• Impossible to connect to db from internal host but ok from external
    0 Votes, 16 Posts, 1k Views
    @viragomann Yes, the server in the dig command is indeed the pfSense IP (192.168.11.1 for VM01 in the 192.168.11.0/24 subnet and 192.168.12.1 for VM02 in the 192.168.12.0/24 subnet). So two different network segments. DNS access is allowed in NAT for the WAN interface; I can access it from an external PC. In rules, for LAN011 and LAN012 I have this, so for me all ports are allowed: [image: 1690536613144-capture-d-%C3%A9cran-2023-07-28-%C3%A0-11.30.11.png]
  • Traffic With Pass Rule Blocked By Default Deny Rule
    0 Votes, 2 Posts, 275 Views
    Never mind. I restored from an old cfg file and saw that somehow all my port forwards were erased. That section seems a bit buggy because even after adding them they kept disappearing when I'd add a new one.
  • Unable to ping/access LAN network from any VLAN
    0 Votes, 3 Posts, 305 Views
    @viragomann It's always the simple things that I overlook. The only thing that changed with my network and devices was the pfSense setup. Naturally, I assumed it was something in there. I checked the firewall on the Windows PC I was trying to ping and turned off the firewall. That worked just fine. I tested by pinging a mobile device on the same LAN and it worked fine as well. Ugh, so sorry. Thanks for your help.
  • Rules Clarification
    0 Votes, 3 Posts, 317 Views
    @johnpoz Thanks for the advice, but it turns out I am a dumbass... When I said I tried to set things back up on the LANWifi interface separate network and it wouldn't work as it did before? Well, I had the ethernet plugged into the LAN port, not the WAN port, on the wireless AP. Trucks snake, had I spotted my error I would have saved myself hours of messing about.
  • NOOB HELP: Ip range
    0 Votes, 3 Posts, 283 Views
    @yoyoSE156d Go back to Interfaces > YOUR INTERFACE > Static IPv4 Configuration. Then set your CIDR range to 24 (or whatever range you want); yours is probably up near 30.
  • Setup issues with Synology NAS
    0 Votes, 18 Posts, 1k Views
    johnpoz: @Airone-0 What part are you not getting about what your client is using for DNS? If you are not using pfSense as your DNS, then host overrides will never work. Could you please post the output of, say, an nslookup on your client asking for your host override, as per my example.
  • How to access secondary wan router admin page
    0 Votes, 4 Posts, 334 Views
    johnpoz: @Gurveer So you try to access 192.168.1.1 from some client on your LAN, let's say this is 192.168.3.100. It hits your pfSense to get routed. pfSense says, oh, on my rule use gateway X, your gateway group that you set up. Now if that gateway is the current gateway, it works. But now you try to go to 192.168.2.1, and your policy route sends you to gateway1, which sure cannot get to 192.168.2.1. So put a rule above your policy route rule (the one where you have a gateway set), with no gateway set in the rule. Now pfSense will just use normal routing. You want to go to 192.168.1.1? Yeah, connected to that, send the traffic. Oh, you want to go to 192.168.2.1? Yup, connected to that, send it on. It is pretty clear in the link I provided. So either create an rfc1918 alias like in the example, or create 2 rules that let you go to 192.168.1.1 and 192.168.2.1 without going out any gateway, and put that rule or those rules above your rule that selects your gateway group.
    edit: Example - here I put a gateway on my normal LAN rule, but I placed a rule above that rule that allows getting to any rfc1918 space (10/8, 192.168/16 or 172.16/12) where I don't send it out my wan_dhcp gateway. [image: 1690118226538-example.jpg] But if you're trying to go to some non-rfc1918 network, i.e. 8.8.8.8 or 1.2.3.4 for example, it would go out your gateway, and per the settings in your gateway group go out whatever gateway is currently active.
  • Firewall rule to allow WAN outgoing
    0 Votes, 14 Posts, 2k Views
    johnpoz: @pV5 Normally, if I was locking down a VLAN, I wouldn't allow access to the pfSense GUI. But what you allow or block is up to you.
  • Default deny rule IPv4 ignore rules
    0 Votes, 3 Posts, 295 Views
    @viragomann Thank you for the explanation, I thought "WAN net" was all public IPs.
  • importing IP address list from text file
    0 Votes, 5 Posts, 1k Views
    pfBlocker should work also, as it can pull feeds in a few ways. You wrote "online", so I assumed the file was hosted on a web server. pfBlocker, I suspect, essentially uses the URL Table Alias feature in pfSense for its feeds.
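Whichever way the list is pulled in (URL Table alias or a pfBlockerNG feed), the file itself has to be clean: one address or CIDR per line, nothing the table loader will choke on, and ideally no overlapping entries inflating the table. The script below is an added example, not code from pfSense, pfBlockerNG or the thread; it assumes that target format (one IPv4/IPv6 address or network per line, `#` starting a comment) and uses a constructed sample file with documentation addresses. It parses the raw export, reports lines that are not valid addresses instead of silently dropping them, and collapses duplicates and covered networks before writing the body you would host for the alias to fetch.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of an exported IP list, deliberately containing the kinds of
# noise real exports have: comments, padding, a host already covered by a network,
# an exact duplicate, an IPv6 entry, and two lines that are not addresses at all.
# Assumed target format: one IPv4/IPv6 address or CIDR per line, '#' starts a comment.
SAMPLE_FEED = """\
# blocklist export (constructed for this example)
10.0.0.0/8
192.168.1.15
192.168.1.0/24   # already covers the host on the line above
  203.0.113.7
203.0.113.7
2001:db8::/32
not-an-address
300.1.2.3
"""


def parse_feed(text: str):
    """Split a text feed into parsed networks plus a list of (line number, entry) rejects."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop trailing comments and padding
        if not entry:
            continue
        try:
            # strict=False accepts a bare host ('192.168.1.15' becomes /32) and
            # networks written with host bits set, which exports frequently contain.
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((lineno, entry))
    return nets, rejected


def normalize(nets) -> List[str]:
    """Deduplicate and merge overlapping or adjacent networks, IPv4 first, then IPv6."""
    out = []
    for version in (4, 6):
        same_family = {n for n in nets if n.version == version}  # set drops exact duplicates
        # collapse_addresses merges adjacent blocks and removes networks covered by a larger one
        out.extend(str(n) for n in ipaddress.collapse_addresses(same_family))
    return out


def render_alias(text: str) -> Tuple[str, List[Tuple[int, str]]]:
    """Return the cleaned file body to host for the alias, plus whatever was rejected."""
    nets, rejected = parse_feed(text)
    body = "\n".join(normalize(nets)) + "\n"
    return body, rejected


if __name__ == "__main__":
    body, rejected = render_alias(SAMPLE_FEED)
    print(body, end="")
    for lineno, entry in rejected:
        print(f"rejected line {lineno}: {entry!r}")
```

Run it against the real export instead of `SAMPLE_FEED` and review the rejected lines before publishing the result: a feed that quietly loses entries is worse than one that fails loudly, and the collapsed output is what the alias should fetch.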
  • Firewall Blocking Hubitat and Amazon integration
    0 Votes, 4 Posts, 395 Views
    @viragomann I have two VPN clients set up for streaming purposes and redundancy, and I assigned devices via static IPs and aliases to use those gateways. Looking over the firewall logs, I see that Google DNS servers are being blocked. On a whim, I disconnected the VPNs and I can get it to work. I find it weird that somehow the issue is possibly tied to this. [image: 1689778263302-pfsense.localdomain-status-system-logs-firewall-normal-view-5.png] [image: 1689778263339-pfsense.localdomain-status-system-logs-firewall-normal-view-4.png]
  • New copy buttons
    1 Votes, 9 Posts, 615 Views
    periko: @jimp Issue fixed, thanks guys!!!
  • Help with guest network on access point
    0 Votes, 24 Posts, 3k Views
    provels: @fernando_om Thanks for the links. If you do decide to pursue a mini-PCIe card, I recommend one based on the Atheros AR9280 chip. And you can get bigger antennas. I use both AR9280 and 9380 based cards (not half-sized), but the 9280 seems to work particularly well, and the 9380 should have 3 antennas and I'm one short there. Good luck.
  • Interface Group Default Deny?
    0 Votes, 5 Posts, 497 Views
    @viragomann Awesome, thanks for the clarification!
  • Is anyone using Rogers Ignite TV through fpSense?
    0 Votes, 4 Posts, 698 Views
    JKnott: @guardian said in Is anyone using Rogers Ignite TV through fpSense?: I have been avoiding IPv6 because of increased issues around security/firewalling that huge IP space.
    Actually, that huge address space improves security, as it's d*mn hard for an attacker to find anything to attack. I use maybe a few dozen addresses out of 2^72. That leaves a lot of nothing to attack. Also, most of those addresses are privacy addresses, which change every day. Beyond that, protecting your network with a firewall is pretty much the same as you'd do on IPv4.
    Is it possible to add an IPv6 VLAN to a trunk that has 3 other VLANs?
    There are 4094 possible VLANs. However, your equipment will likely limit that. Certainly 4 VLANs should be doable. Like Ethernet in general, VLANs don't care whether you run IPv4, IPv6 or both. I have a VLAN here for my guest WiFi. My access point supports multiple SSIDs and VLANs. Guest WiFi users get both IPv4 & IPv6 addresses.
  • How many network(s) can we add in alias ?
    0 Votes, 5 Posts, 577 Views
    Hello @NogBadTheBad, it is Google Cloud Platform. The pfSense is not directly connected to GCP; I have 3 pieces of equipment between pfSense and GCP, and we communicate with private IPs, not public IPs (Class A). Thanks a lot Andy for your help :o) W.
  • Admin-down Gateway Still Passing Traffic
    0 Votes, 1 Posts, 162 Views
    No one has replied
  • Inter-Vlan Traffing Being Blocked
    0 Votes, 5 Posts, 363 Views
    @viragomann said in Inter-Vlan Traffing Being Blocked:
    @Deadringers said in Inter-Vlan Traffing Being Blocked: I did "clear states" when tshooting and perhaps this is an artefact of this?
    Could be, if the SYN packet passed the firewall before this. However, if the client times out due to this, it should establish a new connection after a short period of time. Do you have trouble connecting?
    Hmm, I can see traffic flowing just fine now, so perhaps something got stuck in an odd state! Thanks again for your help, mate.
  • Default Firewall Rule Blocking ntopng
    0 Votes, 3 Posts, 646 Views
    @johnpoz So in this case, my primary workstation is on 192.168.7.11 and the pfSense has interfaces on both 192.168.0.x and 192.168.7.x. The default route goes through another firewall/router, and it may be that traffic is going via 192.168.0.x instead of directly from my workstation interface to the 192.168.7.11 interface on pfSense? It's strange, because I've been administering the pfSense via the web interface by using its 192.168.0.x address, and haven't had any problems. It wasn't until I tried adding :3000 to connect to ntopng that I got the firewall rule firing. This illustrates some of my current setup. [image: 1689181720829-dual-wan-issue-antifspoof.drawio.png] So, any recommendations on what would fix this?
  • FW Logging a Block when Rule is Permit?
    0 Votes, 10 Posts, 412 Views
    @Deadringers It's possible, but you have to obey the configuration rules: the firewall rule which passes the forwarded packets has to be on the interface tab. Check your log; this is not the case. As already mentioned twice, rules on the OpenVPN tab have priority over rules on the interface tab. Refer: Ordering of NAT and Firewall Processing. OpenVPN is an interface group including all OpenVPN instances running on pfSense. So remove the pass rule from there and it should work.
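Two threads on this page come down to the same thing: pfSense rules are first-match, and the order in which tabs are consulted matters as much as the order within a tab. The "secondary wan router admin page" answer above depends on a no-gateway pass rule for RFC1918 destinations sitting above the policy-routing rule; the OpenVPN answer depends on interface group tabs being evaluated before the member interface's own tab. The model below is an added example, not pfSense code or anything from either thread, written to make both effects visible. It assumes exactly the behaviour the posts describe (first match wins; group tab before interface tab; a gateway on a pass rule policy-routes, no gateway means the routing table; unmatched traffic hits the default deny) and leaves floating rules out. The rule names and the gateway group name `WANGROUP` are invented for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed evaluation order being modelled: rules on an interface *group* tab
# (such as the OpenVPN tab) are consulted before rules on the member interface's
# own tab. Floating rules are deliberately not modelled.
TAB_ORDER = {"group": 0, "interface": 1}

ANY = [ipaddress.ip_network("0.0.0.0/0")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    tab: str                          # "group" (e.g. the OpenVPN tab) or "interface"
    name: str                         # invented label, only used in the result
    action: str = "pass"              # "pass" or "block"
    dst: List[ipaddress.IPv4Network] = field(default_factory=lambda: list(ANY))
    gateway: Optional[str] = None     # None: normal routing; otherwise policy-route via this gateway

    def matches(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in net for net in self.dst)


DEFAULT_DENY = Rule("interface", "Default deny rule IPv4", action="block")


def evaluate(rules: List[Rule], dst: str) -> Rule:
    """Return the first rule that matches dst, honouring tab order and then listing order."""
    ip = ipaddress.ip_address(dst)
    # sorted() is stable, so rules keep their on-tab order inside each tab.
    for rule in sorted(rules, key=lambda r: TAB_ORDER[r.tab]):
        if rule.matches(ip):
            return rule
    return DEFAULT_DENY


def decide(rules: List[Rule], dst: str) -> Tuple[str, str, Optional[str]]:
    """(rule name, action, gateway) for traffic to dst."""
    rule = evaluate(rules, dst)
    return rule.name, rule.action, rule.gateway


# Scenario 1: only a policy-routing rule on the LAN tab. Traffic for a directly
# attached 192.168.2.0/24 network is forced out the gateway group and never gets there.
LAN_POLICY_ONLY = [
    Rule("interface", "LAN to any via gateway group", gateway="WANGROUP"),
]

# The fix from the thread: a pass rule with *no* gateway for RFC1918 destinations,
# placed above the policy-routing rule, so local networks use normal routing.
LAN_FIXED = [
    Rule("interface", "LAN to RFC1918, normal routing", dst=list(RFC1918)),
    Rule("interface", "LAN to any via gateway group", gateway="WANGROUP"),
]

# Scenario 2: a pass rule on the OpenVPN group tab wins over a more specific rule on
# the interface tab, whatever the position in this list, because group tabs go first.
OPENVPN_AND_INTERFACE = [
    Rule("interface", "OVPN interface pass to 192.168.2.0/24",
         dst=[ipaddress.ip_network("192.168.2.0/24")]),
    Rule("group", "OpenVPN tab pass to any", gateway="WANGROUP"),
]

if __name__ == "__main__":
    scenarios = (("policy route only", LAN_POLICY_ONLY),
                 ("fixed", LAN_FIXED),
                 ("openvpn tab present", OPENVPN_AND_INTERFACE))
    for label, rules in scenarios:
        for dst in ("192.168.2.1", "8.8.8.8"):
            print(f"{label:20s} {dst:12s} -> {decide(rules, dst)}")
```

The point to take from running it is the second scenario: moving the interface-tab rule up or down changes nothing while the group-tab rule exists, which is why the advice in the thread is to remove the pass rule from the OpenVPN tab rather than reorder the interface tab.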
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.