@deanfourie said in Simple firewall rules are not working?:

Theres not other way around that right...?

Around what? By default the lan rules would be limited to IPs in the actual lan net say 192.168.10.0/24, so even if you had someone setup 192.168.11.x/23 on their device so that they could talk to 192.168.10.x, pfsense would not allow the traffic, nor nat it to whatever your wan IP is so unlikely they could talk to anything past pfsense.

@Stewart is a new hostname predictable? You could create an Excel sheet to increment the number in the hostname and paste that in. There’s an alias import function but 1) I don’t know if it works with hostnames, https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#bulk-import-network-aliases doesn’t list that, and 2) there’s an IMHO serious config-breaking bug in 23.05 with it but there’s a patch…look for a post by jimp a week or so ago.

PfBlocker can use ASN blocks to create an alias if you can ID your filter’s blocks. It’d be a bit odd if they don’t tell you; the ones we’ve used have always provided IP blocks.

Dear @viragomann

Thank you so much for taking the time to explore this in detail!

I have now done it in the simplest and for me most logical way. I allow only DNS, HTTP and HTTPS, but this in all networks

a831a9ec-f2da-4de5-9b3d-fbbe2d4eca28-image.png

So it's secure enough for me and yet, the networks can access my webservices.

Thanks for the help and explanations!

Best regards

@nickyw Yes that’s the one. Not sure then.

@onthebeach said in Interface rules - best practices for IoT network(s)?:

Not sure why this needed to be moved anywhere, this, for me, this has been an installation issue and not a firewall issue (I never got that far).

While it might be part of your initial configuration what you're describing has nothing to do with the installation of the software onto hardware but the configuration and, specifically, configuring your firewall.

@Banana4438 said in No DHCP on IoT vlan:

@furom
hope you have good luck with yours.

Thanks! I did actually, (and forgot to mark this as solved). It was indeed a misconfiguration, if I recall correctly it was both my Proxmox networking settings and the Netgate switch that had been set wrong. :)

@mspuckman To me this sounds like DNS.
I let pfSense (unbound) handle it, not using any forwarders. These are the rules I use;
5c891a22-ea23-4a7b-8ff3-9814a3ff0e40-image.png (local_lans is a interface group containing all except WAN)

Then for every network I need DNS, I have a rule like this
8e1e4dc0-755e-4693-9019-525db1a6851a-image.png

This works well for me, hope you find it useful too

@JKnott , @Bob-Dig , circling back to thank you two for this discussion and the ULA guide.

Running 23.05 on a commodity box with per-subnet prefixes for ULAs and GUAs. The latter prefixes are dynamic. Addresses obtained by SLAAC for both, plus static ULAs for machines that need local DNS entries. No NPt or NAT. It works well.

@viragomann Thank you. Having internet not using vpn gives me Japan internet. Not good. I will use your guide. Elmo

@nononsense said in help converting from ipv4 to ipv6:

I have a reasonable successful history of using ipv4 and running a pfSense firewall on this protocol but the conversion to ipv6 seems a mystery to me.
I'm looking for some practical help making the leap to ipv6.
Any thoughts, tutorials, videos, links ideas or advice on practical implementation of ipv6 (in pfsense) would be really appreciated

For the most part, IPv6 works the same as IPv4, but with much larger addresses. Things like arp are replaced with neighbor solicitation, etc. You also don't have to configure anything on the client as SLAAC handles all that. You also don't worry about subnet size, as LANs always have a /64 prefix. With SLAAC router advertisements provide all the info a client needs to work. While DHCPv6 is available, generally SLAAC does all you need. Also, Android doesn't work with DHCPv6. You can thank some genius at Google for that. You should also have several /64 prefixes available, for multiple networks. For example, I get a /56 prefix from my ISP. This provides 256 /64 prefixes. I use one for my main LAN, another for my guest WiFi, OpenVPN, a test LAN, etc. Also, all devices will normally get public addresses, though you can also configure a network to use Unique Local Addresses, either by themselves or along with public addresses.

You will also have to unlearn some bad habits that you picked up with NAT and the IPv4 address shortage.

If you want to get into the nitty gritty details of IPv6, I can recommend IPv6 Essentials.

@gertjan Hello. thanks for reply.
I´m going to try pfblockerng!
:-)

@johan-2 Ah. Not using pfSense as the gateway, then. :)

@steveits Wanted to do a fresh build, clear out any gremlins in the config I have accumulated over the last 10 or so years. I ended up going with a Netgate 1537 1U

@steveits

I did exactly same now question is , I don't want to send request of port 25 via WAN but it suppose to goes via DMZ (MTA) .

@viragomann Appreciate your prompt reply and thank you very much

@kracken64 Sometimes sites/routers will drop/ignore pings if they get busy. Sometimes a hop or two out will work better, sometimes worse.

Thanks so much.
I assumed there'd be a switch hiding somewhere in the configurations.
👍

Thank, this is very helpful :) I have used a few aliases before but will try to use them more. Created one for Spotify now... :)

Edit: But now I want to organize stuff... Can I assign more than one alias per rule? It wouldn't accept that it seems... But would be so nice... (bringing order to chaos) 👍
Edit2: GOT it! I created a new alias and added the ones I already had... Works great! Love pfSense some days! lol Only(?) drawback is I can now only see the other alias names, not their contained ports

Hi,
@heper @Dobby_ How to set/push routes? System -> Routes? Or IPv4 Remote network(s) (configure OpenVPN Server at center 1, or client in 2 or 3?)
@michmoor I can manipulate TCP/UDP ports in center 1, and center 1 has static ip. Two and three, is dinamic, and open the ports is not easy.
Best regards