• Toggle a firewall rule from command line?

    1
    0 Votes
    1 Posts
    153 Views
    No one has replied
  • Websockets and Firewalls

    1
    0 Votes
    1 Posts
    424 Views
    No one has replied
  • Not able to access websites/network connection issues

    20
    0 Votes
    20 Posts
    1k Views
    bmeeksB
    If your ISP does not provide IPv6 service, then certainly disable those settings. But if your ISP provides an IPv6 connection, enabling that in pfSense is fine. However, if you are not skilled in the networking art, it may be better to not attempt to configure IPv6 because it seems each ISP has their own unique "quirks" in their implementation of that protocol. The other thing I notice in your logs is that you seem to have the "Block Private Networks" setting enabled under INTERFACES > WAN. Your default gateway looks to be in RFC 1918 space (192.168.0.1), so you definitely would want to uncheck that option as shown below: [image: 1700686894688-blockprivatenetworks.png]
  • Frequent IDS alerts - What do they exactly mean?

    8
    1 Votes
    8 Posts
    1k Views
    johnpozJ
    @toddehb if it's enabled on lan as well, then why wouldn't the rule have triggered on the lan showing you which IP sent the traffic?
  • Country list not editable on installation

    1
    0 Votes
    1 Posts
    224 Views
    No one has replied
  • Black Facebook WhatsApp and Instagram

    2
    0 Votes
    2 Posts
    256 Views
    GertjanG
    @vettalex Facebook has you covered, as they found out how to do that. And even better, they tested it, and 'facebook' went dark for an entire day. Now, you can't do what they did, but the start of a solution to your question is answered: block their "AS". An AS is nothing more than a list of IP addresses. pfBlockerng, a pfSense package, can block one (or more) 'AS'. Now: up to you: see the video, get to know about what AS really is, get the AS of facebook, and start testing. Go step by step. Btw: the question is very well known. Keep in mind that 'blocking a single host', or blocking a single IP address from accessing facebook, can be done; but what happens when this device changes its IP? (by changing its MAC?) Questions about blocking facebook are legion. Questions and answers about how to access it anyway exist as much (check Google).
  • Ports visible to the world behind Netgate appliance

    8
    0 Votes
    8 Posts
    474 Views
    GertjanG
    @MikeHalsey said in Ports visible to the world behind Netgate appliance: I got into the console and chose option 8 (Shell) You saw the menu: [image: 1699974811556-9c555c32-f3a0-4478-90c9-c078df500430-image.png] Type 8 + enter and you have 'full control'. Then you type (copy paste) the commands I've shown above. Btw: not really needed now, but keep in mind that the GUI is just a (several!) layers above the 'real' stuff. Even the command line is a layer, but you can use commands that can tell you everything about the system. The golden rule applies: if all goes well, you don't need (to access) it.
  • 0 Votes
    2 Posts
    400 Views
    bmeeksB
    Do you have pfBlockerNG installed and configured to automatically manage its rules? If "yes", then that's probably why. It will rearrange firewall rules when it performs an auto update.
  • Packets get silently dropped when two states are created

    1
    0 Votes
    1 Posts
    206 Views
    No one has replied
  • Unresolvable source alias after upgrade to 23.09

    27
    1 Votes
    27 Posts
    4k Views
    I
    @SteveITS said in Unresolvable source alias after upgrade to 23.09: @infamousbug Just use the ID there: a6cf534d0fa0297547f1e587a12729f9d7066bae There's a URL for the actual patch file somewhere in Github but it's easier to use the ID. @SteveITS @LinkP I got it, thanks for the quick reply!
  • HTTP from public interface reported by NGINX

    1
    0 Votes
    1 Posts
    174 Views
    No one has replied
  • Getting errors related to pfctl - device not configured

    1
    0 Votes
    1 Posts
    204 Views
    No one has replied
  • Guest VLAN Firewall Rule Clarification Please

    5
    0 Votes
    5 Posts
    507 Views
    johnpozJ
    @uplink said in Guest VLAN Firewall Rule Clarification Please: To me this doesn't make sense, since both the router (192.168.100.1) and my PC (192.168.100.2) are in the same VLAN. I thought as long as you're on the same VLAN, traffic doesn't even hit the router (or its firewall)? You are correct if device A wants to talk to B in the same network, they don't need to talk to pfsense. But in this case you specifically want to talk to pfsense (for dns). So yeah you need to allow that. Just like if device B in your network was running its own firewall. You would need to allow A to talk to it, even though no router is involved in the conversation.
  • Transparent proxy, ssl inspection + messenger problem.

    5
    0 Votes
    5 Posts
    420 Views
    S
    @periko maybe you know the solution to this problem? https://forum.netgate.com/topic/183669/squid-ssl-inspection-transparent-problem-witch-chat-on-bing-com
  • 0 Votes
    4 Posts
    685 Views
    johnpozJ
    @vmsca said in How to get to see all my IoT devices through VPN connection to remote location: what am I doing wrong? nothing really - but discovery only works on the same network. Chromecast isn't going to be discovered over routed networks, be they locally routed over a vpn even locally routed. The discovery is meant to be on the same L2. Talk to google there should be no reason to not have the option to put in the IP or fqdn of the chromecast so you can cast to it. You shouldn't have to rely on "discovery" that is great for grandma and such - but you should also have the option to set what the IP of the chromecast you want to cast to is on. They design their device so your typical home user with everything on one network doesn't have to know anything and it just discovers it and works. Which is fine, but what about those that are not on 1 flat network ;)
  • Port Forward does not work..

    help nat nat rules firewall firewall rules
    71
    1 Votes
    71 Posts
    20k Views
    V
    @johnpoz said in Port Forward does not work..: But completely agree with you - in my multiple statements that nat reflection is an abomination That's the way I know you. As I mentioned, I didn't read all posts and I missed the reason for doing NAT reflection.
  • A specific zone does not have internet access

    7
    0 Votes
    7 Posts
    489 Views
    V
    @Dave07186 Yeah, automatic outbound NAT rule generation requires that there is a gateway stated in the WAN interface settings. Without that I wouldn't expect any IPv4 subnet behind pfSense to have internet access, apart from one which is bridged to WAN.
  • block outbound ICMP or not?

    5
    0 Votes
    5 Posts
    454 Views
    beerguzzleB
    Thanks for pointing me to the ICMP part of the doc, I should have looked there. Another dumb question put to rest. I'll turn off logging for my pass rule (like it was) and leave things alone. Thank you both.
  • VOIP No Calls Need to Clear States Pfsense 2.7CE

    1
    0 Votes
    1 Posts
    280 Views
    No one has replied
  • Block Domain keep changes IP

    8
    0 Votes
    8 Posts
    596 Views
    JonathanLeeJ
    Try using Squid proxy with Squidguard :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.