• 0 Votes
    2 Posts
    157 Views
    D
I figured out that this is working for my purposes: [image: 1550683044398-20-02-_2019_18-16-44-resized.jpg] But do I always need a block rule for all other interfaces? Is there nothing similar to an implicit deny rule? (like I see on a FortiGate)
  • pfSense blocking Druva inSync

    29
    0 Votes
    29 Posts
    3k Views
    stephenw10S
    If you can get a list of IPs their servers are using, you can bypass those as destinations for the proxy. But since they have presence across AWS it will be a very large list, or maybe not possible at all. Steve
  • pfSense and myqnapcloud CloudLink

    9
    0 Votes
    9 Posts
    2k Views
    johnpozJ
    So what does the client log show? Is it trying to connect to your pfSense public IP? What does the OpenVPN log on pfSense show?
  • LAN net (macro) as Source vs specifying any (*) as Source in a rule

    5
    0 Votes
    5 Posts
    562 Views
    jimpJ
    It is even more critical when you have rules with a gateway set. If you allow from a source of * and have a gateway set, it's possible to accidentally cause pf to forward broadcast traffic which could cause a network traffic loop.
  • Public networks behind firewall

    10
    0 Votes
    10 Posts
    930 Views
    K
    I think I found the answers here: https://docs.netgate.com/pfsense/en/latest/book/firewall/methods-of-using-additional-public-ip-addresses.html https://docs.netgate.com/pfsense/en/latest/book/routing/routing-public-ip-addresses.html One more question. I want to use a few of these public IPs on devices on another pfSense interface. How can I do that?
  • Unable to route only torrent traffic over VPN

    3
    0 Votes
    3 Posts
    1k Views
    D
    Okay, figured out part of the problem. Had to open some additional ports for the tracker URLs to work. Now I can route torrent traffic over the VPN if I set the source port, but I still can't manage to have traffic go out by filtering on the destination port.
  • Measure DPI performance on 10Gbps NICs

    3
    0 Votes
    3 Posts
    506 Views
    B
    @stephenw10 Hey Stephen, thanks for your reply. We are indeed looking into Snort right now, although we have changed the way we are gonna test it. We will try to use iperf with the -F (file input) flag set with a text document containing the phrase to be blocked. But anyway, I'll head to the IPS/IDS section with further questions. Benjamin
  • Block ALL from pfSense box but pass all routing...

    6
    0 Votes
    6 Posts
    449 Views
    stephenw10S
    Hmm, about the only way I can see that working is if you add a virtual IP on the WAN and use that as the translation address for traffic from the LAN. Then you can add a pass rule for that above the block rule for everything from 'this firewall'. Steve
  • 0 Votes
    4 Posts
    644 Views
    D
    @johnpoz Thanks, that was the problem. Did a few quick tests with that setting enabled and now everything appears to be working as intended.
  • Unable to access single host on LAN from OpenVPN

    2
    0 Votes
    2 Posts
    349 Views
    johnpozJ
    @dutchsamurai said in Unable to access single host on LAN from OpenVPN: I can access all hosts apart from a single one. So how does that have anything to do with pfSense then? Prob something as simple as that host running a firewall.
  • Unable to select gateway in firewall rules.

    3
    0 Votes
    3 Posts
    174 Views
    L
    Found it under advanced. Thought I had looked through advanced before. Guess I'm just getting old and tired.
  • Firewall Rule to limit IP cameras from getting internet access

    7
    0 Votes
    7 Posts
    2k Views
    R
    Hi, I have it set up with static IPs for each camera, then each camera has been added into an Alias (Cameras). The only way I could get it working was with the !LAN part of my rule. I don't really understand why that works, as it was trial and error to get it working. @akuma1x said in Firewall Rule to limit IP cameras from getting internet access: @richtj99 said in Firewall Rule to limit IP cameras from getting internet access: @akuma1x How do I give them no internet while being on the same subnet/single VLAN? This is how I do it: All of these cameras need to have static IP addresses set up in the DHCP server section for the subnet/network your cameras are on. Then make an Alias for all the cameras. This is found under the Firewall tab up at the top of the screen. Once the alias is made, you can create a single firewall rule, on the subnet/network your cameras are on, and deny it access to the internet. Make this rule the top-most rule in the list, right under the anti-lockout rule. Denying access to the internet is pretty simple, if in fact you want to deny access to ANY external internet service. On that last firewall rule, set your action to reject or block, set the protocol to ANY, your source to single host or alias using the ALIAS you created above, and the destination to ANY. This sets the rule up so no ALIAS traffic leaves the subnet/network, including traffic bound for the internet. Jeff
  • Need help setting two WAN IPs to HAProxy

    2
    0 Votes
    2 Posts
    192 Views
    F
    Turns out my logic was correct, I was just mistaken on the settings for the firewall rule. All traffic from outside to the VIP from all protocols and it is now working.
  • Google stops working automatically some time (pfSense 2.4.4).

    6
    0 Votes
    6 Posts
    690 Views
    GertjanG
    Ok. Here it is: several thousand pfSense installations, and yours is blocking "Google". We all have the same code base. Only our settings are different. I propose that you detail your settings / packages, etc. What will work right away: reset to default settings. Activate WAN. Do nothing else. Do not add any packages. Your problem will be solved.
  • Easy Question: Block all outside DNS except Pihole

    7
    0 Votes
    7 Posts
    407 Views
    johnpozJ
    His method is cleaner, easier to read, and better in the long run. Inverted rules can be useful, and I do use them, but they are not for everyone ;)
  • Disable or prohibit routing between local subnets

    9
    0 Votes
    9 Posts
    747 Views
    johnpozJ
    ping (or ICMP) is not TCP/UDP ;)
  • Single Host Entry Disabled - Why?

    3
    0 Votes
    3 Posts
    162 Views
    S
    Agree - seems like a GUI bug. To answer your question, yes in this case I want it limited to a single alias (it's for sync mirroring). I have tried changing back to every menu item and it's always disabled. In fact, all my NAT entries on this device are disabled when I try to change to single host/alias yet on a "matching" device in another location it's fine. If I create a new NAT entry it's also disabled. If nobody knows, I guess I can save a backup, change backup XML and then restore the backup.
  • IPVanish VPN client works, internal network doesn't.

    5
    0 Votes
    5 Posts
    442 Views
    L
    I have three interfaces, LAN, WAN and the VPN. All three have these options unchecked. I would like the 192.168.2.* to be able to talk to the 192.168.1.* I decided to change my VPN to NordVPN instead of IPVanish but the results are the same. I followed this how-to to set it up: https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/ My network topology is fairly simple: [image: 1549869729247-d24d461f-d108-4313-af0f-08bdcafd491f-image.png] I have these firewall outbound rules, no other firewall rules have been implemented: [image: 1549869127492-7502fa9b-b037-414f-a699-676babcc9dac-image-resized.png]
  • v2.4.4_p2 Log puts tracker number instead of description

    9
    0 Votes
    9 Posts
    741 Views
    johnpozJ
    And if you don't want to log it, who says it's still there... Put in a feature request if you want it to put the desc on old log entries that are no longer set to log ;) No future entries will be put in, etc. What if you edited the rule and its ID changed, how would it find the OLD desc, etc. What if you change the desc, etc.
  • Need help with forwarding web traffic to the proxy server on the network

    8
    0 Votes
    8 Posts
    699 Views
    T
    It still won't work, and I have even tried rebooting the pfSense earlier today
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.