• Download Speed Slow

    0 Votes
    3 Posts
    329 Views
    @keyser Thank you and I figured it out. It wasn't set for auto. So I selected auto and then my speed tests all went to 900+ and I could tell my internet was a lot faster.
  • Help! (please) Netgate pfSense Plus has detected a crash report

    0 Votes
    1 Posts
    129 Views
    No one has replied
  • PfBlockerng crashing in 2.7 CE

    ce 2.7 pfblockerng crashing
    1 Votes
    4 Posts
    929 Views
    @clevercompiler Hi, I switched to the devel version, but that didn't help. It ran for 6 hours or so, I am still getting notifications of crashes. Thanks anyway, Mario.
  • Dropped UDP Packets

    0 Votes
    3 Posts
    673 Views
    @DEHAAS I believe I have found the problem to be routing related. A state is created for a wrong path as the correct path does not exist when seeing the first packet. The correct path is learned later via OSPF, but the old state is not cleared. I have created a separate thread in the FRR package section of the forum: https://forum.netgate.com/topic/181321/state-not-cleared-after-routing-change. It appeared as some UDP traffic being dropped, as this was the only traffic which had a state created before routes had converged.
  • ignore.me hitting proxy as of today

    0 Votes
    1 Posts
    115 Views
    No one has replied
  • Unable to get WAN IP Address in pfsense

    0 Votes
    13 Posts
    2k Views
    @viragomann It's still showing the same, while trying to access through web Configurator. It's getting ping to only its IP Address not to another connected system. As IP Address - 192.168.0.190 is unable to ping, if I gave Static IP to LAN connected system. [image: 1688647217478-screenshot-from-2023-07-06-18-08-12.png]
  • Access internal devices from pfsense

    0 Votes
    8 Posts
    500 Views
    johnpoz
    @rcoleman-netgate said in Access internal devices from pfsense: Just because it is there doesn't mean it's quality. hahah - it is based off openssh, I have used it, it works - just use to securecrt.. But that statement is quite often very true ;)
  • Blocking Ransomware download Domains

    0 Votes
    11 Posts
    3k Views
    @Finger79 I get a 503 error when hitting https://ransomwaretracker.abuse.ch/ from pfBlockerNG and the web. Temporarily down? Are there other ransomware tracking feeds for pfB? I didn't see any that specifically listed ransomware.
  • Firewall rule is ignored ?!

    0 Votes
    8 Posts
    379 Views
    @thibaut-frantz Possibly there was an error loading the ruleset? Next time see https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied "Second, the ruleset may not be reloading properly. Check Status > Filter Reload to see if an error is displayed. Click the Reload Filter button on that page to force a new filter reload."
  • pfSense in transparent mode with two NICs but still reach web interface?

    0 Votes
    2 Posts
    297 Views
    Amazingly, I now tried the following and it works: I do everything in the guide (https://support.adamnet.works/t/running-on-a-transparent-pfsense-bridge/79) up to the point where I am supposed to set the LAN interface to have no IP. I do NOT set the LAN interface to have no IP but rather do everything described after that point. Then, at the very end, I set the LAN interface to have no IP. Not sure why the guide does it in the wrong order? Maybe they have > 2 NICs and can reach the web interface on the third one?? I don't know but it kinda makes sense that the web interface would not be reachable from the WAN side if there are no firewall rules configured, yet, to allow that? Of course the web interface won't be reachable with only two NICs of which one doesn't provide DHCP service (the LAN NIC) and the other is likely blocked by default to allow the web interface (the WAN NIC)....
  • 0 Votes
    6 Posts
    335 Views
    Bob.Dig
    @sierrastar said in Isolating wireless devices with firewall rules while using a private DNS server: Is there a way to set the firewall to block all traffic from private addresses except for a specified address? Or am I possibly going about this completely wrong? I just want to be able to quarantine devices but allow them to access the internet, and still be able to filter their traffic through the pihole. With pfSense you don't block from *-addresses but to *-addresses for the most part, so I guess you have a problem with your rules to begin with.
  • Traffic Capture on wrong interface

    0 Votes
    11 Posts
    959 Views
    I have found my problem... The L2 switch in front of FW on OPT1 interface was configured with default management VLAN which forward traffic coming from other Subnet toward the OPT1 interface of the FW. it which 192.168.1.x address appear on this interface and listed on the GUI of the FW Thanks for your reply which help to ask me the good question. Many Thanks
  • 0 Votes
    1 Posts
    126 Views
    No one has replied
  • 0 Votes
    12 Posts
    5k Views
    johnpoz
    @JonathanLee its its at all FFs its a broadcast address.. You have mask set at /27 says so right there in your ifconfig.. see the "broadcast 192.168.1.31"
    If you send a ping to broadcast, then yeah you're going to get an answer ;) if there is anything on that network that will answer ping.. here when I send a ping to .255 broadcast on a /24 in this case 9.99 answered (one of my switches is on that 9.99 address)
        $ ping 192.168.9.255
        Pinging 192.168.9.255 with 32 bytes of data:
        Reply from 192.168.9.99: bytes=32 time=7ms TTL=64
        Reply from 192.168.9.99: bytes=32 time=1ms TTL=64
        Reply from 192.168.9.99: bytes=32 time=1ms TTL=64
    Why would you think a multicast would be all FFs? But look, you're going to see multicast on pretty much any network.. Lot of devices/OSes love to squawk on multicast.. I wish I could find a way for plex to freaking shut up for example...
        ash-4.4# tcpdump host 239.255.255.250
        tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
        listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
        16:56:51.900218 IP nas.local.lan.51573 > 239.255.255.250.ssdp: UDP, length 101
        16:57:01.901295 IP nas.local.lan.51573 > 239.255.255.250.ssdp: UDP, length 101
        16:57:11.901589 IP nas.local.lan.51573 > 239.255.255.250.ssdp: UDP, length 101
        16:57:21.902645 IP nas.local.lan.51573 > 239.255.255.250.ssdp: UDP, length 101
        16:57:31.904568 IP nas.local.lan.51573 > 239.255.255.250.ssdp: UDP, length 101
    I took to blocking it at my switch.. I looked and looked to try and get plex to stop it, but it just won't shut up.. [image: 1687903209099-acl.jpg]
    If you don't like seeing the in your firewall logs, look to see what is sending it and try and turn it off there - you can really quiet windows down if you turn off some services, and make some reg changes. If it really bothers you get a switch that allows you to block it.. Or you could make some firewall rules to block it and not log it, or allow it if it's say mdns and you're wanting to discover over vlans with something like avahi... But yeah on pretty much any network you're going to see a bunch of it..
    edit: same with broadcast - see that port block on 8667, my wifi light bulbs send out tons of those!! So I block it at the switch port the AP are connected to, so it won't go to the rest of my network..
    edit2: look here my other switch at 9.98 chimed in with broadcast ping
        Pinging 192.168.9.255 with 32 bytes of data:
        Reply from 192.168.9.99: bytes=32 time=1ms TTL=64
        Reply from 192.168.9.99: bytes=32 time=1ms TTL=64
        Reply from 192.168.9.99: bytes=32 time=1ms TTL=64
        Reply from 192.168.9.98: bytes=32 time=1ms TTL=64
        Reply from 192.168.9.99: bytes=32 time=1ms TTL=64
    edit3: here on one of my other networks 2.200 is answering
        user@NewUC:~$ ping -b 192.168.2.255
        WARNING: pinging broadcast address
        PING 192.168.2.255 (192.168.2.255) 56(84) bytes of data.
        64 bytes from 192.168.2.200: icmp_seq=1 ttl=64 time=331 ms
        64 bytes from 192.168.2.200: icmp_seq=2 ttl=64 time=240 ms
        64 bytes from 192.168.2.200: icmp_seq=3 ttl=64 time=160 ms
    Which is my IPad ;) 192.168.2/24 is one of my wifi networks.
  • One vlan doesn't allow access

    0 Votes
    2 Posts
    167 Views
    I figured it out ... when copying/editing the 3rd rule I had either mis-typed or missed completely the "Firewall_Svc_ports" value for the port block.
  • Simple Setup assistance

    0 Votes
    4 Posts
    305 Views
    johnpoz
    @GorillaP said in Simple Setup assistance: I thought the simplest way to segment off an IoT network would be to give it its own dedicated port and AP. So you have these nice AP that support vlans, and then a switch that does as well? Or is that some dumb omada switch? As mentioned bridging is rarely a good thing to do on your router.. Why would you not just plug in your controller into your switch?
  • Guest LAN client isolation possible?

    0 Votes
    11 Posts
    2k Views
    Gertjan
    @DominikHoffmann The typical of the mill DD-WRT device has this option : [image: 1687589471552-b6979722-7de1-463a-bce2-11232c8a43b3-image.png] which is just perfect for 'public' networks : all connected devices - to this AP - can only talk to the gateway. Be warned : things get trickier when you have more than one AP in the network. My AP's support ebtables - some sort of iptables like firewall, but for mac addresses.
  • Blocked IP?

    1 Votes
    1 Posts
    143 Views
    No one has replied
  • Ethernet Filtering

    1 Votes
    15 Posts
    2k Views
    JonathanLee
    @ronv42 You can also set up MAC-to-IP Address Pairings inside of Snort's LAN Preprocs. [image: 1687365869421-screenshot-2023-06-21-at-9.42.23-am.png]
  • Cisco ASA EasyVPN Client behind PFSense

    0 Votes
    1 Posts
    302 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.