• 0 Votes
    5 Posts
    1k Views
    This is a named interface (WAN2) and I can find references to it in the firewall logs (non-0.0.0.0 source).
  • How to find in syslog that rule was changed

    0 Votes
    6 Posts
    425 Views
    Gertjan
    @aldomoro Normally, a device like pfSense is handled by 1 (one) person. Everything is logged in his head. No GUI needed. When a device like pfSense is administrated by multiple persons, then the main admin has some preparation to do. Examples: Open a common telegram/whatsapp .... sorry, no, Tiktok channel, and have it explained to every candidate that every modification should be annotated on this common channel. Or: install the pfSense Notes package, and have every admin 'note' the date and modification made. Or: don't accept this multi-admin situation and the ongoing "who did what when" question. Activate the OpenVPN server, and the one and only admin can change whatever he wants, even when he is on the beach somewhere. A "descriptive GUI interaction to a log file"? While I was thinking about that, I found this: Windows doesn't have a thing like that ^^
  • websites not showing SEC_ERROR_EXPIRED_CERTIFICATE via pfsense only

    0 Votes
    4 Posts
    437 Views
    @BassStation70 strange, ended up having to reboot the pfsense and then it was fine
  • LAN to WAN Default Rules

    0 Votes
    5 Posts
    463 Views
    @NogBadTheBad Thanks for the suggestion... I was only showing the bottom part of the rules for the LAN. The full set are here and I still have the anti lockout rule at the top :) Just trying out your suggestion and will monitor for a few minutes - see which rules pick it up. Thanks. [image: 1693394150300-fa832578-98af-48d7-978a-ca920ecf5187-image.png]
  • Systems are stuck on previous ISP even after member down

    0 Votes
    1 Posts
    148 Views
    No one has replied
  • 0 Votes
    6 Posts
    503 Views
    @viragomann Thanks. I only have one external WAN port and several internal networks. I have the default block rule and 2 other rules that were created by PFSense DNSRBL. All other traffic is allowed outbound. I am not sure what/why would be blocking it.
  • Taming Snort with Portscan detection on

    0 Votes
    5 Posts
    638 Views
    bmeeks
    @AirGapped said in Taming Snort with Portscan detection on: @bmeeks If I run Snort with the oink Code on my LAN will this cover my vlans as the Lan is set as the parent Interface? Yes, because the interface is placed in Promiscuous Mode when using Legacy Mode Blocking, running on the parent will also check all VLANs defined on that parent.
  • Blocking wanted inbound traffic - no rule

    0 Votes
    17 Posts
    717 Views
    cdsJerry
    @SteveITS I think I'll leave it as it is. I don't want to make my firewall too customized because I'm not an expert at it and then it gets harder for someone to help me when I have problems. For example, you know how long I was making changes to the rules and was super frustrated because they never worked? It was probably years before I learned that I have to reset the States tables before any blocks would take place if I was being attacked at the time I added the block. To me it seems like when you save a change it should change everything it needs to change for it to take effect, that the software should do it automatically. But... that's not how it works. PfSense is a super strong firewall if you want to spend all the time to learn it and then remember what you learned. But for a small business guy like me I have a lot of other things I need to be doing instead of learning complex details about a firewall. Especially since I won't change anything again for long periods of time and by then I'll have forgotten some of what I used to know.
  • Jellyfin/Truenas/OMV cannot access internet outbound

    0 Votes
    8 Posts
    947 Views
    @johnpoz I just reset pfsense to factory, tried to download jellyfin metadata, and it still does not work. Given that it is now a default pfsense, is there a firewall rule I need to allow jellyfin to access the web? Or is it possibly a proxmox issue?
  • IPv4 Routes Flags explained?

    0 Votes
    3 Posts
    541 Views
    NogBadTheBad
    FreeBSD Man Page for netstat https://man.freebsd.org/cgi/man.cgi?query=netstat&apropos=0&sektion=0&manpath=FreeBSD+13.2-RELEASE+and+Ports&arch=default&format=html Look at the netstat -r section.
  • Modem - firewall - Orbi Pro Router Mesh

    0 Votes
    3 Posts
    488 Views
    @SteveITS That's interesting, as I did notice the IP from the modem to the router was 72..... pfSense saw it as 50.... I will try power cycling the modem first. Thanks for the info.
  • Untagged VLAN to Interface

    0 Votes
    3 Posts
    385 Views
    I think as I am writing the response, the knot in my brain untied and I think I know now where I was wrong. I will try it out tomorrow. The setup is 3 IF on the pfSense box (WAN, IF1 to switch, IF2 fallback). The switch should be in VLAN 69 and the configuration should be done on the switch, not in pfSense. Thank you for your quick response :)
  • Filter by HTTP(S) request by host

    0 Votes
    8 Posts
    460 Views
    If you own the CA that issues the certificate, you can generate a new SSL certificate which contains an IP:xxx.xxx.xxx.xxx in the SubjectAlternativeName. (Third-party CAs will almost certainly not issue a certificate that has an IP address in the SAN, since they cannot validate an IP address.) Then the redirect should work without the client getting an SSL error. Because a third-party CA will probably not issue a cert with an IP address in the SAN, this would only work if you own the CA and have pushed your CA's signing root to all clients who will access this server, such as a home network or managed office LAN. Of course, clients shouldn't be using the IP address for https, since it's not practically possible to ensure that the connection is secure. My approach in this case would be to provide a static page that returns a 400 or 500 error and an HTML page which includes the "correct" https URL with instructions to change their bookmarks or configuration settings, but not do a redirect. They're likely to click through the handshake error, but then they'll have instructions on how to "fix" their misconfiguration.
  • Alias Whitelist with Wireguard

    0 Votes
    5 Posts
    707 Views
    @SteveITS the only thing I'm unsure of is how I could block everything and only allow special domains with it (like PiHole Block Regex *)
  • [solved] problems with understanding "advanced" egress filtering

    0 Votes
    31 Posts
    4k Views
    johnpoz
    @Bob-Dig said in [solved] problems with understanding "advanced" egress filtering: I bet you don't need that vip to connect to your cable modem. When I had cable internet, I could connect without it. True, my last cable modem I could without the vip.. But I leave it set up so it's easy to show people how to do it if need be.. I haven't actually tested with my new S33 I got a while back.
  • Kali Purple Greenbone Setup

    0 Votes
    25 Posts
    7k Views
    @JonathanLee no I haven’t set up squid proxy yet. Something I’m looking to do but I don’t know enough about it. Gotta figure out Kali Purple… Yeah Greenbone (dinosaur) is the application I’m trying to configure. It’s one of the first tools to set up in Kali Purple.
  • NEW WAN port has anti-lockout firewall rule, Why?

    0 Votes
    14 Posts
    908 Views
    Steve and to All, Steve: I see what you're saying, I have 4 "LAN" ports and it only added the rule to one, maybe it just does it during the install to the default LAN port. I guess the idea of the auto entry is to make sure you have access to configure initially and the rest is up to you. I actually had added my own pass entries previously, so I just ticked the box in system and Voila! they went away. Thanks everyone for your help and suggestions, Scott
  • Rules to allow Homekit across vlan

    0 Votes
    42 Posts
    14k Views
    @moosport said in Rules to allow Homekit across vlan: If Homekit hub is in IoT vlan, what rules are needed for clients to access the hub? As far as I know, none. If the FW is not being traversed and you don't make any specific block or drop rules then all traffic is allowed. Will this be easier than having separate vlans? Sort of, I have 2 home hubs, one is on the same VLAN due to location, and the other (main one) can't be as it's plugged into my ethernet segment and wired and wireless are physically separate. That doesn't really answer any of my most recent questions though...
  • 0 Votes
    1 Posts
    425 Views
    No one has replied
  • Firewall Alerts on disabled interfaces

    0 Votes
    2 Posts
    278 Views
    @pokrifchakd Bump. Anyone ever seen this before?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.