Sorry for the very delayed reply, this is the first chance Ive had to do some testing.

It now appears as if its working, although please let me know if I'm missing something, and the only thing I've done is that I restarted the router the other day due to some issues with my internet connection.

I started off my confirming all subnets and IPs were correct then proceeded with the following tests

Desktop 10.100.3.3 255.255.255.0
Firestick 10.100.3.5 255.255.255.0
Mobile 10.100.3.6 255.255.255.0
Tablet 10.100.3.7 255.255.255.0

Laptop 192.168.1.21 255.255.255.0

Desktop to Firestick SUCCESS
Desktop to Mobile SUCCESS
Desktop to tablet SUCCESS
Desktop to www.google.co.uk SUCCESS
Desktop to 8.8.8.8 SUCCESS
Desktop to 10.100.3.1 FAIL (as expected)
Desktop to Laptop FAIL (as expected)

Mobile to Desktop FAIL (Not as expected but research shows this is a windows firewall rule I need to configure)
Mobile to Firestick SUCCESS
Mobile to Tablet SUCCESS
Mobile to www.google.co.uk SUCCESS
Mobile to 8.8.8.8 SUCCESS
Mobile to 10.100.3.1 FAIL (as expected)
Mobile to Laptop FAIL (as expected)

Tablet to Desktop FAIL (Not as expected but research shows this is a windows firewall rule I need to configure)
Tablet to Firestick SUCCESS
Tablet to Mobile SUCCESS
Tablet to www.google.co.uk SUCCESS
Tablet to 8.8.8.8 SUCCESS
Tablet to 10.100.3.1 FAIL (as expected)
Tablet to Laptop FAIL (as expected)

@kineticspl said in Blocking IOT inbound access:

I thought outbound only access was "safe" for IOT devices

Noop.
On the contrary.
With free outbound access you can't be sure what the camera does with all the info (images) it collects.
Storing all these videos on a 'cloud' => great. You really have to trust that cloud storage.
That's why cameras are (should !) be using a local NAS or DVR, with big disks (+UPS because this is /privacy security related).
Or you rent your own cloud "NAS", a place where you are the admin (root ) and no one else. Best would be to open a VPN tunnel between your pfSense and this off site cloud/disk space storage facility.

@kineticspl said in Blocking IOT inbound access:

didn't work locally on my network even with rules in place

What rules ? Where / on what interface ?

@kineticspl said in Blocking IOT inbound access:

I tried googling and found "hole punching"

Also called : NATting (actually PATting) : this is needed so you or some one else can initiate a connection to the IOT from 'anywhere on the Internet'.
This is ok, if it was 'you' using, for example, your phone, to client to 'home' to look at the camera.

Normally, you don't NART anymore. Activate the OpenVPN server on pfSense.
On your phone : use an OpenVPN app.
When needed, activate the phone openvpn app fist : your phone is now connected safely with your pfSense, and you can access all local resource 'as if you were at home' without any security issue.
When done, stop the OpenVPN connection.

@kineticspl said in Blocking IOT inbound access:

robot vacuum

What is that ?

@kineticspl said in Blocking IOT inbound access:

Ideally I'd like to only be able to access these devices locally and not from the outside at all.

That's what you obtain by default.
Put them, IOT stuff, on a separate network, and if needed, block outgoing traffic on that network, with the exception of, for example, NTP-to-pfSense, if these IOT need real time.

@Jake-0 said in Help with bridging issue:

However, after i created the bridge on the LAN interface I immediately lost connection to the Web Console.

This shouldn't happen normally.
Steps to do this: Change the LAN IP to something else in the LAN subnet and access the webConfigurator using the new IP.
Create a bridge and add the LAN and other interfaces to it.
Create a bridge interface, enable it and assign your desired LAN IP to it.
Then you can remove the substitution IP from the LAN interface.

@Hammer8

I experience the same with headscale, a fork of tailscale controller to self-host.

I made an auth-key (that does eventually expire) and register the pfSense node WITHOUT an expiration date. After some weeks it dies and I cannot get it back online without making a new auth-key.

It is as though the tailscale package does

tailscale login

instead of

tailscale up

at random times.

Seeing this on pfSense 2.7.0 with the 0.1.4 tailscale package

Next time it fails we need to go in the CLI and see if there are any clues as to why its logged out. IMO once logged in, it should only do tailscale up and tailscale down, it should not login, logout.

@ASGR71 said in IP Address format of firewall aliases:

within the CIDR range are still getting through!

Like what? What IP and in what cidr do you think it should hit. If your going to create an alias.. Validate that aliases actually populated with what you put in via the table listing under diagnostics.

As to doing this with pfblocker on a sg1100.. Why prob not a good idea to use pfblocker with some crazy amount of dnsbl settings.. Creating some asn based aliases is pretty low resource requirement.

I've had this problem... isolating subnets etc...
This is a common issue with firewalls and you can find out how to do this in the documentation...
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/opt-lan.html
It will give you a fully explanation than is possible in the forums.

;-)

Hey Tim...

I've had this problem... isolating subnets etc...
This is a common issue with firewalls and you can find out how to do this in the documentation...
Just substitute OPT with WLAN or IOT. Should be all the same.
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/opt-lan.html

If you want to isolate individual clients, it has to be done at the switch level.
You'll have to find a managed switch that suppoers this feature.

;-)

Things to think about thank you.

I shall look at moving my IOT's to their own LAN.

I quote like a bit of tinkering, that's partly there reason I have pfSense, I'll persevere with Snort for a bit, see how it goes.

@alexmay we certainly appreciate your thoughts and insight on this for sure! What I ended up doing because of the sheer capitulation from port mappings… I created an Alias for the NVR and Doorbell (Lorex Devices) allowed all ports to those two devices only. As much as I loath AWS and Google, the dynamic source port mappings far exceeds my capacity to continue allow/deny round robin port maps.

Maybe I could try allowing ports 5088, 5070, 8080 from the source to those ios but I’m not 100% confident on my ability to get this rule correctly on the LAN side…

@MikeHalsey Hey Mike...

I've had this problem... isolating subnets etc...
This is a common issue with firewalls and you can find out how to do this in the documentation...
Just substitute OPT with WLAN or IOT. Should be all the same.
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/opt-lan.html

If you want to isolate individual clients, it has to be done at the switch level.
You'll have to find a managed switch that suppoers this feature.

;-)

@zaitz said in OpenVPN client network FW rules:

@zaitz

I got it. If i add "ifconfig-push 10.10.1.66 255.255.255.0" to the CSO then the client will get a static IP which I can now filter!

The tunnel network field is meant for this setting.

@iptvcld This is a known issue that should have been solved with a super recent update to pfB, BUT I don't think that update is working.

Under this github post the typo was supposed to have been changed, but in my HA environment it doesn't seem to be working. I'm still investigating.

https://github.com/pfsense/FreeBSD-ports/commit/734989ab5809fe5c7bde23a240e717da656775ac

@BBcan177 any ideas here? I have an HA setup with this update applied and have validated that it shows "pfblockerngsync" instead of "pfblockerngsyncd" but I'm still getting errors and things don't see to sync.

SOLVED - Needed to create additional outbound NAT rules on site A's WAN2 for site B's local subnets

@Gertjan
Appreciate the help and all the examples with screenshots you've given so far, really learned a lot from you.

@SteveITS

No, I'm not using the pfb_dnsbl right now.

I haven't tried to turn off pfblocker yet so, unknown right now.

The only thing I know of that I am using it for is the ip alias to try and bypass the VPN for certain sites.

Do you think it might help if I disable it?

@johnpoz I tried to tighten up the rules for the IP Cameras. Would these rules seem reasonable, I know I still have the ! bit and will sort that later but the rest?

There are cameras attached to a NVR and a standalone camera, both require 587 to send emails and I opened 123 for NTP.

Have I missed anything else?

Excuse me but i haven't done anything yet.

LanBo, DmzM, LanB, LanCo etc. etc. are remote LANs that i reach with the related VPN tunnels (see screenshot IPSEC001).
I would like the traffic between the various remote LANs to pass through but not mix with the traffic directed to the Internet.
And my understanding is that with the "Default allow LAN to any rule", this is what happens.

@mameen-lk said in Unable to RDP using pfSence:

Is there any option where we could bypass for a specific host or add a rule in squid proxy

Sorry, but I've never used the Squid packages on pfSense. However, I would suspect there is a mechanism for implementing a "white list" of trusted IP addresses. Most packages that do some level of blocking provide a means for whitelisting.

You could try posting in the Cache/Proxy sub-forum which covers Squid related questions: https://forum.netgate.com/category/52/cache-proxy. Users there will be familiar with the various Squid packages available on pfSense.

@Krisbe said in Firewall rule interface vs source network:

there can be no other source.

exactly.. Rules should be as explicit as possible - why would you set any where there can only be staff, so set to staff net