  • 16 posts, 773 views. Latest post:
    Thank you all for helping me. In the end I've managed to make it work. As you said, the following rule(s) were necessary to access devices on OPT1 and OPT2 respectively. [image: 1760577607694-4278df83-2799-41fa-a032-8ae0b9205d44-image.png] There are some things that I learned along the way: When spoofing a MAC address, don't spoof it on the interface you are accessing the web GUI from. Don't spoof the WAN MAC address while connected to the internet; do it with the WAN port disconnected. Also, clear the DHCP leases on your upstream modem/router. When you already have an enabled interface but then want to spoof its MAC address, delete the interface first and then recreate it with the spoofed MAC address; re-enabling doesn't work properly. Sometimes the device you're trying to access doesn't allow access from a different subnet. This is the case with my OpenWRT router, but my home server works flawlessly.
  • TFTP cross vlan and TFTP proxy

    13 posts, 562 views. Latest post by stephenw10:
    Yes I reproduced here and asked our devs about it who confirmed the likely cause. Work is in progress.
  • Nxfilter not working with pfsense captive portal

    2 posts, 288 views. Latest post:
    It worked! I needed to add the NxFilter IP in Captive Portal > Allowed IP Addresses... however, for blocked sites, for example in the Porn category, the NxFilter blocking page is not displayed, it just keeps rotating the browser without accessing the site. I will continue looking for a solution for this. [image: 1760523860187-1dbf1da9-2786-446f-8ac2-30b77b06b1a3-image.png]
  • inbound stun traffic disappearing

    2 posts, 152 views. Latest post:
    Just to prove to myself that I'm not a complete idiot, I have set up a VPS and installed eturnal there. It functions perfectly fine there. (It is not behind a pfsense but I have enabled ufw. To be fair, the setup in my home lab is much more complex than that of the VPS. But bottom line: I can set up eturnal to work. So it would seem to be my inability to configure pfsense.)
  • Prioritizing WAN gateway monitoring ICMP traffic

    1 post, 134 views. No one has replied.
  • Is it possible to redirect local traffic

    4 posts, 3k views. Latest post:
    I just wanted to follow up and not leave you guys hanging. I realized that only web traffic needed to be behind the reverse proxy (for the WebIF), whereas SIP and RTP did not. I am already using split DNS, but I set up one DNS entry for PBX.fqdn that points to my reverse proxy, and SIP.fqdn to point to my actual server. That way, my phones can be directed to the SIP server, and my web browser to my proxy. Done. However, since I disabled all IPv6 traffic on my network, I was having issues connecting from outside, as was mentioned. Now I have the PBX system moved to a $5/month cloud server. Time will tell if it has enough resources to accommodate my usage. It has a setup similar to the aforementioned.
  • Allow firewall rules for home lab

    5 posts, 283 views. Latest post:
    @viragomann Thank you, I appreciate it. The aim is to allow access to my VMs from the WAN side (home network) and effectively use the pfSense device as a router with the NAT functionality enabled for the LAN side VMs to access the internet.
  • OPT1 Firewall Rules

    26 posts, 1k views. Latest post by johnpoz:
    @turku31 so what was it? Nice to leave what you found as the problem, to possibly help the next guy out.
  • Return unique identifier when packet is received from outside system

    3 posts, 198 views. Latest post:
    @martinez Thank you for your help and input! I'm aware of several ways that I could handle this, most of which involve opening a port and running a program on either the local or remote side. When faced with the issue I thought, wouldn't it be nice, if something that already exists and is well tested could be "used" in such a way that it solves the problem, without introducing more risk, which is why I asked the question here. If there is no such option using the firewall directly, then a Wireguard tunnel between pfSense and the remote system might be the best option?! Allow incoming ICMP on the Wireguard interface only, block everything else. The connection would be via dyndns entries and will only be active and the ping possible, if the DNS entry is up-to-date, so a simple ping to the pfSense's wireguard interface IP address would indicate dyndns up-to-date. Or are there better options?
  • TCP:SAE

    4 posts, 301 views. Latest post by johnpoz:
    @kojol Why would your traffic be asymmetrical.. That is your problem - fix the asymmetrical flow.. So I take it your client is 10.3 and he is sending his SYN to this 10.2 box on port 8009 - but that did not flow through pfSense; if it did, pfSense would create a state and allow the return traffic (SYN,ACK). You have a masking problem; do you have a common L2? When you create segmentation in your network, traffic should flow through pfSense in both directions. If pfSense sees some SYN,ACK and it never saw the SYN to open the state, then yeah, your traffic would be blocked. If your segments are properly isolated there should be no way possible for 10.3 to talk to your other segment at 10.2 without flowing through pfSense. And the same goes for the return traffic. Do you have a common L2 network, and a mismatched mask.. Where your client on 10.3 thinks 10.2 is on its network and just sends the traffic there directly, but your device on 10.2 thinks 10.3 is a different network so sends its reply (SA) to pfSense..
  • LDAPS 636 problems with pfsense

    12 posts, 6k views. Latest post:
    I can verify that a (public) wildcard cert does not work; the specific hostname must be present in the certificate. I think this is not really well documented, because I struggled with debugging this a few years ago myself.
  • Filter reload causes CPU and latency spike

    2 posts, 168 views. Latest post:
    Just been doing further testing, and disabling SMP via the boot loader conf as per the 2020 threads does help. I now just get split-second interruptions to Teams calls rather than minute-long ones and network dropouts, and also just a couple of spikes in latency. CPU does spike to 55%, but it is now running on one core only due to disabling SMP. So it does look very similar to the bug reported in 2020. Anyone else seeing this behavior?
  • Packet flow data to orion not showing

    3 posts, 265 views. Latest post:
    One more item is that I have an interface group called all_interfaces, and have assigned all my interfaces into that group. All my rules are under that interfaces group. Is that why netflow is only showing sync?
  • 1 post, 97 views. No one has replied.
  • pfsense plus on Azure - PAT not working

    4 posts, 261 views. Latest post:
    @MtMt Also remember, that access to the RDP server is not allowed from outside of the subnet by default in Windows. You have to configure its firewall accordingly.
  • PHP Fatal error

    7 posts, 1k views. Latest post by Gertjan:
    @jsseb said in PHP Fatal error: .. but they have been in place since day one. For what it's worth: I'm seeing the same thing: [image: 1759300409504-92aa08e1-c0a0-46cf-b8e6-884b5af6d3c4-image.png] which looks like a floating number, but isn't ... I've 16 of them. Using 25.07.1 for weeks now. So, whatever the issue was, this wasn't it.
  • IP Block List - Do I need pfBlockerNG to block IP Addresses?

    5 posts, 978 views. Latest post by johnpoz:
    I use pfBlocker for alias management, while I do have some other just native aliases. I use pfBlocker functionality to manage more complex lists. Example: here is my scan deny alias, which contains some ASNs and lists from different locations that scan for open ports, like Shodan, etc. [image: 1759247068669-scandeny.jpg] And I use another list for stuff that needs to be allowed that might be blocked by a list like scan deny; this list contains country-based IP lists, and other lists provided by services like Plex and monitoring to know if a service is up, etc., which I use to alert me if something goes down. [image: 1759246930777-allow.jpg] I don't really use any of the other features of pfBlocker, but I do love its easy management of just native aliases. You can also easily add just one-off networks/IPs etc. to the alias you create in the bottom custom section. [image: 1759247195644-custom.jpg] When bored or whatever I take a look at my firewall log, and if I notice something scanning but not in my scan deny list, I will look up the details and normally block the whole netblock, etc.
  • Alias edits causing firewall rule black holes

    11 posts, 2k views. Latest post:
    @Gertjan if I run this little bit of php: $file = 'test.txt'; file_put_contents($file, "BLOCK ANY | No internet via this device". PHP_EOL, FILE_APPEND); The piped text is appended just fine to my testfile, so I think the script crash is more related to the code printing the contents of the filter_reload_status file.
  • Outbound ping blocked

    16 posts, 7k views. Latest post by johnpoz:
    @revengineer the trick is to figure out where it is coming from. Not sure how to figure out what could have created it. But I would assume if it labeled it gateway monitoring, that has to come from somewhere. It could be a bug that creates a block vs. what I would think a better idea of an allow rule, to make sure you could always ping what you're wanting to monitor.. But it doesn't make a lot of sense to be honest, since there is already a hidden rule that allows pfSense itself to do whatever it wants outbound, which is where the monitoring would come from, i.e. dpinger.
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out inet all keep state allow-opts ridentifier 1000016215 label "let out anything IPv4 from firewall host itself"
    pass out inet6 all keep state allow-opts ridentifier 1000016216 label "let out anything IPv6 from firewall host itself"
    Other thing about the rule that you posted that is odd: why would it be logged? Have you looked in /tmp/rules.debug? This is a full listing of the rules, and shows the rules pfSense creates on its own that are hidden; like when you enable the DHCP server, hidden rules are created on the interface you enable DHCP on so it is sure to work, etc.
  • 3 posts, 2k views. Latest post:
    @patient0 Hi! Arris and pre-WAN pfSense are set up for the same IP range on their LANs (but of course they're not connected to my main pfSense simultaneously) and my other networks differ -- there is no IP conflict
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.