• Can't create or edit aliases.

    0 Votes
    3 Posts
    320 Views

    @SteveITS said in Can't create or edit aliases.:

    @musicwizard Actually 2.7.2 is the latest.

    Are you saving the page with a blank field maybe? It looks like it is trying to write a blank value at the beginning of the error.

    I checked the update; it said 2.7.1, but it was on the previous stable selection. Updating now.

    edit:

    getting an error during update
    updating the EFI loader
    install: //boot/efi/efi/boot/INS@fmTwZj: Input/output error
    pkg-static: POST-INSTALL script failed
    failed.
    Failed

  • Additional protection beyond the basic set up

    0 Votes
    10 Posts
    701 Views
    johnpoz

    @Antibiotic said in Additional protection beyond the basic set up:

    Let's say someone is scanning my pfSense for ports, etc.

    And out of the box pfSense would be completely "stealth", if you will - there are no open ports to the world out of the box. So scanning your public IP would give them nothing.

  • Fresh new setup, little help needed

    0 Votes
    1 Posts
    116 Views
    No one has replied
  • ssh wan block bug

    0 Votes
    25 Posts
    2k Views
    johnpoz

    @techpro2004 said in ssh wan block bug:

    How do I figure out where the filter logs are from?

    What do you mean? It's right there in the log who is sending the traffic. For starters I would remove the bridge; then you can filter on the interfaces where the noise is coming in, which makes it easier not to log it.

    May 13 14:00:00 pfSense filterlog[7432]: 2,,,1000000101,ix0,match,block,in,4,0x0,,128,46560,0,none,17,udp,256,169.254.14.211,192.168.1.27,1900,60690,236

    This is just pure noise. You've got something with an APIPA address, i.e. it didn't get a DHCP address? Sending SSDP to 192.168.1.27.

    May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,48715,0,DF,17,udp,863,192.168.1.4,239.255.255.251,37810,37810,843
    May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,34515,0,DF,17,udp,691,192.168.1.14,239.255.255.251,37810,37810,671
    May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,64642,0,DF,17,udp,691,192.168.1.16,239.255.255.251,37810,37810,671
    May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,9381,0,DF,17,udp,690,192.168.1.12,239.255.255.251,37810,37810,670
    May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,49402,0,DF,17,udp,691,192.168.1.18,239.255.255.251,37810,37810,671
    May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,20481,0,DF,17,udp,818,192.168.1.6,239.255.255.251,37810,37810,798

    Also pure noise. Multicast Discovery of DNS Services is that multicast address - why would you need that noise logged or going over your WireGuard connection?
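    Reading six filterlog lines by eye is fine; on a busy bridge it is easier to parse the CSV and bucket the blocked entries by why they are noise, so that only the leftovers get a second look. The script below is an added example written for this page, not code from the thread or from pfSense. The CSV field layout follows pfSense's documented filterlog format; the sample log is constructed (the first three lines reproduce the entries quoted above, the remaining lines are made up, including a source in the 203.0.113.0/24 documentation range), and the list of discovery ports and the set of "local" address ranges are my own choices.

```python
# Added example: triage pfSense filterlog lines, separating LAN discovery noise
# from entries worth reviewing. Field layout follows the pfSense filterlog
# format: rule,sub-rule,anchor,tracker,interface,reason,action,direction,
# ip-version, then the IPv4 or IPv6 header fields, then ports for tcp/udp.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input. The first three lines mirror the thread above; the
# others are made up (203.0.113.0/24 is a documentation range) to hit every branch.
SAMPLE_LOG = """\
May 13 14:00:00 pfSense filterlog[7432]: 2,,,1000000101,ix0,match,block,in,4,0x0,,128,46560,0,none,17,udp,256,169.254.14.211,192.168.1.27,1900,60690,236
May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,48715,0,DF,17,udp,863,192.168.1.4,239.255.255.251,37810,37810,843
May 13 14:00:00 pfSense filterlog[7432]: 4,,,1000000103,bridge0,match,block,in,4,0x0,,1,34515,0,DF,17,udp,691,192.168.1.14,239.255.255.251,37810,37810,671
May 13 14:00:01 pfSense filterlog[7432]: 8,,,1000000108,bridge0,match,block,in,6,0x00,0x00000,255,UDP,17,126,fe80::1c2a:5bff:fe11:2233,ff02::fb,5353,5353,118
May 13 14:00:02 pfSense filterlog[7432]: 5,,,1000000105,ix0,match,block,in,4,0x0,,54,1234,0,DF,6,tcp,60,203.0.113.7,192.168.1.10,51234,22,0,S,1111111111,,64240,,mss;nop;wscale
May 13 14:00:03 pfSense filterlog[7432]: 9,,,1000000109,ix0,match,block,in,4,0x0,,64,100,0,DF,17,udp,80,192.168.1.20,192.168.1.1,5353,5353,60
May 13 14:00:03 pfSense sshd[812]: Accepted publickey for admin from 192.168.1.5 port 40000
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ filterlog\[\d+\]: (?P<csv>.+)$"
)
# Well-known LAN discovery ports (my choice); blocks to these are usually safe to stop logging.
DISCOVERY_PORTS = {1900: "ssdp", 5353: "mdns", 5355: "llmnr", 137: "netbios-ns"}
APIPA = ipaddress.ip_network("169.254.0.0/16")
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]


@dataclass
class FilterLogEntry:
    timestamp: str
    rule: str
    tracker: str
    interface: str
    action: str
    direction: str
    ip_version: int
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def parse_line(line: str) -> Optional[FilterLogEntry]:
    """Parse one syslog line; return None for anything that is not a filterlog entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.group("csv").split(",")
    version = int(f[8])
    if version == 4:    # tos,ecn,ttl,id,offset,flags,proto-id,proto,len,src,dst
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif version == 6:  # class,flow-label,hop-limit,proto,proto-id,len,src,dst
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    entry = FilterLogEntry(m.group("ts"), f[0], f[3], f[4], f[6], f[7], version,
                           proto.lower(), src, dst)
    if entry.proto in ("tcp", "udp") and len(rest) >= 2:
        entry.src_port, entry.dst_port = int(rest[0]), int(rest[1])
    return entry


def is_local(addr) -> bool:
    return any(addr in net for net in LOCAL_RANGES if net.version == addr.version)


def classify(e: FilterLogEntry) -> str:
    """Label an entry; order matters, the most specific explanation wins."""
    src, dst = ipaddress.ip_address(e.src), ipaddress.ip_address(e.dst)
    if src in APIPA:
        return "apipa-source"      # a host with no DHCP lease: fix the host, not the rule
    if dst.is_multicast:
        return "multicast"         # discovery chatter; stop logging the block instead
    if e.ip_version == 4 and dst == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if e.dst_port in DISCOVERY_PORTS:
        return DISCOVERY_PORTS[e.dst_port]
    if e.direction == "in" and not is_local(src):
        return "review-external"   # blocked inbound from a public source: these deserve a look
    return "review"


def triage(log_text: str) -> Dict[str, List[FilterLogEntry]]:
    buckets: Dict[str, List[FilterLogEntry]] = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            buckets.setdefault(classify(entry), []).append(entry)
    return buckets


def summary(log_text: str) -> Dict[str, int]:
    return {label: len(entries) for label, entries in triage(log_text).items()}


if __name__ == "__main__":
    for label, entries in triage(SAMPLE_LOG).items():
        print(f"{label:16} {len(entries):3}  e.g. {entries[0].src} -> {entries[0].dst}")
```

    Feed it `clog /var/log/filter.log` output (or the syslog export) and only the "review" and "review-external" buckets need a human; everything else maps to a rule whose logging can be switched off, or, for the APIPA case, a host whose DHCP needs fixing.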

  • Limit access to admin page: www.mywebsite/administrator

    0 Votes
    4 Posts
    234 Views
    johnpoz

    @tina Where is the site hosted? On the public internet, or behind pfSense? If behind pfSense, is the site to be viewed by the public? The only way you can filter the /admin would be with a reverse proxy.

    If this is hosted on the public internet, pfSense really has nothing to do with that. Sure, you could proxy it so your users behind pfSense couldn't go to /admin, but anyone else on the internet could, etc.

    Probably need a bit more detail to figure out if what you want can be done, and if so how, etc.

  • Block 1 IP client while on LTE Wan Backup interface

    0 Votes
    27 Posts
    2k Views
    johnpoz

    @iptvcld No problem - happy to help. The only thing that gets frustrating sometimes is, man, I just answered the same exact question 3 days ago ;) Does nobody know how to search a forum or even browse a few pages of threads? I get it, sometimes understanding the search term can be a problem.

    But I do not recall such a question, at least not any time recently.

    So when you get a chance I would fully test that this works exactly how you want. I would, for example, pull the plug on your PPPoE connection and make sure your other clients work over your LTE connection except for this one client you're wanting to block.

  • Firewall Rules across IPSec S2S Tunnel into Segmented Network?

    0 Votes
    2 Posts
    183 Views

    @TheWaterbug said in Firewall Rules across IPSec S2S Tunnel into Segmented Network?:

    Curiously, if I add a P2 to allow Things at Main to talk to Things at Home, now PCs at Main can talk to Things at Home.

    That's not curious, it's just by design of the pfSense default rules. On IPsec there is a rule to allow any to any. If you don't want this, modify the rule and restrict access to fit your needs.

    Basic Firewall Configuration Example

  • ICMP spikes after 23.05 upgrade

    0 Votes
    45 Posts
    7k Views

    After upgrading to 24.03 the issue persists. I thought that if we used Netgate generic HW we would not be in trouble; unfortunately it seems that nobody cares. I do not have this issue on home labs with non-Netgate HW. All 7100s are affected by this issue.

  • Switch and Firewall Recommendation

    0 Votes
    14 Posts
    999 Views
    johnpoz

    @AmitS What device are you running pfSense on? Is it a Netgate appliance that has switch ports, or discrete interfaces? There are some pfSense models that have switch ports. The SG-2100 is such a model; it has 4 switch ports and 1 WAN port. You can VLAN the interfaces on the switch to be in different networks, or you can use 2 in 1 network and the other 2 in 2 different networks, etc.

    You can daisy chain switches if you want; depending on your flow patterns that might be fine. Or you might need to do that for location reasons.

    I take it you want to segment your different networks?

    I have my main core switch, if you will, in my computer room. This has 28 ports; then off that switch there is a 10-port switch on the other side of the house. Then off that 10-port switch I have another 8-port switch that is behind my TV.

    I have a couple of APs that connect to my core switch, and another one that is connected to my 10-port switch in the AV cabinet. The switch behind the TV has an Nvidia Shield, the TV connection and a Raspberry Pi, etc.

    How you connect your switches is up to you and what your data flow patterns would be, etc. Are these switches VLAN capable? If they are, then you can pretty much connect any device anywhere you want and put it on any network. If they are just dumb switches, then you could connect 4 different dumb switches to your 4 ports on pfSense and have 4 different networks this way.

    Without understanding your flow of data and patterns, what switches you're going to use - are they all smart and VLAN capable, or also some dumb ones?

    If you have multiple 25GbE devices that you want to talk to each other, I would put them on the same 25GbE-capable switch. I sure wouldn't want that 25GbE running over multiple uplinks to talk to some other switch on the other side of the building, because you now need at least 25 gig capable switches in the path. And then your 2 25GbE devices could suck up all the other bandwidth and leave nothing for all your other devices that just want to talk to another device on another switch or just get to the internet, etc.

    In a setup for an enterprise, all switches would normally home run back to the core or distribution layer.

    But in a home or SMB that is sometimes not possible, or cost prohibitive, or skill prohibitive in running the wires, etc. So sometimes you just have to daisy chain everything, or maybe the amount of data that is going to flow over that part of the network doesn't make it important. For example, in my setup it was much easier to just run a cable from the AV cab to behind the TV and put a little switch there, vs running 3 cables all the way back to my core or to the switch in the AV cab (which would have meant getting a bigger switch for there), etc. And the TV and Pi only have 100 Mbps connections, and while the Shield does have a gig interface, it never moves any serious amount of data. So the shared 1 gig uplink from that switch is more than adequate for the amount of data flow over that connection.

    You need to understand what is going to talk to what, and at what sort of data rate, how often, etc. For example, I just recently set up an NVR and video cameras. While their 4K video streams are not huge amounts of data, there are 3 of them, constantly sending traffic to the NVR. It would be stupid to run that data over a network path that other data is going to flow over. The NVR has its own PoE switch; this NVR connects to my switch in the AV cab, and the cameras connect to the NVR on an isolated network behind the NVR.

    More than happy to discuss this sort of thing. If you put together a drawing of where devices are going to be, and what is going to talk at what speeds, we can discuss how best to connect it all to optimize the available bandwidth to everything.

  • Unresolvable source alias!

    0 Votes
    24 Posts
    13k Views

    @GPz1100 I don't know a direct answer to your question, but I would arrange the rules in order and not try to do that with aliases.

    You can use Alias Native instead of Deny Both which only creates an alias, and does not create rules. Then you can create your own rules in whatever order you want.

    Quick is on by default for all rules except floating rules. It just means first match wins.
    https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html#quick

  • OpenVPN interface rules not applied to CARP master IP

    0 Votes
    7 Posts
    426 Views

    @viragomann said in OpenVPN interface rules not applied to CARP master IP:

    E.g. if you try to access any IP of the backup outside of its own subnet from a LAN device, the packet is routed to the LAN CARP VIP, since this is the default gateway, i.e. the packet goes to the master node and is then routed out on the interface which is in the destination network.

    Yes, I was referring to the fact that in that case the secondary node sees the traffic as coming from the primary node's IP on its same LAN, since it is NATed, and there is no block rule in place to prevent access to the secondary management IP from the primary management IP.

    E.g. traffic directed to the secondary IP comes from the VPN subnet to the tunnel gateway on the primary node and is evaluated against a block rule that filters traffic directed toward "self", but the secondary IP is not "self" for the primary, so it passes and is routed out on the management subnet, NATed with the IP of the primary node. There, the secondary would block traffic coming to its IP from outside the management subnet (there is a rule in place), but it appears as coming from the primary IP.

    There are more than 50 subnets on these firewalls and quite a few rules, so sometimes it takes me a while to get my head around it.

    Anyway, thanks for the help. Sometimes all you need is someone with a fresh mind to get you back on the right path.

  • Unknown Firewall logs after upgrade to 24.03

    0 Votes
    5 Posts
    433 Views
    JonathanLee

    @bhjitsense said in Unknown Firewall logs after upgrade to 24.03:

    We upgraded my 7100 to 24.03 today. Since then, we are seeing the following in the firewall logs, which had never been there previously. Not sure what is causing this. The local addresses are Apple devices.

    [image: Screenshot 2024-05-09 at 2.38.53 PM.png]

    That's an ACL rule blocking; set it not to log it.

  • IGMP IPV4 endless log-messages / rules not working :(

    0 Votes
    16 Posts
    1k Views
    Gertjan

    @dennypage said in IGMP IPV4 endless log-messages / rules not working :(:

    you want to be very specific in the circumstance that you allow IP options.

    I wanted to clean my logs. I've chosen the fast way out - not necessarily the best one.

  • I don't understand these log entries

    0 Votes
    3 Posts
    184 Views

    @pastic ^that, but https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#asymmetric-routing

  • Firewall rule is a danger?

    0 Votes
    1 Posts
    116 Views
    No one has replied
  • None of my firewall rules are working on VLANs

    0 Votes
    36 Posts
    3k Views
    johnpoz

    @Jarhead said in None of my firewall rules are working on VLANs:

    So the trunk connected to the router won't need VLAN 1 untagged, but the trunks to the APs will.

    Exactly. You can have more than 1 uplink from the switch, each carrying different networks/VLANs. If you have free ports on your switch and router this is actually a good idea: now if you have inter-VLAN traffic you don't have to worry about hairpinning, as long as you don't put the uplinks on the same physical.

    So for example.

    [image: uplinks.jpg]

    So you can see the VLANs are on my igb2 interface; there is also an untagged VLAN on this, which is VLAN 2 on the switch.

    igb actually goes through my switch as well; this is VLAN 99 on the switch, untagged, and from another port on the switch, untagged in VLAN 99, it goes to my modem.

    LAN is untagged and goes to VLAN 9 on my switch.

    All the VLANs that are tagged are on the switch port igb2 plugs into. These are all wireless networks, and there is no inter-VLAN traffic between them; if something talks to them, it's from, say, my LAN network.

    Roku is also a wireless network, but this is where all my media players are, there is no need to share bandwidth with the other wireless networks, and I had spare ports. Then DMZ is another untagged network.

    If you have the ports on your router and switch, nothing really needs to be tagged; they can all be untagged native networks on pfSense, and then untagged in whatever VLAN those networks are on your switch.

    The only time you have to tag is when you're going to carry more than one network/VLAN over the same physical wire.

  • 23.09.1 to 24.03 - Makes bridge unstable

    0 Votes
    19 Posts
    898 Views
    stephenw10

    Yup if you don't need to filter between the bridge member segments that's what I would have done. 👍

  • Block access web

    0 Votes
    3 Posts
    287 Views

    @johnpoz The last one was the one I applied. Thank you

  • Help with PfSense not working after getting new modem

    0 Votes
    21 Posts
    1k Views

    @johnpoz OK, it's working now. Just want to thank you and everyone else. It was the power cycling that was the problem. I had no idea you needed to do that.

    Yeah with the old one I never needed to take that step so I was totally in the dark.

    Thanks again, y'all.

  • Firewall Optimization Options

    0 Votes
    1 Posts
    155 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.