  • Advice to isolate few known hosts on the same network

    4
    0 Votes
    4 Posts
    557 Views
    JKnottJ
    @d82k said in Advice to isolate few known hosts on the same network: would it be feasible? Unless the traffic actually passes through pfSense, no. If they're all on the same subnet, the traffic will never pass through pfSense, so it can't have any effect.
  • Firewall Advice

    firewall security
    4
    0 Votes
    4 Posts
    1k Views
    A
    @eddiemcdiarmid said in Firewall Advice: Hmm interesting. I don’t have any rules but the managed of the network I’ve named ‘external network’ can see my router. Is there a rule I can add to block them being able to access my network? Seeing your network and accessing your network are two very different things. You say both in your reply post above. The default block/deny rules on every pfsense install for the WAN interface, like @johnpoz talks about above, keep people/hosts from accessing your network. You don't need to do it, but if you're really paranoid about that external network, you could set a specific block rule in your WAN interface to block/deny its IP addresses. Again, you really don't need to do it, however. This is an example of the default settings and wording from an old version of pfsense, but I think the current versions still look like this on the WAN interface: [image: pfsense-firewall-wan.png] Jeff
  • 0 Votes
    2 Posts
    259 Views
    H
    Anyone have ideas?
  • VPN Kill Switch Blocks Website Access

    2
    0 Votes
    2 Posts
    399 Views
    K
    @kiekar Resolved issue by adding new floating out rule above kill switch. [image: 1546462106767-floating_rule2-resized.jpg]
  • 0 Votes
    10 Posts
    1k Views
    DerelictD
    It would require a change upstream in pf. Proper firewall rule design should be adhered to. I probably can't convince you on this, but my stance and point remains :-) Right, which is why I created 6799.
  • Modem GUI/SSH access stops when pfSense has active PPPoE connection.

    32
    0 Votes
    32 Posts
    4k Views
    chpalmerC
    @girtsj It's the way that particular modem was designed. I've got one I ran for a couple of weeks before going to bonded service at one of our shops. It was the only way I could make it work.. going from memory. @netblues Since the PPPoE session creates a pipe through the interface anything outside the pipe on the WAN is unreachable from the router without some configuration to make it work such as what is described on the "accessing modem" page linked earlier. If a store-bought router works out of the box I have to believe that the manufacturer has built something into that particular router allowing the connection. It would be like creating a leak somehow. I could never make our Huawei work using the information from the modem access page either. But it did work with the ZOOM 15 series modems we were using.
  • 0 Votes
    9 Posts
    3k Views
    A
    I wanted to post an update for anyone else that may have a similar issue and stumble across this. My plan for the Windows static routes did not work at all; it looked like it did at first but within a couple hours print jobs were hanging again. I ended up having an opportunity over the long Christmas weekend to get into the 3rd party Cisco devices and configure a transport network which (knock on wood) seems to have eliminated the issue. The firewall is up and I've been checking the print logs several times a day and have yet to see any errors or hung jobs so it does indeed look like asymmetric routing was the issue. Thanks @johnpoz for the help!
  • pFsense : Firewall static routes ?

    1
    0 Votes
    1 Posts
    331 Views
    No one has replied
  • pfSense firewall connecting to Verizon FIOS Quantum Router Setup

    1
    0 Votes
    1 Posts
    286 Views
    No one has replied
  • Missing Ipsec tab for firewall rules

    2
    0 Votes
    2 Posts
    568 Views
    RicoR
    You need to create and apply Phase 1 first to get the IPsec tab in Firewall Rules. -Rico
  • WAN > Default deny rule IPv4 (1000000103)

    1
    0 Votes
    1 Posts
    298 Views
    No one has replied
  • error(s) loading the rules after upgrade to 2.4.4-1

    20
    0 Votes
    20 Posts
    1k Views
    jimpJ
    Yep, that did it. Issue here: https://redmine.pfsense.org/issues/9231 Fix pushed, will show up on Redmine shortly.
  • pfsense blocks everything in lan

    16
    0 Votes
    16 Posts
    2k Views
    Е
    gods pfsense save me ))
  • Firewall Rules not working

    22
    0 Votes
    22 Posts
    2k Views
    K
    @yupq6wlc79ts It is possible to allocate them in a separate subnet (as I have done) or create an alias firewall / alias (write there all 5 ip) and then use the alias in the rule as a source. Then the rule will be one.
  • Block Incoming connections

    5
    0 Votes
    5 Posts
    656 Views
    johnpozJ
    And what are your rules on your wan links... By default there would be no rules and everything would be blocked... Only if you put rules on these wan interfaces could stuff be allowed in.. So post up your rules..
  • Firewall gets into bad state - cannot establish connections

    5
    0 Votes
    5 Posts
    657 Views
    O
    How can I keep the "pfctl -x loud" setting active?
  • Changing LAN IP will block all traffic on it ?

    3
    0 Votes
    3 Posts
    396 Views
    M
    Thanks.. I think it is the heart of the problem I see, I do not clearly say what I do: configuring en2 to LAN (virtualbridge1) during install, configuring en2 to RealLAN after config, losing all connection on all interfaces.. I'll be careful, next time.
  • Creation of new view (monitoring) is not working

    4
    0 Votes
    4 Posts
    514 Views
    KOMK
    Flush your browser cache? Ctrl-F5? You're using different themes. Perhaps try the default one? It shouldn't make any difference but always try the simple stuff first. Anything in the System log when you create a view that doesn't show?
  • A crash report

    4
    0 Votes
    4 Posts
    516 Views
    L
    @babiz Sorry! It's my mistake that I hadn't explained my post before you replied. Anyway, I am just posting this report in case it's helpful for Netgate. That is all. Have a good day