• Blocking IoT and other devices on my network

    0 Votes | 11 Posts | 2k Views
    @MikeHalsey Hey Mike... I've had this problem... isolating subnets etc... This is a common issue with firewalls and you can find out how to do this in the documentation... Just substitute OPT with WLAN or IOT. Should be all the same. https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/opt-lan.html If you want to isolate individual clients, it has to be done at the switch level. You'll have to find a managed switch that supports this feature. ;-)
  • OpenVPN client network FW rules

    0 Votes | 7 Posts | 493 Views
    @zaitz said in OpenVPN client network FW rules: @zaitz I got it. If I add "ifconfig-push 10.10.1.66 255.255.255.0" to the CSO then the client will get a static IP which I can now filter! The tunnel network field is meant for this setting.
  • XMLRPC not syncing pfBlockerNG

    0 Votes | 2 Posts | 292 Views
    planedrop: @iptvcld This is a known issue that should have been solved with a super recent update to pfB, BUT I don't think that update is working. Under this github post the typo was supposed to have been changed, but in my HA environment it doesn't seem to be working. I'm still investigating. https://github.com/pfsense/FreeBSD-ports/commit/734989ab5809fe5c7bde23a240e717da656775ac @BBcan177 any ideas here? I have an HA setup with this update applied and have validated that it shows "pfblockerngsync" instead of "pfblockerngsyncd" but I'm still getting errors and things don't seem to sync.
  • Site to Site Policy Routing

    0 Votes | 2 Posts | 220 Views
    SOLVED - Needed to create additional outbound NAT rules on site A's WAN2 for site B's local subnets
  • 0 Votes | 5 Posts | 470 Views
    @Gertjan Appreciate the help and all the examples with screenshots you've given so far, really learned a lot from you.
  • Need help with my firewall settings?

    0 Votes | 3 Posts | 435 Views
    @SteveITS No, I'm not using the pfb_dnsbl right now. I haven't tried to turn off pfblocker yet so, unknown right now. The only thing I know of that I am using it for is the ip alias to try and bypass the VPN for certain sites. Do you think it might help if I disable it?
  • Firewall Rules / VLANs / Synology NAS

    0 Votes | 16 Posts | 2k Views
    @johnpoz I tried to tighten up the rules for the IP Cameras. Would these rules seem reasonable? I know I still have the ! bit and will sort that later, but the rest? There are cameras attached to an NVR and a standalone camera, both require 587 to send emails and I opened 123 for NTP. Have I missed anything else?
  • More correct rules

    0 Votes | 3 Posts | 310 Views
    conbonbur: Excuse me but I haven't done anything yet. LanBo, DmzM, LanB, LanCo etc. etc. are remote LANs that I reach with the related VPN tunnels (see screenshot IPSEC001). I would like the traffic between the various remote LANs to pass through but not mix with the traffic directed to the Internet. And my understanding is that with the "Default allow LAN to any rule", this is what happens.
  • Unable to RDP using pfSence

    Tags: firewall rules, firewall
    0 Votes | 5 Posts | 1k Views
    bmeeks: @mameen-lk said in Unable to RDP using pfSence: Is there any option where we could bypass for a specific host or add a rule in squid proxy Sorry, but I've never used the Squid packages on pfSense. However, I would suspect there is a mechanism for implementing a "white list" of trusted IP addresses. Most packages that do some level of blocking provide a means for whitelisting. You could try posting in the Cache/Proxy sub-forum which covers Squid related questions: https://forum.netgate.com/category/52/cache-proxy. Users there will be familiar with the various Squid packages available on pfSense.
  • Firewall rule interface vs source network

    0 Votes | 5 Posts | 489 Views
    johnpoz: @Krisbe said in Firewall rule interface vs source network: there can be no other source. exactly.. Rules should be as explicit as possible - why would you set any where there can only be staff, so set to staff net
  • Airplay 2 between two VLANs / Need of UDP rule from receiver to sender?

    0 Votes | 1 Posts | 270 Views
    No one has replied
  • You don't have authorization to view this page

    0 Votes | 2 Posts | 698 Views
    @ryanwhite36 This error message comes from the web server or from a proxy in between. So do you run a proxy?
  • Interface-Perspective | Ingress-Egress | Inbound-Outbound

    0 Votes | 1 Posts | 301 Views
    No one has replied
  • Is there a log of all EasyRules?

    0 Votes | 2 Posts | 341 Views
    @pV5 said in Is there a log of all EasyRules?: Today I noticed a bunch of "EasyRules" that were created in my Aliases and Firewall Rules. I don't remember ever adding these but I surmise they somehow got automatically added when I was looking through the WAN firewall logs. I must have clicked the wrong thing when expanding some of the entries. Is there a log file that shows when and where each EasyRule was created? Or another easy way to list and delete them? So far I only see that block rules were created but I want to make sure that I didn't accidentally create any pass rules somewhere too. Uhhhh... FACEPALM moment! Not really... but if you click 'edit' on each rule and go to the bottom it will tell you what user made the rule, when they made it, and who, if anyone, edited the rule and when.
  • Questions regarding Layer 2 firewalling

    0 Votes | 5 Posts | 441 Views
    Gotcha, Thank you!
  • New user Compromised pc - APT & keylogger

    0 Votes | 39 Posts | 4k Views
    JonathanLee: @provels but hey it's got a cool puzzle inside it to fix still. If it's thrown out it will just pop up somewhere else and have a new victim. https://www.rosevilletoday.com/news/foreign-hackers-target-home-and-office-routers/ A home office router bug has occurred in the past in some locations. Leading to the default solution when say the government does start to discover the main threat or issue, is that everything is always timed just right with a math equation so that all of a sudden it's "upgrade time" and bingo now it's time for a new system. Like say a fiber optic network. Or, to use that and say we disconnected that old equipment to force the upgrades. Leading to that issue occurring again inside all new equipment that again is made in another country with different data sovereignty and laws again. After that has been resolved with what I have coined as "the consumer replacement upgrade mitigation platform" it becomes a throw-the-bug-under-the-bus replacement plan again with statements like, "that issue was the old equipment, so it's time to update!!" This results in tons of e-waste and tons of excuses for who's to blame. A couple months later it's back to the hacked devices as usual and the government is back to catch-up and new training as usual. Or the other solution now is they just silo the guys that find the bugs with a shiny new all-in-one equipment plan and tell them they can't use their own routers. That way it's harder to catch those invasive actors. Hey, we are all to blame, we want that latest greatest product. What this needs is programming professionals that can stomp out issues with compliance servers, firewalls and code we can trust, built with communities. Open source is a good solution, it's starting to get closer to where we are one step ahead of the invasive actors.
  • Router Credential hackers Keylogger

    0 Votes | 29 Posts | 3k Views
    @rcoleman-netgate I only asked as I'm showing it to educate the person who insists on using it. I'm aware of it.
  • How to comunicate 3 NICS with PfSense

    0 Votes | 9 Posts | 658 Views
    johnpoz: @macaruchi said in How to comunicate 3 NICS with PfSense: I have a DHCP NIC3 Huh? If you're going to connect a wifi "router" to some interface in pfsense.. pfsense interface would be dhcp.. And to be honest your wifi router should be used as just an AP.. You would put an IP on 3rd nic that does not conflict with wan or lan networks that you want to use for your wireless network.. Now you would connect your wifi router as just an AP.. either it supports that mode, or just turn off its dhcp server, set its "lan" interface to an IP in the network you setup on your 3rd nic. And then connect it to the 3rd nic with one of its "lan" ports.. There you go Access Point. Clients that connect to this wifi you setup via the "wifi router" would get an IP from pfsense, use pfsense as its gateway.. Any network directly connected would auto get added to your outbound nat.. the idea is has 2 Vlans in WIFI Does this "wifi" router support vlans? Is it running 3rd party software on it, openwrt, dd-wrt, tomato, etc. ?
  • Filtering/Closing WAN HTTP/HTTPS INBOUND PORTS on a 5g broadband device

    0 Votes | 1 Posts | 170 Views
    No one has replied
  • Setting the correct firewall for docker and desktop communication

    0 Votes | 8 Posts | 3k Views
    @viragomann said in Setting the correct firewall for docker and desktop communication: Your docker subnet has access to any local network like the LAN now per the second rule. Is this desired? It was more the fact I wanted to go with the blanket approach during setup and slowly narrow the parameters when I had a better understanding. I think restricting this to the devices that actually need access to it is preferable. @johnpoz said in Setting the correct firewall for docker and desktop communication: personally I wouldn't do ! rule like that.. I would have rule that allows traffic to rfc1918, and then on your last rule that allows internet I would force it out the gateway. I like trying different approaches to help with understanding so I will try this method. And now that I have a setup that works it's going to be easier to test.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.