• Is effective blocking whole AS w/o Squid possible?

    0 Votes
    1 Posts
    108 Views
    No one has replied
  • ET SCAN Potential SSH Scan OUTBOUND SSH

    0 Votes
    3 Posts
    414 Views

    @mcury Interesting, I will have to look more. I do have a USB backup but have had it for a while, and this Snort issue just recently started popping up. My backup still does work as far as I can tell.

  • Floating rule

    0 Votes
    1 Posts
    173 Views
    No one has replied
  • Floating rule

    0 Votes
    1 Posts
    116 Views
    No one has replied
  • per-port SYN cookies

    0 Votes
    1 Posts
    142 Views
    No one has replied
  • 0 Votes
    5 Posts
    255 Views

    @ddbnj It's probably in the docs somewhere. That one shows when adding a rule. There's an alias for each pfSense network/subnet plus This Firewall.

  • Forward 443/80 to upstream proxy?

    0 Votes
    1 Posts
    160 Views
    No one has replied
  • url blocking depending on client IP

    0 Votes
    5 Posts
    282 Views

    @Mr_JinX I agree with the possible security problems, but I haven't found much negative information on it. Also, they won me over because the dev worked on a few of my issues that were not working. So NXFilter has a built-in NetFlow collector. It wasn't working as I thought, and they worked with me on fixing it.
    It's in the back of my mind, of course, that this app hasn't been vetted by anyone (as far as I know) but... so far... works as advertised.
    It has an updated categorization system, built-in NetFlow collector, and reporting (which isn't great). Fills the home requirement.

    The issue I have with the suggestion of external DNS services is that you can't track who is visiting what site, as all source IP information will come from your WAN.

  • Proxmox web interface no longer available

    0 Votes
    5 Posts
    469 Views

    @viragomann Thank you for your responses. I'm not sure I understand your questions fully. Can you break it down a little further? I'm new to all this.

  • Suricata's "INDICATOR-SHELLCODE x86 setgid 0" killing my VPN connection

    1 Votes
    2 Posts
    448 Views

    @unique_username Presumably you enabled those rules for a reason…?

    I would just say, try moving Suricata to LAN, which will also avoid scanning all the packets that would normally be dropped by the firewall.

    Also if it’s just one IP being blocked you can suppress that alert for that IP.

  • Clear Firewall Logs only

    0 Votes
    1 Posts
    176 Views
    No one has replied
  • Consolidating rules with NOT (invert) operator

    0 Votes
    4 Posts
    395 Views

    @GPz1100 I would guess your floating rule is allowing it if/since you're not blocking those ports otherwise. But, you say FTP transfer didn't work?

    Passive FTP ports are controlled by the server. Some use all 1024 through 65535.

    FWIW I usually prefer two rules just for clarity.

    The floating vs interface rule order may be involved here, too:
    https://docs.netgate.com/pfsense/en/latest/nat/process-order.html

  • Unifi Controller Behind Netgate 6100

    0 Votes
    8 Posts
    558 Views

    Yes, it's right.
    VLANs are sub-interfaces on the ix1; add them under Interfaces / Interface Assignments.

  • Got pfSense on Azure working but pfSense update breaks

    0 Votes
    11 Posts
    1k Views

    @doiiido Thanks -- as much as I held off I just went with OPNSense for my Azure deployments. Hopefully Netgate addresses the issue in CE but I suspect they've blocked Azure Hardware IDs from getting updates if they're not paying and CE got included in that.

  • NG-2100 Trunks VLAN blocked

    0 Votes
    2 Posts
    175 Views

    Ok, so I got it sorted.

    TL;DR: A captive portal was enabled and behaved strangely on the SSID it was enabled on, wasn't showing when connecting, and caused the NG-2100 to drop packets.

    I first tried with a new NG-2100 in a lab, same configuration, and everything worked perfectly, so I suspected an issue with the LAN in production.
    I tried multiple things, got some packet captures, and saw that UDP was working fine, everything local was working fine, and TCP SYN packets were going out, but SA were blocked going back.
    I tried to make an untagged port on the L2 switch with VLAN tag 2U to try without WLAN, and everything worked fine.

    I then tried to switch the VLAN on the SSID that was not working from 2T to 1U and figured out that there was a captive portal enabled on this SSID, probably from an old config that wasn't causing issues with the old router. For whatever reason, the captive portal wasn't showing on this SSID when VLAN tagging was enabled, but was acting weird with TCP requests, I guess.

    Removed the captive portal, everything worked fine.

  • IPs disappearing from Alias table

    0 Votes
    2 Posts
    233 Views

    Noticed the same behaviour.
    It appears an alias containing two FQDNs which resolve to the same IPv4 address is not included in the table at all about 50% of the time.

    Tested in pfSense v2.7.2.

  • Locked myself out from GUI

    0 Votes
    1 Posts
    121 Views
    No one has replied
  • 0 Votes
    7 Posts
    570 Views

    Same problem here. I have an explicit pass rule for IGMP traffic that I enabled IP options on. The traffic is passing (verified with a tcpdump filter of igmp and ip[0] > 69) and yet filterlog is still recording it as being blocked and filling up the logs. The traffic is matching the rule without a log option...

    This feels like a regression, but this bug says it's not.

  • Firewall review

    0 Votes
    35 Posts
    2k Views

    @Gertjan Yeah, I know that looks fine because it's from the Netgate docs! Want to worry that, as mentioned above, you said that rule source LAN cannot be for WAN)))

  • Cant create or edit aliases.

    0 Votes
    3 Posts
    318 Views

    @SteveITS said in Cant create or edit aliases.:

    @musicwizard Actually 2.7.2 is the latest.

    Are you saving the page with a blank field maybe? It looks like it is trying to write a blank value at the beginning of the error.

    I checked the update; it said 2.7.1, but it was on the previous stable selection. Updating now.

    edit:

    Getting an error during update:
    updating the EFI loader
    install: //boot/efi/efi/boot/INS@fmTwZj: Input/output error
    pkg-static: POST-INSTALL script failed
    failed.
    Failed

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.