• VLAN Setup Advice

    0 Votes
    3 Posts
    465 Views
    K
    Hi and thanks for your reply, I recently raised another thread on my setup not working. Thread 140443
  • Correct GW for bridged pfSense box

    0 Votes
    4 Posts
    582 Views
    johnpoz
    Why can you not just leverage the Mik as AP? Then use pfsense as your edge firewall/router and for routing all your internal segments. This will give you insight and control over your internal network and to and from the internet. Just leverage the Mik as wireless. What specific model do you have?
  • Speech path being blocked after call established

    0 Votes
    2 Posts
    310 Views
    JKnott
    @qball Since you're behind NAT, you need to use a STUN server to tell the other end what your real address is. There may also be some issues with maintaining the path through NAT for UDP.
  • Forward all traffic

    0 Votes
    2 Posts
    324 Views
    Rico
    I'd set up site-to-site VPNs with your home 100/100 as hub; you can route/NAT any traffic inside the tunnels back and forth like you want/need. Which coin are you going to run? -Rico
  • error loading the rules: no IP address found

    0 Votes
    10 Posts
    1k Views
    RonpfS
    Have a look at Diagnostics > ARP Table and NDP Table.
  • Got a lot of Default deny rule IPv4 (1000000103) from WAN, am I got hack?

    0 Votes
    24 Posts
    3k Views
    JKnott
    @derelict said in Got a lot of Default deny rule IPv4 (1000000103) from WAN, am I got hack?: Still have a working (sort of) Altair 8800 in the family. The IMSAI was a better quality clone of the Altair.
  • Advice needed - way to give rule descriptions to syslog server

    0 Votes
    5 Posts
    460 Views
    asv345h
    What about the rule's "tracking id"? You would still have to use something like Logstash to match the tracking ids to descriptions though. Your post got me curious so I tried it out. I created a CSV file from this one-liner and used the Logstash Translate filter plugin to map tracking ids to descriptions. As long as the fw rules are fairly stable, it's not too much of a pain.

        pfctl -vv -sr | grep USER_RULE | sed 's/[^(]*(\([^)]*\).*"USER_RULE: *\([^"]*\).*/"\1",\2/' | sort -t ' ' -k 1,1 -u

    Here's a screenshot from Elasticsearch alerting on my country blocking rule. Logstash added the description field. Note: credit for the sed command goes to this guy on SO.
  • Camera VLAN - Firewall rules

    0 Votes
    2 Posts
    868 Views
    S
    OK, never mind. I sorted through this. Took getting another computer up and onto the camera network to make sure things were working the way I wanted, and took a bit to wrap my head around the rules for the camera interface as this was a bit more involved than my IoT implementation.
  • Erratic rule behavior for an alias

    0 Votes
    3 Posts
    269 Views
    T
    I decided to use my own DNS server as domain override. To test the DNS server I tried it directly:

        $ nslookup
        > server 192.168.1.166
        Default server: 192.168.1.166
        Address: 192.168.1.166#53
        > delta37tatasky.akamaized.net
        Server: 192.168.1.166
        Address: 192.168.1.166#53
        Non-authoritative answer:
        delta37tatasky.akamaized.net canonical name = a1279.w10.akamai.net.
        Name: a1279.w10.akamai.net
        Address: 122.15.34.35

    and it works as seen above. Next I changed the Domain override as follows (see screenshot). But nslookup fails to work:

        $ nslookup
        > delta37tatasky.akamaized.net
        ;; Got SERVFAIL reply from 172.16.1.1, trying next server
        ;; connection timed out; no servers could be reached

    Any idea what is wrong?
  • Firewall rules for Synology apps fail to match traffic

    0 Votes
    3 Posts
    602 Views
    ?
    Hi Steve, thank you for your reply. I actually forgot that the NAS still had an active interface in the same network my mobile phone is connected to. Since the phone uses the NAS IP in the .10 network but both phone and NAS were in the .15 network, the TCP connection got messed up. If only Synology would allow binding services to one or more specific interfaces... Anyway, now it's working. Alex
  • LAN1 can access computers but not managed switch on LAN2

    0 Votes
    5 Posts
    700 Views
    stephenw10
    Yeah, better to avoid tagged and untagged traffic on the same interface if you can, because of exactly this sort of issue. There's no reason why it shouldn't work, but I suspect the switch was not doing the expected thing with the untagged traffic. Steve
  • Error Loading Rules

    0 Votes
    3 Posts
    475 Views
    K
    @stephenw10 Most likely alias WAN was created. Therefore, the error appears. It is easy to check: just see the output of the command cat /tmp/rules.debug | grep WAN
  • Firewall rules tab for non-assigned interface

    0 Votes
    9 Posts
    801 Views
    R
    That's a great link that clarifies some things (my basic understanding in my previous comment seems correct), thanks! Still wrapping my head around the parts in slides 15 & 16. When my loud kids are in bed, I'll check if the video explains that part simply enough for me :)
  • Default deny rule IPv6 (1000000105) - Internet Drops

    0 Votes
    6 Posts
    2k Views
    K
    @yupq6wlc79ts Tell me more about the problem. And show the output of the command from the CLI: ifconfig -m
  • Firewall rules with multiple IPs (ACL)

    0 Votes
    4 Posts
    660 Views
    ?
    Hi @cyberminion, At Firewall > Aliases, there is an Import button on the bottom. Paste in the aliases to import, separated by a carriage return. Common examples are lists of IPs, networks, blacklists, etc. The list may contain IP addresses, with or without CIDR prefix, IP ranges, blank lines (ignored) and an optional description after each IP. E.g.:

        172.16.1.2
        172.16.0.0/24
        10.11.12.100-10.11.12.200
        192.168.1.254 Home router
        10.20.0.0/16 Office network
        10.40.1.10-10.40.1.19 Managed switches

    Thank you, -James
  • firewall log

    0 Votes
    4 Posts
    641 Views
    Qinn
    Sorry, still not grasping it. As the source is not from my private subnet and not on the WAN interface, but a private interface (WLAN), how can it be inbound? Or do you mean that 192.168.5.68 tries to access 40.76.xxx.xxx, and when 40.76.xx.xx wants to set up a connection it's blocked? I thought established connections are not being blocked, so what default deny rule is it?
  • New pfSense vm installed, now port forwards fail

    0 Votes
    10 Posts
    694 Views
    E
    Okay, the problem was the router had Firewall rules and no NATs. I deleted all the rules, created NATs and linked rules appeared. Strangely, when I access www.domain.com from inside the LAN, the pfSense login page appears, rather than the website?
  • PfSense getting flooded with DHCPv6 requests on WAN

    0 Votes
    2 Posts
    277 Views
    jimp
    You may not use IPv6, but other devices on that segment might. Capture the traffic and take a closer look at the source. See if it's from a MAC address on your network, or on the ISP gear. It's likely some other client on the same WAN segment making the requests. Depending on how the ISP has constructed their network, it might be another customer on the same segment as you.
  • Still weird issues with fragmented IPv6 (DNS) packets 2.4.4-p1

    0 Votes
    19 Posts
    3k Views
    sigi
    @maverick_slo this does not mean that the same value is OK in your network. Try to go down further....
  • pfSense & Smart Outlets

    0 Votes
    9 Posts
    2k Views
    N
    bmeeks...Thanks for the reply. I just checked all of my Suricata logs and the DHCP reservation IP address I have set for the smart outlet could not be found. It's good to know Suricata isn't blocking the smart outlet. NogBadTheBad...I do have the latest Apple TV, it's a 4K; I checked the model number - A1842 (64 GB). I wonder though if you have to enable Homekit in the Apple TV? Maybe there is a setting for that? UPDATE - I didn't have two factor authentication enabled on my iPhone. That was the issue. I had no idea you had to have it enabled for it to work. The smart outlets now work while not on my home network.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.