• Email Stuck in outbox - Gmail (Resolved)

    0 Votes
    7 Posts
    514 Views
    The VPN I use is NORDVPN. Hope this helps.
  • Bridge

    0 Votes
    4 Posts
    2k Views
    Problem Solved. Changed setup to a 2-Interface bridge, with Fixed IP on WAN side. The key change was to enable DHCP Relay, and then allow WAN to Pass UDP Port 67 & 68. Now I can filter Inbound & Outbound in the same way as regular NAT Firewall mode.
  • How to monitor and then sizing Advanced Options of a rule?

    0 Votes
    1 Posts
    169 Views
    No one has replied
  • NetGear(s) in AP Mode will not communicate on different LANs (Resolved)

    0 Votes
    34 Posts
    3k Views
    That resolved the issue!!! You're awesome!!! Communication works now on both AP(s) Thank you so much for your help!! Thank you everyone else as well!!
  • Pfsense doesn't apply rules

    0 Votes
    14 Posts
    2k Views
    Hi! I did the following steps: 1) I looked in /etc/inc/util.inc and found the body of the function send_message. I saw that the function opens a file and writes a command to it. If the file doesn't exist, the function runs the daemon check_reload_status. 2) But I didn't find the file being written to. I tried to run check_reload_status manually and got the error "library libevent-2.0.so.5 not found"! I ran the command ldd /usr/local/sbin/check_reload_status from the command line and saw that the library libevent-2.0.so.5 was indeed not found. I searched for the missing library and found another version of libevent. In the end I created a symbolic link: ln -s /usr/local/lib/libevent-2.1.so.6 /usr/local/lib/libevent-2.0.so.5. Now I see that everything works perfectly! I rebooted the server - everything works! Konstanti! Thanks for your help!
  • How to block all but a few outbound ports for alias

    0 Votes
    11 Posts
    1k Views
    @johnpoz I did something stupid: I based all my testing on nslookup from a laptop (192.168.2.248) but did not include UDP 53 in the pass rule. To simplify the rules for myself I disabled the rule which included the IP alias for TCP 25, 53 and 123 and created a new rule for only TCP 53 for 192.168.2.248. Now I have edited the allow rule for TCP/UDP and things work as expected. [image: 1548442818009-89ff2cf0-98a6-45b6-b86b-34b4ce104254-image-resized.png] Thanks very much for the info on active states and for helping with my mistake.
  • Blocking Youtube but not other google services

    0 Votes
    1 Posts
    168 Views
    No one has replied
  • How do I allow traffic from the firewall itself out to the Internet?

    0 Votes
    2 Posts
    215 Views
    senseivita
    After a while the drops have mostly ceased. I guess I just needed to let it settle down. :) It might even have turned out better than before, because now the ruleset is fully aliased even for the predefined ports; changing massive quantities of rules now requires changing only an alias. So, so cool. <3 Why do the emojis get transformed into some lump figures? 🤨 They're odd... like they melted in a horror movie for kids or something.
  • Netflix not working on smart TV and android devices

    0 Votes
    6 Posts
    1k Views
    @da-brown-m1 Hi, Sorry to revive an old post. I literally have the same setup as you and wanted to know if the DM200 was indeed the cause?
  • Deny incoming RDP

    0 Votes
    5 Posts
    626 Views
    This is from an older version of pfSense, but I'm pretty sure the Firewall -> Rules -> WAN tab reads the same with a brand new default install. I can't easily take a screenshot of mine, since it's filled with a bunch of rules. Those 2 rules listed are default WAN rules; nothing else is allowed to pass through, inbound. [image: pfsense_rukes01.png] And your RDP out from the local LAN network to the cloud should work just fine, if you didn't change, or delete, the LAN firewall rule to allow LAN to any. That rule is also a default on a fresh install of pfSense. Jeff
  • vpn server behind pfsense

    0 Votes
    2 Posts
    452 Views
    JKnott
    @kramtw Why are you running the VPN server behind pfSense? It adds an extra routing hop, and you have to tell every device you want to connect to on the LAN how to reach the other end of the VPN. Run the server on pfSense and that will be handled by the default route.
  • Nextiva VOIP support

    0 Votes
    5 Posts
    1k Views
    chrismacmahon
    Can attest, we have many customers running SIP behind pfSense. I would look into this article and see if it helps: https://www.netgate.com/docs/pfsense/nat/configuring-nat-for-voip-phones.html
  • Allow only some wan IP's access through a given port

    0 Votes
    2 Posts
    171 Views
    I got it to work by adding an Alias with all the WAN IPs that I need and then creating a NAT rule with the alias as a single host/alias. :)
  • Created second Lan, but machines can't communicate between networks.

    0 Votes
    26 Posts
    2k Views
    bepo
    Maybe you can do some troubleshooting with nslookup. It helps to determine if the DNS server knows the correct IP.
  • Allow Vlan from mikrotik router to pfsense firewall

    0 Votes
    1 Posts
    140 Views
    No one has replied
  • Firewall omitted when enabled transparent proxy

    0 Votes
    5 Posts
    579 Views
    Dear sir, thanks for your help. Can you please explain how to (for a noob)? Switch from "NAT/Outbound/mode automatic" to "NAT/Outbound/mode hybrid", and set all rules "interface WAN, source LAN, NAT address WAN" to disabled?
  • Virtual IP without NAT allows for Admin access on WAN

    0 Votes
    14 Posts
    1k Views
    @johnpoz said in Virtual IP without NAT allows for Admin access on WAN: "I have no idea why you would think that * is not ALL and or that it doesn't include VIP.." It's not what I think. It's what I can actually confirm. The firewall does not respond to requests for the admin interface on the WAN IP regardless of rules. Seems to me that it would be a nifty feature to do the same for VIPs.
  • Rate limiting via virusprot takes actions too early

    0 Votes
    4 Posts
    647 Views
    jimp
    It's working as intended, but perhaps not the way you expect: https://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+11.2-RELEASE&arch=default&format=html#STATEFUL_TRACKING_OPTIONS

    For stateful TCP connections, limits on established connections (connections which have completed the TCP 3-way handshake) can also be enforced per source IP.

    max-src-conn <number>
        Limits the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.

    max-src-conn-rate <number> / <seconds>
        Limit the rate of new connections over a time interval. The connection rate is an approximation calculated as a moving average.

    Because the 3-way handshake ensures that the source address is not being spoofed, more aggressive action can be taken based on these limits. With the overload <table> state option, source IP addresses which hit either of the limits on established connections will be added to the named table. This table can be used in the ruleset to block further activity from the offending host, redirect it to a tarpit process, or restrict its bandwidth.

    The optional flush keyword kills all states created by the matching rule which originate from the host which exceeds these limits. The global modifier to the flush command kills all states originating from the offending host, regardless of which rule created the state.

    For example, the following rules will protect the webserver against hosts making more than 100 connections in 10 seconds. Any host which connects faster than this rate will have its address added to the <bad_hosts> table and have all states originating from it flushed. Any new packets arriving from this host will be dropped unconditionally by the block rule.

        block quick from <bad_hosts>
        pass in on $ext_if proto tcp to $webserver port www keep state \
            (max-src-conn-rate 100/10, overload <bad_hosts> flush global)

    You specified a rate. Note that it is not a literal count of X states in Y time, but a calculated average. If they connect at a rate faster than the one you chose, on average, they will be blocked, even if they did not explicitly exceed the stated limit over the entire time period.
  • Firewall "Pass" rules are not processing non-SYN tcp packets

    0 Votes
    4 Posts
    709 Views
    jimp
    When you do manual rules to pass with any flags and sloppy state, note that you have to do them twice: Once for traffic entering the firewall, and again where that traffic will exit. So you need a rule on the interface tab and then an outbound floating rule on the WAN or whatever interface it leaves. By default, TCP rules only match on flags S/SA (meaning SYN set, ACK not set), but when you set flags to ANY, that behavior is changed to match any flag combination.
  • Problem to grant TeamViewer internet access?!

    0 Votes
    4 Posts
    549 Views
    Problem partially solved. Determined it is not related to pfSense. Thread can be dismissed.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.