• Why is the firewall filter sooo slow to access?
    0 Votes, 7 Posts, 635 Views
    My settings, filters, etc. load almost instantly (<1 sec) at home. It's running on a rather old HP Intel i5 with 4GB memory.
  • Firewall/NAT issue
    0 Votes, 3 Posts, 324 Views
    @viragomann I figured it out, I just had to restart my NAS.
  • URL Table - Update Frequency trick
    0 Votes, 5 Posts, 3k Views
    UP, is there any way for this to resume?
  • Rules not blocking inbound
    0 Votes, 8 Posts, 721 Views
    @johnpoz And thank you for pointing out that the outbound blocking rules don't do what I thought they did! :-)
  • pfBlockerNG and Google Earth on Debian Trixie
    0 Votes, 3 Posts, 478 Views
    @Uglybrian, Thank you, I will give that a try. Stuart
  • Default Deny Rules
    0 Votes, 15 Posts, 2k Views
    For other people's future reference: I had to switch to Ruckus Router Code and upgrade to their L3 Premium license to use the Policy-Based Routing feature. Once this feature was enabled, the policy-based routing was very simple, similar to Cisco policy-based routing. However, as far as I can tell, due to the state-based nature of the Netgate, the policy-based routes I was trying to set up just did not work. Unfortunately, no one on this forum was able to provide a workaround using the pfSense platform.
  • 0 Votes, 2 Posts, 282 Views
    @tross9 yes. There should be a tooltip if you hover over the X.
  • 0 Votes, 16 Posts, 2k Views
    Thank you all for helping me. In the end I've managed to make it work. As you said, the following rule(s) were necessary to access devices on OPT1 and OPT2 respectively. [image]
    There are some things that I learned along the way:
    - When spoofing a MAC address, don't spoof it on the interface you are accessing the web GUI from.
    - Don't spoof the WAN MAC address while connected to the internet. Do it with the WAN port disconnected. Also, clear the DHCP leases on your upstream modem/router.
    - When you already have an enabled interface but then want to spoof its MAC address, delete the interface first and then recreate it with the spoofed MAC address. Re-enabling doesn't work properly.
    - Sometimes the device you're trying to access doesn't allow access from a different subnet. This is the case with my OpenWRT router, but my home server works flawlessly.
  • TFTP cross vlan and TFTP proxy
    0 Votes, 13 Posts, 1k Views
    stephenw10: Yes I reproduced here and asked our devs about it who confirmed the likely cause. Work is in progress.
  • NxFilter not working with pfSense captive portal
    0 Votes, 2 Posts, 444 Views
    It worked! I needed to add the NxFilter IP in Captive Portal > Allowed IP Addresses... however, for blocked sites, for example in the Porn category, the NxFilter blocking page is not displayed; the browser just keeps spinning without accessing the site. I will continue looking for a solution for this. [image]
  • inbound stun traffic disappearing
    0 Votes, 2 Posts, 367 Views
    Just to prove to myself that I'm not a complete idiot, I have set up a VPS and installed eturnal there. It functions perfectly fine there. (It is not behind a pfSense but I have enabled ufw. To be fair, the setup in my home lab is much more complex than that of the VPS. But bottom line: I can set up eturnal to work. So it would seem to be my inability to configure pfSense.)
  • Prioritizing WAN gateway monitoring ICMP traffic
    0 Votes, 1 Post, 178 Views
    No one has replied
  • Is it possible to redirect local traffic
    0 Votes, 4 Posts, 3k Views
    I just wanted to follow up, and not leave you guys hanging. I realized that only web traffic needed to be behind the reverse proxy (for the WebIF), whereas SIP and RTP did not. I am already using split DNS, but I set up one DNS entry for PBX.fqdn that points to my reverse proxy, and SIP.fqdn to point to my actual server. That way, my phones can be directed to the SIP server, and my web browser to my proxy. Done. However, since I disabled all IPv6 traffic on my network, I was having issues connecting from outside, as was mentioned. Now, I have the PBX system moved to a $5/month cloud server. Time will tell if it has enough resources to accommodate my usage. It has a setup similar to the aforementioned.
  • Allow firewall rules for home lab
    0 Votes, 5 Posts, 628 Views
    @viragomann Thank you, I appreciate it. The aim is to allow access to my VMs from the WAN side (home network) and effectively use the pfSense device as a router with the NAT functionality enabled for the LAN side VMs to access the internet.
  • OPT1 Firewall Rules
    0 Votes, 26 Posts, 3k Views
    johnpoz: @turku31 so what was it? Nice to leave what you found as the problem, to possibly help the next guy out.
  • Return unique identifier when packet is received from outside system
    0 Votes, 3 Posts, 414 Views
    @martinez Thank you for your help and input! I'm aware of several ways that I could handle this, most of which involve opening a port and running a program on either the local or remote side. When faced with the issue I thought, wouldn't it be nice if something that already exists and is well tested could be "used" in such a way that it solves the problem, without introducing more risk, which is why I asked the question here. If there is no such option using the firewall directly, then a WireGuard tunnel between pfSense and the remote system might be the best option?! Allow incoming ICMP on the WireGuard interface only, block everything else. The connection would be via dyndns entries and will only be active, and the ping possible, if the DNS entry is up-to-date, so a simple ping to the pfSense's WireGuard interface IP address would indicate dyndns is up-to-date. Or are there better options?
  • TCP:SAE
    0 Votes, 4 Posts, 630 Views
    johnpoz: @kojol Why would your traffic be asymmetrical? That is your problem - fix the asymmetrical flow. So I take it your client is 10.3 and it is sending its SYN to this 10.2 box on port 8009, but that did not flow through pfSense; if it did, pfSense would create a state and allow the return traffic (SYN,ACK). You have a masking problem; do you have a common L2? When you create segmentation in your network, traffic should flow through pfSense in both directions. If pfSense sees some SYN,ACK and it never saw the SYN to open the state, then yeah, your traffic would be blocked. If your segments are properly isolated there should be no way possible for 10.3 to talk to your other segment at 10.2 without flowing through pfSense. And the same goes for the return traffic. Do you have a common L2 network and a mismatched mask, where your client on 10.3 thinks 10.2 is on its network and just sends the traffic there directly, but your device on 10.2 thinks 10.3 is a different network so sends its reply (SA) to pfSense?
  • LDAPS 636 problems with pfSense
    0 Votes, 12 Posts, 7k Views
    I can verify that a (public) wildcard cert does not work; the specific hostname must be present in the certificate. I think this is not really well documented, because I struggled with debugging this a few years ago myself.
  • Filter reload causes CPU and latency spike
    0 Votes, 2 Posts, 540 Views
    Just been doing further testing: disabling SMP via the boot loader conf, as per the 2020 threads, does help. I now just get split-second interruptions to Teams calls rather than minute-long ones and network dropouts, and also just a couple of spikes in latency. CPU does spike to 55%, but it is now running on one core only due to disabling SMP. So it does look very similar to the bug reported in 2020. Anyone else seeing this behaviour?
  • Packet flow data to Orion not showing
    0 Votes, 3 Posts, 414 Views
    One more item is that I have an interface group called all_interfaces, and have assigned all my interfaces into that group. All my rules are under that interface group. Is that why NetFlow is only showing sync?
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.