• Strange behaviour only happens on Linux client

    4
    0 Votes
    4 Posts
    265 Views
    J
@viragomann About Windows. I explicitly enabled its firewall rule "File and Printer Sharing (Echo Request - ICMPv4-In)" and set the Scope to "Any IP address". In other words, the Windows VMs allow ping from any network. I've just found that it's not only the firewall that doesn't work. Diagnostic ping from pfSense to the problematic Linux VMs also failed. In the previous post I said the issue happens after restarting the VM. In fact, bringing the interface down and then up also triggers the problem. I think the only thing that still works is that the Linux VM can get an IP address from pfSense DHCP. More about the Windows VM: right after it restarts, it has the same problem as the Linux VM. However, in less than 10 seconds, its problem is gone.
  • Have trouble accessing some websites, what to do?

    10
    0 Votes
    10 Posts
    920 Views
    GertjanG
@Firewalldude89 Start by not allowing non-trusted people on your networks. And if you have to, put them on a separate network, with no access to pfSense itself, nor to your trusted LANs. And if the networks are not yours, the problems aren't yours either.
  • Block website on VLAN

    vlan block website youtube
    4
    0 Votes
    4 Posts
    2k Views
    Bob.DigB
@p2ranger @michmoor gave the link where it is explained for pfSense, but it is not time-based:
    server:
        access-control-view: 192.168.1.69/32 blocksites
    view:
        name: "blocksites"
        local-zone: "youtube.com" static
    I don't think that there is a more integrated solution for youtube.com in pfBlocker. You can force safe search for youtube though.
  • Strange connections to 1701, 4500 and 500, 2408 ports

    3
    0 Votes
    3 Posts
    1k Views
    D
@johnpoz Yea, sorry, just after I posted this I figured out it was WARP haha. WARP was being blocked and obviously falling back to use IPsec etc. I opened 2408 and away she goes, problem solved. Also, I've not had to open 2408 before because usually I am using WARP with zero trust; however, this is not supported on Linux, so now it is using 2408, which is new, hence the confusion. Sorry, my bad.
  • Need help with access across VLANS

    5
    0 Votes
    5 Posts
    443 Views
    R
@pV5 said in Need help with access across VLANS: I used Packet Capture and could see the request going to the AP and switch but nothing was coming back. I could see pfSense sending them ARP too but no response. This means the pfSense is not getting a response to find where that IP might be, so it is not passing them. Usually this is caused by:
    A missing device -- does not exist and thus cannot be found
    A mis-configured VLAN -- when you know the device is there but it's not getting an ARP validation, then the likelihood is a VLAN issue. Could be on the pf, could be on the switch.
• Seems that hacker is inserting a foreign DNS into my computer, how to remove it?

    0 Votes
    30 Posts
    2k Views
    M
@Gertjan said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?: Like: if your WAN upstream / downstream is 100 Gbits / sec then a 'miserable' (still consequent) 10 Gbit sec DOS/DDOS won't even be noticed by you. The only caveat I would add is that the resource utilization of the firewall will be impacted. As far as I am aware there are no built-in protections to protect the firewall (pfSense) itself from resource exhaustion if a DDoS attack occurs. Typically there are "Zone Protection" features in other products that limit the number of SYNs or UDPs that are allowed. Otherwise inter-VLAN traffic on the firewall will be impacted because of a DDoS on the WAN.
  • Trouble with Spotify streaming. Firewall rules at fault?

    6
    0 Votes
    6 Posts
    509 Views
    GertjanG
    @furom Hummm. Install the Tiktok app, and call me back ^^
  • stretchoid.com IP list for use in blocking their port scans

    13
    1 Votes
    13 Posts
    16k Views
    Bob.DigB
@johnpoz said in stretchoid.com IP list for use in blocking their port scans: @Bob-Dig what were the IPs? I already deleted the log file so I can't tell. But when I looked, they were almost identical to ones which were already in PRI1.
  • Opinions Requested: Rules for Transit Networks

    2
    0 Votes
    2 Posts
    341 Views
    keyserK
@pokrifchakd Very much depends on your level of control on both ends of the transit network. If I have full control of both ends (and the interfaces there), I use ANY-ANY for transit and control access directly at the client-facing interfaces. If I do not have full control of one end, I use the incoming interface on the transit link at the other end as a "de facto" client filtering interface.
  • Very High WAN Traffic When No LAN Activity

    5
    0 Votes
    5 Posts
    458 Views
    johnpozJ
@pV5 said in Very High WAN Traffic When No LAN Activity: Where in pfSense can I find the log of the default WAN deny? In the normal firewall log.. Unless you disabled logging default deny? Then all traffic blocked by the default deny on any interface would be just in the firewall log. I have it turned off - because I have specific rules to just log what I want to log, ie only SYN packets for TCP and only common UDP ports. Seeing all of the noise would be kind of pointless. But I am interested in specific traffic. Yeah, mine shows IP ranges that are not in my /21 I get from my ISP for ARP as well. It seems many an ISP likes to run multiple layer 3 on the same L2.. But all of those ARPs would account for your blinky blinky lights.
  • Important packages to stop hackers

    10
    0 Votes
    10 Posts
    1k Views
    PhizixP
    @SteveITS, Thank you that was helpful. So I will plan on moving to Suricata on the 8200 when I get it all set up. Phizix
  • Router safety blackhats

    3
    0 Votes
    3 Posts
    353 Views
    S
@johnpoz It's in our network traffic along with a full encoded form, a ton of code and our router credentials including the WAN MAC address, and the devices on our network. I specifically captured it on our LAN / ethernet with Wireshark. They even included our email address associated with the ISP that is logged in our router details. The .isp.com email address. Does that help?
  • Log management

    2
    0 Votes
    2 Posts
    352 Views
    R
@unraveller349 More storage on my device and keeping it there, or spinning up an rsyslog locally on VM server(s). But I rarely ever need the data for anything.
  • RFC1918 Outbound Recipe

    8
    0 Votes
    8 Posts
    959 Views
    planedropP
    @Bob-Dig Yeah I clearly didn't see that though lol. @tknospdr Interesting, trying to figure out in my head what would be causing that without reply-to disabled.
  • "This Firewall" not working as expected in HA (High Availability)

    2
    0 Votes
    2 Posts
    203 Views
    V
@chiel This is a known issue and was already discussed here. The alias "This firewall" covers only the IPs of the respective firewall, not those of the other node. So if you try to connect to the WAN IP of the backup from inside your network, the packets go out through the master, since this is the default gateway, and are accepted by the backup if access is allowed on WAN, which should not be the case anyway. To cover the other node as well, block access to "WAN net" on the LAN interface.
  • Cross interface talk (how to)

    22
    0 Votes
    22 Posts
    2k Views
    T
    @viragomann I see now. I actually started with a rule in that section, but it remained in 'disabled' mode no matter what I did. I was missing the info about changing to hybrid mode. Also, I just set up a host override for the name of the router too, and that also works now. Thanks!
  • Mini DMZ type subnet

    2
    0 Votes
    2 Posts
    288 Views
    Bob.DigB
    @tknospdr sure!
  • Internal devices not able to reach internal server

    2
    0 Votes
    2 Posts
    359 Views
    T
    @ryanwhite36 I had a similar issue recently trying to reach the GUI of my WAP. I ended up turning on NAT reflection in order to get around it but if there's a rule that works I'm sure the fine folks here will help you out. You can see my whole conversation here.
  • Got a Netgate 2100 MAX and got some problems with download

    2
    0 Votes
    2 Posts
    249 Views
    perikoP
Not much info you share about your issue.
    Do you have a test connection with a bandwidth web page? A lot exist if you google for seconds.
    What is your ISP up/down speed?
    Are you WiFi or wired?
    Is pf your DNS or do you have another DNS in the network? Is your DNS resolution good?
    What services do you have in your pfSense box?
    If you remove pfSense, do you have good speed?
    DoS: do you have proof or is it just an idea you have?
    What is the speed of your switch? What speed do you have on your interfaces?
    Have you tested with ping to an external domain like cisco.com, do all the packets return (at least 1000 for test)?
    Regards!!!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.