Go here :

264159ed-298c-492f-93da-bf0195c5dc91-image.png

and enter IGMP.
Hit the Search button.
Pick any of the recent (last 6 months or so) search results.
read one or 2 of them. Apply what is suggested.

Thinking more about it, I think my problem is that I don't know what "interface subnets" means for IPv6.

Does it mean, "the address of the interface/64", which in my case would be the /56 from my ISP + the prefix configured in pfSense?

I tested this with pfSense Plus and CE and only CE is affected. My guess is that the new Firewall State Policy is not fully implemented in CE right now. Or it is a difference in the WireGuard Package.
Edit: I created a report on redmine.

Working:

Spoiler

Working.png

Not working:

Spoiler

NotWorking.png

Edit: Fixed it by upgrading to plus. 😉

@Uglybrian Thank you so much. My LAN3 is working now.

I had similar setting to yours:
c49a79ef-7b09-447e-bd92-ccc5005d1f1a-image.png

So the changing the "Kea DHCP" to "ISC DHCP (Deprecated)" has fixed the issue?

Thank you both! This was exactly the issue; subnet was configured incorrectly on the device at 192.168.20.4! Thank you!!

@LPD7 If you hover over the 0/0 it gives a summary. It's currently open states, which won't exist for a block/reject.

@LPD7 said in Firewall Rules Not Being Enforced:

require no particular order

I mean yes and no...the order is important for blocking certain types of traffic. Look at the difference between Open and Isolated interfaces here for example:

https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4200/opt-lan.html#apply-changes

@LPD7 said in Firewall Rules Not Being Enforced:

mission accomplished

👍

@clawsonn In my case, I had a bad WAN connection that was triggering this issue. It was also making HAProxy crash. As soon as I disabled that WAN (it was a 4g backup), everything went back to normal.

@Terho said in Safe isolation of device under forensics analysis:

Any other ideas anyone? How to keep danger for my examination laptop minimal?

Use a VM, snapshot it and connect that, rather than the host laptop, to the isolated VLAN. Probably easier to accomplish if you use the latops ethernet.

@flo-0

Good for you 👍

www.amazone.com www.cnn.com www.whitehouse.gov www.apple.com www.microsoft.com www.netflix.comto to name some big players all switched.
google.com adopted it years ago.
Others, like twitter or truthsocial.com have still issues .... ^^

@socrateberserk said in If this is not the right place to post my question, please direct me to the correct one.:

I am unable to properly configure pfSense to allow the use of the SSH protocol

What pfSense does is : routing, and fire-walling : IP packets.
These packets might contain - in the so called payload - fragments of the mail you send or receive, a web server that is sending you a web page you requested, or a DNS answer from a DNS server you've requested zone info.
The SSH protocol is the description of that payload. And because it's SSH, the payload i, for pfSense, a complete random set of bits, and pfSense can't do anything with it, as it is encrypted.
All this boils down to : pfSense doesn't care about the payload. It doesn't use or 'touches' the payload.

Out of the box, when you installed it, pfSense behave like any other firewall router out there : it has a WAN, a LAN, and everything from LAN passes to the WAN.

pfSense itself also contains a SSH 'server' so you can connect to it. By default, its disabled.

I can connect to my web server, a server rented in a data center somewhere in Paris, from a PC connected on pfSense LAN, just fine.
And the other way raound also works : the same server can connect to my Syno NAS on my pfSense LAN also : I opened up the IPv4 port 22 on my WAN with a NAT rule (I've set the source address is the IPv6 of my server. So this is secured.
For IPv6 things are simpler : just a pass firewall rule, IPv6 destination is the IPv6 of my NAS, destination port is '22' and source address is also set == the IPv6 of my server, so also secured.

@abesh

I have pfsense to use external DNS server and i'm running unbound in resolver mode.

428aface-b662-46f8-bc5f-b8a84403ce41-image.png

DNS Resolver:

aebe7f1b-d29b-4b61-96e7-a369f5868321-image.png

@JonathanLee No
Do not put IOT devices behind restrictive firewall rules. It doesn't make sense.

@AndyRH Awesome ! Thank you :) Isn't the setup then sort of similar to one that I started with ?

@TomNick said in Email Client times out trying to reach mailserver in lan:

Mine is on default, still not working

"default" means "System default". If this is set in the NAT rule, the setting in System > Advanced > Firewall & NAT > NAT Reflection mode for port forwards is used.

@snippem

You might consider static addresses on ULA, though I haven't tried that. Unfortunately, pfSense doesn't filter on MACs, at least not in CE.

@Antibiotic it's a new "feature":

https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#packets-with-ip-options

You can create a rule above the default allow rule, to block it and not log it:

623a0dfd-a921-40f9-9469-3e9c841b7c86-image.png