• 0 Votes
    9 Posts
    423 Views
    johnpozJ
    @Gertjan yeah, I don't run the DNSBL service, I just use pfBlocker for alias creation that I use in my own rules. Just wanted to explain what he was seeing with this ps command; it didn't find anything via his grep.
  • Please assist me with settings

    0 Votes
    9 Posts
    407 Views
    N
    If I’m not mistaken, the issue you’re facing is not caused by your configuration but by a limitation in the Asus router firmware. Even with NAT disabled, firewall disabled, and correct static routes, an Asus router operating in Router Mode does not allow routing from the WAN interface toward the LAN network. The WAN interface always treats the upstream device (pfSense in your case) as “Internet”, which means it blocks any attempt to reach LAN clients in the 192.168.50.0/24 subnet. This is why you can ping the Asus WAN IP from pfSense, but you cannot reach any clients behind it. If you need full communication from pfSense to the devices behind the Asus, the only supported solution is to run the Asus in Access Point Mode, so it becomes part of the same LAN (192.168.10.0/24). For the use case you described (Portainer, Docker, InfluxDB, Grafana), a separate subnet is not required. In AP Mode all services will be directly reachable, and pfSense’s Telegraf can send metrics to InfluxDB without any routing or NAT-related issues.
  • Firewall rules for selective failover

    0 Votes
    13 Posts
    553 Views
    R
    Thank you @SteveITS for the reply. Yes this is for the VLAN20 interface. DNS is working for its devices when the first rule's gateway was "failover" and also when this is now set to asterisk. I have finished setting the first rule of all VLANs from gateway "failover" to asterisk and everything is working. Thank you for this clarification.
  • DigitalOcean block (2604:a880:400:d1::/48) today. ~100+ hits

    1 Votes
    2 Posts
    188 Views
    GertjanG
    @JonathanLee For myself, I've just one open port on my WAN (both IPv4 and IPv6): "1194 UDP", also known as OpenVPN. RDP, SSH, MySQL etc. etc. are all on the 'never ever expose these on the Internet' list. Don't worry about IPv6 scans. It's like looking for and counting stars in the galaxy, looking for planets and life on them ^^
  • 0 Votes
    1 Posts
    101 Views
    No one has replied
  • Cannot access some switches anymore?

    0 Votes
    4 Posts
    227 Views
    Urbaman75U
    @SteveITS that's right. The two switches not being accessed are L2/L3 and lost the internal VLAN routing. I re-enabled it by accessing from VLAN1 and re-adding an IP on both Switches' VLAN10 interface: both got accessed again from VLAN10 devices. Now I'll properly go (hopefully) through ACL settings to limit access to some devices only. Thank you very much for pointing me in the right direction.
  • debugging aliases

    0 Votes
    4 Posts
    236 Views
    A
    @johnpoz thanks. I should have googled it first. I found the answer on an old thread. For the benefit of someone else and possibly me, I will say: look in the tables under Diagnostics and there will be an entry named after your alias. I only had two FQDN entries. I don't know what happened; it just started working after I deleted it and then recreated it. Maybe it got corrupted somehow. I didn't know about Diagnostics then, so I didn't have a look.
  • using domain name in rules

    0 Votes
    10 Posts
    428 Views
    GertjanG
    @johnpoz said in using domain name in rules: "since are you not in the EU?" AFAIK, France, where I am, is still part of the EU.
  • Best Suricata version for IDS + AI Anomaly Detection on RPi (16GB RAM)

    0 Votes
    11 Posts
    782 Views
    johnpozJ
    @bmeeks said in Best Suricata version for IDS + AI Anomaly Detection on RPi (16GB RAM): "Not good to run a mail server on your firewall." Oh shit - it's not, damn, now I have to redo a bunch of stuff.. Just a joke - hehehe
  • Bug when deleting nested Aliasses

    0 Votes
    5 Posts
    393 Views
    SteveITSS
    duplicate of https://redmine.pfsense.org/issues/16750
  • Log entry with no port number - Can't create quick rule.

    0 Votes
    1 Posts
    96 Views
    No one has replied
  • No internet access from DMZ

    0 Votes
    1 Posts
    132 Views
    No one has replied
  • bug when editing firewall rule

    0 Votes
    1 Posts
    109 Views
    No one has replied
  • URL, IP and IPS

    0 Votes
    2 Posts
    230 Views
    johnpozJ
    @pierob83 blocking based on categories and global blacklists sounds like you want the pfBlocker package. It has blocklists you can pick.. As to an IPS, that would be the Snort or Suricata packages. pfBlocker has block lists you can pick, but it's not a URL-based filter; for that you would need a proxy, Squid for example.
  • Allow traffic to ff02::

    0 Votes
    6 Posts
    372 Views
    dennypageD
    @JKnott said in Allow traffic to ff02::: "@fabnavigator ff02:: is all routers on the local link. It is not supposed to be routed." ff02:: is local (link) scope multicast. ff02::2 is all routers. Here is the assigned list for reference.
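Added example (not part of the post above or of pfSense): the scope decoding that the correction in this post rests on, as a Python script using only the standard library. It goes beyond the ff02:: case and decodes the flag and scope nibbles of any IPv6 multicast address (RFC 4291 section 2.7), names a few permanently assigned link-local groups from the IANA registry, and answers the two questions a rule author has: should a router ever forward it (never for interface-local or link-local scope), and would a pass rule with destination ff02::/16 match it. The sample addresses are constructed and the well-known-group table is deliberately partial.

```python
import ipaddress

# Scope nibble of an IPv6 multicast address ff0S::/16 (RFC 4291 s2.7, RFC 7346).
MCAST_SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x3: "realm-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

# A few permanently assigned link-local groups (IANA registry), partial list.
WELL_KNOWN = {
    "ff02::1": "all nodes",
    "ff02::2": "all routers",
    "ff02::5": "OSPFv3 all SPF routers",
    "ff02::16": "all MLDv2-capable routers",
    "ff02::fb": "mDNSv6",
    "ff02::1:2": "all DHCPv6 relay agents and servers",
}
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")
LINK_LOCAL_MCAST = ipaddress.IPv6Network("ff02::/16")


def classify(addr: str) -> dict:
    """Decode an IPv6 address the way a firewall rule author needs to see it:
    is it multicast, what scope does it carry, and may a router forward it."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        return {
            "address": str(ip),
            "multicast": False,
            "scope": "link-local unicast" if ip.is_link_local else "unicast",
            "forwardable": not (ip.is_link_local or ip.is_loopback or ip.is_unspecified),
            "well_known": None,
        }
    value = int(ip)
    flags = (value >> 116) & 0xF   # 0RPT flag nibble; T=1 means transient (not IANA-assigned)
    scope = (value >> 112) & 0xF   # scope nibble
    name = WELL_KNOWN.get(str(ip))
    if name is None and ip in SOLICITED_NODE:
        name = "solicited-node (NDP)"
    return {
        "address": str(ip),
        "multicast": True,
        "scope": MCAST_SCOPES.get(scope, f"reserved/unassigned (0x{scope:x})"),
        "transient": bool(flags & 0x1),
        # Routers never forward interface-local (1) or link-local (2) scope; larger
        # scopes are forwarded within their zone; 0 and f are reserved.
        "forwardable": 0x2 < scope < 0xF,
        "well_known": name,
    }


def matched_by_ff02_rule(addr: str) -> bool:
    """Would a pass rule with destination ff02::/16 match this destination?"""
    return ipaddress.IPv6Address(addr) in LINK_LOCAL_MCAST


if __name__ == "__main__":
    # Constructed sample destinations, modelled on what a LAN-side log might show.
    samples = ("ff02::1", "ff02::2", "ff02::1:ff12:3456", "ff05::1:3",
               "ff0e::101", "ff12::1234", "fe80::1", "2001:db8::1")
    for a in samples:
        print(f"{a:20} ff02::/16 rule matches: {matched_by_ff02_rule(a)!s:5} {classify(a)}")
```

The point for rule writing: everything that matches ff02::/16 stays on the link no matter what the firewall passes, so such a rule only decides whether local hosts may talk to the groups, it never creates a routing path.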
  • ERR_CONNECTION_RESET_

    0 Votes
    2 Posts
    294 Views
    E
    @mic.bummer said in ERR_CONNECTION_RESET_:

    "Hi forum, I have a problem with the web site b2b.resortlife.travel. I have different networks, external IPs, cities, local VLAN addresses, but pfSense in all gateways, with different versions too; yeah, I will update all soon. I tested that on the 2.7.2/2.8.0/2.8.1 versions. I already tried traceroute, telnet, ping, Test Port; all tests successful, and the firewall shows allowed 443 traffic from LAN/VLAN networks to this site in System Logs > Firewall. I already tried changing the settings "Disable hardware checksum offload" and "Clear invalid DF bits instead of dropping the packets"; DNS resolves IPv6 and IPv4 addresses, and I already tried writing the IPv4 addresses to the hosts file of the client... In all browsers the site opens the icon on the tab, loads slowly and shows the error: ERR_CONNECTION_RESET. How else can I resolve that? I have this error just with that site; you can try it on your pf... The site opens from other firewalls, like Keenetic, Huawei, D-Link. Thanks..."

    Since ping, traceroute, and port 443 tests work, but the browser shows ERR_CONNECTION_RESET, the connection is being reset during the TLS handshake, not blocked. I think the main reason is Snort / Suricata (IPS): temporarily disable and test. You should try disabling Snort/Suricata and pfBlockerNG. Go to Diagnostics → States → Reset States.
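Added example, not from either poster: a Python probe that separates the stages the thread conflates. A successful ping, traceroute or Test Port only proves that the TCP connection is set up; ERR_CONNECTION_RESET means the connection was torn down afterwards, during the TLS handshake, which a pass/block rule on the SYN could not produce. The probe reports which of the two stages failed and is the check to run from a LAN client (or from the pfSense shell with the real host and port) before disabling packages. The local "server" below is a constructed test double that accepts TCP and then resets the connection mid-handshake, so the script runs offline; the HINTS text is this example's own reading of each outcome, not pfSense output.

```python
import socket
import ssl
import struct
import threading


def probe_tls(host, port, sni=None, timeout=5.0):
    """Return (stage, detail). Stages: 'tcp_connect_failed', 'tls_handshake_failed', 'ok'.

    sni: hostname to send in the ClientHello; None sends no SNI (use for a raw IP)."""
    ctx = ssl.create_default_context()
    # We only ask whether the handshake completes at all; certificate trust is a
    # separate question, so verification is switched off for this probe only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp_connect_failed", f"{type(exc).__name__}: {exc}"
    with raw:
        try:
            # wrap_socket() on an already-connected socket runs the handshake now.
            tls = ctx.wrap_socket(raw, server_hostname=sni)
        except OSError as exc:  # ssl.SSLError (incl. SSLEOFError) and ConnectionResetError
            return "tls_handshake_failed", f"{type(exc).__name__}: {exc}"
        with tls:
            return "ok", f"{tls.version()} {tls.cipher()[0]}"


# Interpretation of each stage, written for this example (not a pfSense message).
HINTS = {
    "tcp_connect_failed": "TCP never completed: a block rule, route or dead host; "
                          "look for a block entry in the firewall log.",
    "tls_handshake_failed": "TCP works but the handshake is torn down: the RST comes "
                            "from something inline (an IPS such as Suricata/Snort, "
                            "pfBlockerNG) or from the server itself, not from a rule "
                            "that would have stopped the SYN.",
    "ok": "TLS completes on this path; look elsewhere for the browser error.",
}


def start_resetting_server():
    """Constructed test double (not a real upstream): accepts TCP, reads the
    ClientHello, then aborts with a TCP RST by closing with SO_LINGER set to 0.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # consume the ClientHello instead of answering it
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()     # linger 0 => RST; the client sees ECONNRESET mid-handshake
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Reserve an ephemeral loopback port and release it so nothing listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for label, port in (("resetting server", start_resetting_server()),
                        ("closed port", closed_port())):
        stage, detail = probe_tls("127.0.0.1", port)
        print(f"{label}: {stage} ({detail})")
        print("  ", HINTS[stage])
```

Against a real site, pass the hostname as `sni=` as well: an inline inspector or the server may reset only when a particular SNI is seen, so a probe without SNI can succeed where the browser fails.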
  • WAN rule not working as expected (@4294967295)

    0 Votes
    12 Posts
    527 Views
    fabnavigatorF
    @KOM First of all, this is a work in progress for me. I've only had pfSense for about six weeks. In that short time I've been able to see how chatty so many of my devices are. I had no idea what they were all up to. By creating rules and seeing what sort of traffic is getting blocked I've been able to get some visibility. Do I really need some of what I'm doing? Probably not, but it's not giving me headaches. This isn't my real job, just a hobby. I have VLANs for the devices I really don't trust (smart TVs and IoT devices), but I have a number of Linux servers that I basically trust, but I'm restricting the ports they can use to get to the Internet. I also have a couple of Bose WiFi speakers that I don't trust at all, but couldn't get them working when they were on a VLAN. They are on LAN, but I created a rule to only let them do what they need to do. No Internet access for them.
  • 0 Votes
    4 Posts
    247 Views
    johnpozJ
    @KTDavis well glad you got it sorted, and nice to see you wanted to lock it down, not just icmp any ;)
  • OpenVPN TAP firewall rules.

    0 Votes
    6 Posts
    305 Views
    J
    @JonathanLee said in OpenVPN TAP firewall rules.: "@Jarhead any any rules scare me, you got to know at least a source or destination" Exactly my point. What would the destination be when it's the same subnet as the source? The only difference is it's going through the VPN tunnel, but the other side is still the same subnet because it's a TAP tunnel. I would think it wouldn't need any rules.
  • Allow traffic from port 0 from a specific IP address

    0 Votes
    14 Posts
    823 Views
    johnpozJ
    @JamesBCSD said in Allow traffic from port 0 from a specific IP address: "replaced the router with pfSense" That makes sense then - a router's not going to care what source and destination ports are in play - it's just routing ;) Yeah, it's possible you could pick up a little refurbished mini PC for cheaper than a Pi.. Mine sure are not the fastest horse in the stable, that is for sure.. More like the slowest/oldest mule in line to the glue factory dragging its feet because it knows where it's headed.. But it can do what I want it to do ;) Sure wouldn't need much to run syslog in relay mode, that is for sure.. A Pi Zero would prob be all you would need.
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.