again !!
  • 0 Votes
    3 Posts
    234 Views
    I resolved the problem. The IP we use in WAN was not allowed on the server side we're trying to log in to, so we could only reach the login screen but couldn't log in. Lmao
  • Issues with pfsense firewall log

    0 Votes
    9 Posts
    1k Views
    johnpoz
    That is not the capture.. Download the file and post up the pcap file. [image: 1552122809433-downloadpcap-resized.png] But 10.90.90.90 is your SWITCH IP, or is that the camera IP?
  • LAN to LAN rules, is it possible?

    0 Votes
    4 Posts
    373 Views
    There are some screenshot instructions in that post I linked to. In a nutshell, on your LAN DHCP interface, you set the DNS server to the pihole address on the "other" network. Then, on your LAN interface, you make a port forward to get DNS traffic moving to the pihole. Allow that port forward to auto-create the companion firewall rule. Then point the pihole back to pfsense. And then, finally, set the DNS resolver to "enabled" in pfsense. That means the pfsense box will ultimately run the DNS resolving and caching for your LAN network, after it has been sanitized by the pihole system. Jeff
  • OpenDNS over OpenVPN

    0 Votes
    7 Posts
    2k Views
    Gertjan
    @tomhbp said in OpenDNS over OpenVPN: The internet connection goes down. What is the exact definition here ? Connection totally down or just DNS traffic ? Anyway, it's time to unhide your setup and rules.
  • Filtering URLs

    0 Votes
    5 Posts
    706 Views
    @bmeeks said in Filtering URLs: @19giugno said in Filtering URLs: @kom said in Filtering URLs: You can either tailor your port forwards to only allow specified IP addresses as Source, or you could do it via web server directives in the site's config file, or via .htaccess. But can't I create an alias for List 1 and an alias for website 1 and a rule to match them? Only if website 1 has a different IP address from website 2. Firewalls work off of the IP addresses and port numbers in an IP header. They don't understand URL text. What would you put in the alias you create to differentiate between the two websites? The web server software itself (Apache, nginx, etc.) is what would read the incoming HTTP headers text and then route the request to the proper website. That's what @KOM was referring to: setting up filtering on the web server itself because that's the point in the chain where the actual URL is decoded. Thanks!
  • Traffic blocked randomly

    0 Votes
    14 Posts
    1k Views
    Yes I disabled hardware checksum offloading, Sorry I was sure I have said that it was a proxmox VM, but it is not the case. Yes I followed this tutorial to install PfSense
  • Blocking all IP's except a few one

    0 Votes
    6 Posts
    590 Views
    Gertjan
    Ok for the image but it doesn't help us much to answer. What interface ? Restrict access to the GUI, and if so, http ? https ? both ? - or no access at all (no ICMP, no DNS, no TCP, no UDP, nothing) ? From LAN ? From WAN ?
  • How to Limit Steam Traffic PFSense

    0 Votes
    1 Posts
    220 Views
    No one has replied
  • Pfsense 2.4.4 no internet access! Help please! (Solved)

    0 Votes
    13 Posts
    19k Views
    @akuma1x @KOM Thanks guys for your help.
  • Pfsense in Stateless mode

    0 Votes
    13 Posts
    4k Views
    telserv
    @jimp said in Pfsense in Stateless mode: So fix the other device so it doesn't do that :) Yea, don't I wish. Step 1 would be to define the problem, which I haven't been able to do yet. Or don't go stateless, but setup sloppy state rules: Unfortunately, sloppy state rules don't work either. My current goal is to get this working in stateless mode, and then slowly add firewall rules to protect things. I tried it the other way around (firewall rules first), but couldn't get pfSense to work long enough to get any work done. So the question remains, after I've tried 'allow all' rules that have the state set to either keep, sloppy, or none, and that doesn't work, and I can't throw out the oddball product, what do I try next to allow traffic thru.
  • firewall for windows network

    0 Votes
    3 Posts
    409 Views
    johnpoz
    Well said bmeeks.. An edge firewall is much different than a host firewall.. But with the right know-how it is possible to do some application based filtering with the openappid and snort. https://www.netgate.com/blog/application-detection-on-pfsense-software.html But yeah that is going to be a steep learning curve for sure, for someone that had to ask the question in the first place. If your goal is to prevent applications from doing xyz - that is the place of a host firewall. But normally if you're to a point where you want to filter chrome or skype from being used in a windows environment you would just prevent those applications from even being installed by users.. If you can give us more info on your overall network - running AD? Are your windows machines user managed - ie sort of BYOD setup? Or are they managed by You/IT dept? What exact sort of scenarios are you wanting to prevent? Are you wanting to allow for example skype to be used to video call other users in your org/location/family - but not allow free access to anyone? etc.. This is where the suggestion of hiring the correct staff or company to manage your expectation of security is key.. Actually useful valid security always comes at a price.. Be it in the learning curve if you're going to do the work yourself - or in the cost of the appropriate hardware and or licensing of specific software to do what you want to do with your current skillset. While you can for sure do some amazing things with pfsense be it with something like OpenAppID or IPS in general or Proxy for filtering categories, etc. etc.. If you do not have the skillset or the staff that can leverage opensource or free/lower cost tools. Then you have to pay for the higher end stuff like commercial based proxy or NGFW with application management like a PaloAlto or etc.. 
All have license cost that can be prohibitive for the smaller shops - and while they do make doing X much simpler since they do all the background work for you (reason for the license costs) you still need the appropriately skilled staff to manage them, etc. Implementation of valid security controls is also going to cost a price with your user community... Be it they could do X before and now it doesn't work, but to do their job (at least in their minds) they need to do X, etc. etc. So there will be learning curve and training required for the user community along with normally higher support hours/cost to manage the expectations and issues that the heightened security will create - at least in the beginning.
  • New Install - Missing return TCP traffic to LAN

    0 Votes
    4 Posts
    229 Views
    johnpoz
    Dude you can not have your wan and lan in the same network - so yeah no shit nothing is going to work!
  • 0 Votes
    1 Posts
    122 Views
    No one has replied
  • How to setup pfsense as a front-end AV and firewall only

    0 Votes
    1 Posts
    211 Views
    No one has replied
  • Limit traffic from Openvpn interface

    openvpn pia
    0 Votes
    3 Posts
    747 Views
    @rico Thanks will take a look
  • Logging connections, not their content

    0 Votes
    7 Posts
    2k Views
    Thanks @gertjan! I don't actually have the specific IP addresses my network is allegedly making connections to, but these instructions are excellent and showed me how to do what I wanted which is to log all outgoing connections from my network. Thanks very much indeed for taking the time!
  • Route to WAN with ExpressVPN enabled

    0 Votes
    1 Posts
    117 Views
    No one has replied
  • pfSense Firewall Rules

    0 Votes
    21 Posts
    3k Views
    Thanks KOM for your help and your patience.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.