• How does a hotel blocks outgoing connection to public CPE IP addresses?

    15
    0 Votes
    15 Posts
    1k Views
    G
    @keyser That might be a good idea to test next time my friend is abroad. Thank you for this tip!
  • Block LAN IP from Internet Access on Gateway Group

    4
    0 Votes
    4 Posts
    295 Views
    S
    @viragomann I've been using the failover gateways for about 2 years. Monitoring has been set up and working for a long time. Seems no matter what I do though, the rules do not care what gateway I define. It just uses the group regardless and fails over to the cellular ISP. Not sure where to go from here. I tried this on a completely fresh instance of pfSense in a test environment too and it does the same, so I'm sure it's me doing something wrong. It should be as easy as making a pass rule on LAN with the IP as the source, any as the destination, any protocol, and setting the gateway under advanced settings to either the WAN you want to use or the gateway group you want to use. Put it at the top of the list, save/apply and reset the firewall. Is this not correct?
  • 0 Votes
    18 Posts
    3k Views
    JonathanLeeJ
    @johnpoz thank you again for the OpenWRT recommendation. It is amazing, I have it running on an Archer C7. Never going back to the stock firmware it is amazing. I am perplexed at how they got that to run on such a small set of code. Just wow!! (I still love my pfSense never leaving it) but I got to tell you OpenWRT can hold its own with the 7000+ packages even my favorite Squid is on it.
  • IP Fragment Reassemble Option Question

    1
    0 Votes
    1 Posts
    121 Views
    No one has replied
  • pfSense blocking icmp from my gateway ip every 30 seconds.

    4
    0 Votes
    4 Posts
    278 Views
    GertjanG
    @radiostyrd said in pfSense blocking icmp from my gateway ip every 30 seconds.: Is this normal? Depends on you. It's like having your front door right in front of the playground of a school. Don't be surprised that your doorbell will 'ring' every minute or so. Or, at home, you shut down the power to the doorbell push button, and problem solved. With pfSense, you tell the default, hidden final "block all" firewall rule to shut up: [image] The Internet is full (loaded) with traffic trying out any kind of host, to 'see' if some 'port' is open ... and that's fine, that's how things are these days. Just let them hit the firewall. That's why you have the firewall in the first place. @radiostyrd said in pfSense blocking icmp from my gateway ip every 30 seconds.: the firewall logs that pfSense blocks ICMP (ping?) from my gateway ip every 30 seconds. In this case, take an extra 2 minutes, and see who is sending the traffic, where it comes from. Internet traffic is like a postal envelope used by you when you use the original snail mail services: on the outside, there is the destination address and the sender address. (That is, it used to be like this in the past; these days that's less done for whatever reason.) If the sender is, for example, your ISP, there might be a reason that they are doing this. Like (just joking): as your equipment doesn't reply to the ping, the ISP considers your equipment down and they stop your connection ^^ If the ping comes from your neighbor: go ask him?!
  • Allow VLAN Traffic to Internet?

    36
    0 Votes
    36 Posts
    10k Views
    D
    Thank you to everyone who contributed to this thread. You helped me get my VLAN working and appropriately secured and isolated.
  • pfSense not acting as stateful firewall for ICMP

    6
    2
    0 Votes
    6 Posts
    447 Views
    M
    @Bob-Dig That's what it was, thank you.
  • pfBlockerNG "broke" the firewall . . .

    7
    0 Votes
    7 Posts
    505 Views
    S
    @willyd said in pfBlockerNG "broke" the firewall . . .: Is there such a thing as "closing" a topic on this forum? No. You may be able to edit the title.
  • Syntax error with Plex accessing outside the network

    4
    0 Votes
    4 Posts
    241 Views
    johnpozJ
    @Silentknight plex is a simple port forward.. I sure wouldn't enable UPnP.
  • PFSense : port 0 closed? AFAIK it's not a real port.

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG
    @JonathanLee The concept of "port 0" was probably introduced to make people aware of the fact that a protocol like ICMP doesn't use "ports". Dunno why "0" was chosen. N/A is probably also a good choice. Or a "syntax error". Remember: Gybson had to make pure rocket science (back then) clear to the public.
  • can i restrict access to be only from my country IP range

    5
    0 Votes
    5 Posts
    321 Views
    johnpozJ
    @SteveITS ^ exactly, I do this for services I share to the internet.. Works great.
  • Up to date guide for AirPlay across VLANs?

    4
    0 Votes
    4 Posts
    707 Views
    T
    No responses? Are my rules really that bad?
  • 0 Votes
    1 Posts
    103 Views
    No one has replied
  • Any security advantages to OPT port/interface over VLAN Interface ?

    4
    0 Votes
    4 Posts
    378 Views
    johnpozJ
    @CharlesT there is no difference..
  • Help needed with network design (Client isolation on same subnet)

    9
    0 Votes
    9 Posts
    795 Views
    JKnottJ
    @CharlesT said in Help needed with network design (Client isolation on same subnet): I’ve been trying to isolate a single device from communicating with other devices on my network while still reaching the internet. Some switches can be configured to do what you want.
  • Re-directing Client DNS Requests

    21
    4
    0 Votes
    21 Posts
    2k Views
    S
    @johnpoz Quick question, slightly off topic. I set up an OpenVPN client last night, which works fine, eventually! However, with regard to how I have now got the DNS resolver set up, is there anything I should do regarding DNS, i.e. use the VPN supplier's DNS or leave as is, i.e. down to pfSense? Also, I was looking to add multiple OpenVPN clients into pfSense for different countries, which will be useful for the upcoming football season; currently I use a VPN app on the firestick to change countries as need be. Whilst I believe multiple VPN clients is relatively easy, is there an easy way to switch between them at will? Thanks Steve
  • what's the difference "VLAN1 subnet" to "192.168.1.0/24"

    11
    0 Votes
    11 Posts
    1k Views
    johnpozJ
    @Gummi again broadcast traffic isn't going to pass your router.. You're not going to get name resolution via that across subnets. What rules you put on pfsense isn't going to matter.
  • NAT rules not getting processed?

    3
    2
    0 Votes
    3 Posts
    298 Views
    D
    @johnpoz And now that it's pointed out it's so obvious why it's not working. Apologies, looks like I'll have to go back through the config history to see when the NATs were updated to have a source port. Thank you kindly
  • PfSense Packet filter on only bridge not working.

    1
    0 Votes
    1 Posts
    124 Views
    No one has replied
  • IPsec over VIP CARP IP

    8
    2
    0 Votes
    8 Posts
    593 Views
    M
    @T2M5 said in IPsec over VIP CARP IP: Thanks a lot for the help, have a great day bro. glad that it worked, good day for you too bro
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.