• Recurring Default deny rule IPv4(1000000103)

    0 Votes
    14 Posts
    1k Views
    johnpoz
    @rwarnken as @Gertjan mentions, turning off logging of the default deny can be helpful for keeping your logs less busy. I have it off, and just have the stuff I am interested in logging per settings on the rules, etc. If you run into something not working and you need to troubleshoot to see if, say, it's being blocked by default deny, turning it back on is just a click away.
  • Filtering/Blocking & or AppID detection of DNS over HTTPS (DoH) or DNS over TLS (DoT) via Snort/Suricata

    0 Votes
    16 Posts
    3k Views
    Gertjan
    @abds69 said in Filtering/Blocking & or AppID detection of DNS over HTTPS (DoH) or DNS over TLS (DoT) via Snort/Suricata: with proxying internet flux on each computer. Great! To circumvent DoH .... let's proxy each LAN device .... Isn't that like: to prevent my gas cylinder from exploding during a fire, let's throw a nuke on it. Btw: the nuke doesn't come for free (either). @abds69 said in Filtering/Blocking & or AppID detection of DNS over HTTPS (DoH) or DNS over TLS (DoT) via Snort/Suricata: restricting LAN outbound of UDP traffic on 443. Isn't DoH using TLS, thus TCP? You should also block TCP port 443 (and 80).
  • pfSense blocking the Yahoo site

    1
    0 Votes
    1 Posts
    118 Views
    No one has replied
  • Block internet for an ip in a certain interface

    0 Votes
    4 Posts
    264 Views
    Gertjan
    @vettalex said in Block internet for an ip in a certain interface: block an IP of the OPT network for browsing the internet. Knowing that the IP is defined by you, as it is static. @vettalex said in Block internet for an ip in a certain interface: browsing the internet. I presume you do this with a web browser. This implies ports 80 and 443. Both TCP. Now, all you need is a firewall, and set up a rule that states the source IP, and destination ports 80 and 443, using protocol TCP. You can use pfSense for this.
  • Black diamond led is off, pfsense dont boot

    0 Votes
    9 Posts
    389 Views
    Gertjan
    @Firewalldude89 if pfSense hasn't booted, or is stuck on the 'BIOS' prompts as it can't boot, then .... then you have no choice. Like a PC stuck at the BIOS level if no boot drives can be found. But I'm not sure if the "BIOS", or whatever loads and launches the OS found on a drive, has a 'shut down' command. Right now, my advice shown above is more for the next time. Right now: contact TAC support to get a firmware for your 1100. Burn it to a USB drive; see the Netgate pfSense documentation for a step-by-step guide. Insert the USB drive into your 1100 and power on. Normally it should boot from the USB drive and let you reinstall pfSense. During all this, you are probably able to retrieve the current pfSense config from your built-in drive, before it gets totally partitioned.
  • Cannot connect from pfsense device to monitoring server

    0 Votes
    2 Posts
    182 Views
    N
    @ncted I've used pfSense in this capacity before, but it was quite some time ago. If I recall correctly, I set up pfSense in a filtering/router capacity by disabling outbound NAT rules and setting up static routes on my upstream (internal network) firewall/router, so my production LAN would have routes to the pfSense LAN-side hosts network via the pfSense WAN interface. I believe I also set my internal upstream router as the pfSense WAN interface default gateway. Also keep in mind that if you disable outbound NAT, your pfSense LAN side must not overlap any of your normal production LANs. Hope that helps.
  • Certify the Web - anyone being blocked?

    0 Votes
    4 Posts
    355 Views
    cdsJerry
    We found a work-around. We had tried doing DNS verification but it kept failing. It turns out that Certify the Web had created a DNS entry but then just left it there. So when it came back to renew, it was creating a new entry but reading the old one. We deleted all their DNS entries (37 of them) and it passed. So we won't need to do the HTTP verification, which means we don't need it to find its way past pfSense. While this doesn't solve the pfSense question, it does solve our problem, so I'm going to move on. Thanks for the help.
  • Design Flaw: Web GUI listens on WAN with no disable

    0 Votes
    3 Posts
    346 Views
    Gertjan
    @muvaminon said in Design Flaw: Web GUI listens on WAN with no disable: The Web GUI also listens on WAN. And not only nginx, the GUI web server. If you run it, SSH also listens on 'all interfaces'. Unbound, the resolver, same situation. And things get worse: I'm not sure how many copies of pfSense are being used out there, but it must be a 6 if not 7 digit number: they all have this issue. @muvaminon said in Design Flaw: Web GUI listens on WAN with no disable: The commonly advised countermeasure is to change the port from 80 or 443, but that naively assumes that attackers won't be scanning and analyzing all ports. So don't ^^ Security by obscurity doesn't stand long ... in 30 seconds using a GUI - and nmap will be way faster: [image: 1723643312118-2a69c871-9fdc-4f1f-8080-0546643f494e-image.png] No ports open! (this is the default Netgate pfSense behavior). So no risk whatsoever. Case closed. @muvaminon said in Design Flaw: Web GUI listens on WAN with no disable: But, OPNsense has the same flaw so I'm still here. Yep, we start to see the trend also. The real issue is actually: the human part behind pfSense, also called the 'admin'. Same as this: [image: 1723644220530-61519748-d95d-43a6-988f-6240fb2164af-image.png] The car has a steering wheel.... and you can turn it to the right. You've learned not to do so. Should the wheel be removed? Ok, sorry, I'll be a bit more serious: I get it, why not double the security by not having the web server listening on the WAN NIC? It's easy to set up a web server (nginx) config file so it listens on one (pre-selected, normally LAN) interface. This is still possible, if you really want to do that. edit: @JKnott said it all using way fewer words.
  • Bugs: PHP error memory exhausted in CE r2.7.2 and rate limits crashing

    0 Votes
    5 Posts
    305 Views
    S
    @muvaminon said in Bugs: PHP error memory exhausted in CE r2.7.2 and rate limits crashing: @SteveITS Thank you. It's in "Diagnostics/Edit File". That's to edit files on disk. I am thinking of this setting in System/Advanced/Miscellaneous: [image: 1723643488866-b3170729-a5c3-4cae-bc7c-6ef651893540-image.png] Since that exists, I would expect it to override, or overwrite, an edited file on disk. Possibly, at the next boot.
  • Please review my Auth & OS changes log for concerns

    0 Votes
    4 Posts
    275 Views
    Gertjan
    @lnr36 Well, you have these 'names', time to grep?!
  • Changed 5G sim card in modem and now can't open websites

    0 Votes
    3 Posts
    217 Views
    W
    @slu said in Changed 5G sim card in modem and now can't open websites: Not sure which modem you are using. I have a Zyxel NR 7202 up on the roof. Thank you. I will try entering the APN in the morning (need to wait until daylight to change out the SIM to test).
  • 0 Votes
    1 Posts
    171 Views
    No one has replied
  • Very strange bug in firewall behavior. Pfsense blocks another IP

    0 Votes
    3 Posts
    222 Views
    L
    It is a general block rule in the above firewall screenshot (the third one). The whitelisting is the first rule, and I expect it to allow access. The interesting thing is that, regardless of what I whitelist, the firewall perceives it as -1. If my IP ends in .11, pfSense logs it as .10. I started to suspect that my mobile ISP (EE) might be causing this issue by assigning an IP of 31.94.64.11, performing some inspection, and then redirecting it as 31.94.64.10. I will test it with another ISP to confirm.
  • Cannot reach another lan

    0 Votes
    5 Posts
    274 Views
    P
    @Gertjan I was able to get to LAN 1 from a host. I was unable to go between LANs 1 & 2 until I had gotten pfSense online with my internet connection. Not sure why, but that resolved the issue for me. I can now disconnect my WAN and still go between the LANs. But I was not able to do this until I had an internet connection through the WAN first.
  • Allow LAN

    0 Votes
    5 Posts
    325 Views
    F
    Hi @johnpoz, thank you for your patience. The issue was solved. How? I put OpenWrt on the Deco M4 and now it is working. I do not know why it was working from pfSense and not from the LAN, but as it is working now I suppose it was the M4. Thanks! Florin
  • Port 0 scanned however no way to enter alias with it

    1 Votes
    4 Posts
    283 Views
    JonathanLee
    @johnpoz Found the rule in /tmp/rules.debug [image: 1722790731406-screenshot-2024-08-04-at-09.57.11-resized.png]
  • Catch all rule is blocking a single ip that I dont want it to block

    0 Votes
    2 Posts
    158 Views
    S
    @sfigueroa first check if it's this: https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
  • Firewall disabled during Config safe and config backup?

    0 Votes
    1 Posts
    97 Views
    No one has replied
  • How to silence logging for packets dropped due to IP options?

    0 Votes
    33 Posts
    2k Views
    johnpoz
    @beatvjiking said in How to silence logging for packets dropped due to IP options?: lots of bonjour devices. Noise bots ;)
  • Mikrotik Transparent Bridge Mode Questions

    0 Votes
    2 Posts
    231 Views
    C
    You don't want to be routing local traffic through a transparent firewall. Replace the Mikrotik with pfSense. You will end up with a better firewall.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.