@mathieur geo filtering for something like a p2p prob not a good thing ;) hehehe

You really have no clue to where traffic might come from.. I had sim sort of problem when I started filtering based on geoip and a test plex does for if your plex is available remote.. Some of the testing comes from non US ips, same goes for stuff like uptime robot and status cake.. They leverage global resources to check stuff, and if your filtering to only allow IPs from certain regions you can run into issues.

I just found where these services list what IPs can be used as source of the traffic, and allowed them - the lists of IPs do change now and then.. And just added them to my pfblocker alias that I use to allow.

allow.jpg

But with something like p2p, that would be pretty impossible..

You can grep the file /tmp/rules.debug to search for that rule indentifier as follows:

Execute this command from a shell prompt on the firewall:

and see what it shows.

The file contains the full firewall rule set currently in use by the packet filter. That is an odd-looking rule identifier, though. Not sure where that is coming from. To the best of my knowledge, pfBlockerNG is the only package that creates firewall rules on its own.

@Draikkari said in SSH Problem:

Without you I would start to drink

hahaha - I don't see that a problem either, hehe Whats the old saying.. Can't drink all day if you don't start in the morning..

71zt4H-mZ0L.AC_UF894,1000_QL80.jpg

@bmeeks said in Allow outgoing traffic based on Active Directory group:

I would suggest setting up a pfSense instance in a virtual environment and experimenting with some of the options. Pretty easy to do in something like VMware or Proxmox (or even Hyper-V).

Yes, this is exactly my plan. I installed a 2.7.0 pfSense, a 2012 R2 DomainController, and two W10 virtual machines on my lab, just to test everything before touching the production environment.
Thanks, and best regards,
HeCSa.

There is no direct API available in pfSense for this, but you can get creative on your own by using the FreeBSD pfctl utility documented here: https://man.freebsd.org/cgi/man.cgi?pfctl.

You can manipulate the pf rules directly using pfctl from a shell script. I strongly suggest first playing around with pfctl and any scripting in a test environment. Something as simple as virtual machine install of pfSense using VMware Workstation or even the Hyper-V hypervisor that ships with some versions of Windows 11 would suffice.

Also be aware the rule syntax would be the "raw" pf syntax. That means the rules will not "look the same" as they do in the GUI in terms of how the text reads.

@viragomann must be a bug can it be checked please.

@johnpoz @mcury

Thank you all.

For blocking rules you need to set protocol to "TCP" for the "TCP flags" options to work. I did that now and added a second rule for non-TCP traffic and now I get log entries for all packets but not for TCP packets with other flags than SYNC.

Has anyone else had any experience with this?

@johnpoz first let me say thanks for all your help. We've established and I've implemented the following:

alias' and firewall rules , despite the option to do so, realistically can't and shouldn't combine IPv4 and IPv6. Instead use separate alias' and rules to handle NAT IPv4 as well as GUA IPv6.

The LAN domain name shouldn't be the same as the public domain name, a recommended LAN name is home.arpa.

public-facing servers at myhost.mypublicdomain.com can be accessed from LAN or WAN using firewall and NAT rules. From the LAN only, they can be resolved by pfSense DNS using myhost or myhost.home.arpa. This is an acceptable and expected result. Browser and app URL configuration can function regardless of connection to LAN or the internet at large, pointing to myhost.mypublicdomain.com.

private servers not firewalled and NAT'd are accessible only from the LAN at myhost or myhost.home.arpa, which is also expected. Remote access to these private servers, if desired, would be implemented with OpenVPN to the LAN. They were never expected to be available at myhost.mypublicdomain.com.

All that said, I do have flaky behavior from the Homeseer4 server, where the Android app can connect from the WAN using myhost.mypublicdomain.com, but fails to connect from the LAN using the same FQDN. As this behavior does not replicate with any other of the several public-facing servers on this network, I'm ascribing this to a flaky old Android app.

@JKnott Only if I leave the modem off for more than 4 hours and that only happens during power outages so my concerns are probably a mute point.

@nicber well device on your wan to get to stuff behind that network would have to hit the pfsense IP and be forwarded. And would assume other devices on this "wan" of pfsense are not using pfsense as its gateway.. So if you tried to do routing on this networks gateway you run into asymmetrical traffic flow..

@Bob-Dig said in System Logs / Firewall Not Logging:

You are right, I also can't see it.
I call @johnpoz

Ooops, now I see it... was to late for me that day.

@Rockyuk not really.. It lists IPs and ranges of IPs, that produce spam.. I would take it that is a lot of mobile IPs ;)

Do you allow people to create accounts and create content on your website?

@johnpoz I sure did.

@viragomann

That works perfectly!

If I understand correctly the "URL (IPs)" just read the file and the URL Table (IPs) read the file a download the info in local, so I guess that it depends of the scenary it should be better the Table and have he last state of the file in local in case of internet loss.

About my two main questions, any information?

@vaibhavt said in Static IP works on PC but not on PFSense:

Firewall WAN Rules to allow Any Protocol from Any Source to Any destination

That would allow anyone on the Internet to connect to pfSense via SSH, HTTPS, or any other listening port. Not a good idea unless you like getting hacked.

Try restarting your ISP router/modem, some, especially cable modems, lock on to the first MAC address used.

Is your ISP gateway pingable? If not it may be detected as offline. You can Disable Gateway Monitoring in System/Routing by editing the gateway. Or use a different Monitor IP like 8.8.8.8.