• Floating Rule from pfBlocker NG blocks Pass rule

    1
    0 Votes
    1 Posts
    297 Views
    No one has replied
  • Creating a rule

    1
    0 Votes
    1 Posts
    300 Views
    No one has replied
  • Flooding

    14
    0 Votes
    14 Posts
    981 Views
    I have found this baby, it's a telegram! Thanks to all for assistance.
  • edit icmp firewall rule nat generated failed

    2
    0 Votes
    2 Posts
    635 Views
    An issue report is available here: https://redmine.pfsense.org/issues/14267
  • Restrict access between computers based on mac address

    5
    0 Votes
    5 Posts
    567 Views
    Get a switch that can do VACLs or PVLANs. pfSense isn't the gear where this is done.
  • bootp broadcast

    3
    0 Votes
    3 Posts
    715 Views
    muaddiibh
    @tzvia thanks for writing. Internet → Cable Modem → Firewall (pfsense) The firewall is connected to the cable modem. There are no other routers. pfsense does get its WAN IP via DHCP … PS: To be honest, I haven't had the time yet to plug into the cable modem to check its configs. First thought was whether this inbound observation was something sophisticated and beyond my experience.
  • How to filter / pass multicast !?

    19
    0 Votes
    19 Posts
    2k Views
    @johnpoz John, the ^multicast rule problem^ seems to be the state table. And that does not seem OK to me. I never / noticed a situation before that a rule did not work. Now nothing!! else even restarting the interface or dis and enable the rule etc was enough to make the rule work!! Seems a bug to me! A few not related remarks: the rule related to the router functions, is required despite the invisible default rules, because some applications do not use the gateway as DNS etc. (which I do not like, for which reason I sometimes redirect force those functions to the GW) related to IPV6, yep if you use e.g. netplan you can force the server to use a specific IPV6-IP (and you can filter that one). However: fixing IP via DHCP6 + RA is a drama (It does hardly work see my tests https://forum.netgate.com/topic/178423/some-doubts-about-router-advertisements/6) host generates IPV6 itself e.g. for security purposes etc And I should try again, but in the past (not too long ago), the pfSense filtering on 'vlan-net' was a drama / did not work. As said I should perhaps retest .. Whatever, returning to the issue ^How to filter / pass multicast !??^, to put it mildly I would not be surprised if there is a bug !
  • How to tie 2 internal LAN connectors together on different subnets

    4
    0 Votes
    4 Posts
    548 Views
    johnpoz
    @aeubank said in How to tie 2 internal LAN connectors together on different subnets: This configuration still does not allow me to ping one device on a different subnet.. You sure it's not just the other device not answering - tell for sure windows out of the box firewall would not answer a ping from some IP that is not on its local network. Your rule there on lan1 for sure would allow ping to anything.. Doesn't matter what your rules on lan2 are.. So if you're pinging something and it doesn't answer - that other thing either isn't using pfsense as its gateway, or it has a firewall rule.. Or maybe its mask is wrong and it thinks 192.168.15 is on its network 192.168.16, for example a /16 mask on the client vs /24 would do that.. But your rule would allow - so look to the device you're trying to ping... If you want to prove it to yourself, sniff on pfsense lan2 interface (packet capture under diagnostic menu) when you are pinging from your lan1 device -- do you see the pings going to the device.. then pfsense did its thing - the device not answering nothing pfsense can do about that.
  • DHCP IP address leases Idle/Offline

    11
    0 Votes
    11 Posts
    1k Views
    jimp
    For future reference, if you have a question like this, the first thing to check is the help/documentation for the page. Hit this link on the page and it'll take you to the most relevant docs page: [image] The page it links to explains the meaning of that column: [image]
  • Explore a metered connection and add additional firewall rules therefore

    1
    0 Votes
    1 Posts
    378 Views
    No one has replied
  • [SOLVED] HTTPs response from VoIP to LAN subnet is rejected or dropped

    7
    0 Votes
    7 Posts
    674 Views
    Turned out I had a forgotten legacy (no longer relevant) DHCP-assigned static route. No more trouble after this was removed from DHCP and DHCP release renewed...
  • Pfsense block https://facturacion.prb.com.mx:442/

    5
    0 Votes
    5 Posts
    519 Views
    @johnpoz [image: 1680270416460-tcpdenied.png] TCP_DENIED/403 is caused by pfsense or squid?
  • Block sites Using DNS views

    1
    0 Votes
    1 Posts
    317 Views
    No one has replied
  • Radius Authentication with LDAP

    1
    0 Votes
    1 Posts
    317 Views
    No one has replied
  • Net Install of Debian Server on DMZ

    5
    0 Votes
    5 Posts
    639 Views
    Digiguy
    @steveits Thank you! Those rules work! Now will try to understand why... :) So much to learn, so little time!
  • Freeze while connection interruption

    13
    0 Votes
    13 Posts
    1k Views
    @gislenitsupport Yeah sorry that's pretty sneaky for them to use the same model number. The eMMC utility says it is available only on Plus. I guess you could upgrade? Does the console show anything when it stops responding?
  • pfSense+ 23.01 GUI Suddenly Very Slow

    4
    0 Votes
    4 Posts
    819 Views
    nfld_republic
    I think I found the culprit: ntopng. I removed the package and now everything is back to normal responsiveness.
  • Apple TV upgrade

    5
    0 Votes
    5 Posts
    672 Views
    @johnpoz said in Apple TV upgrade: @furom do those IPs have any meaning? What is 1.79 and 10.165? Did the box at 50.5 use to be in those networks? No, none of those IPs make any sense. But by the sound of it, the AirPlay tip above should do the trick. Fingers crossed!
  • Block External DNS

    10
    0 Votes
    10 Posts
    1k Views
    @wolf07 Sure. Although note blocking to IP_PublicDNS:443 doesn't block to any other DoH servers that aren't in that alias.
  • Routing from subnet does not belong to pfsense

    37
    0 Votes
    37 Posts
    3k Views
    @moussa854 I came to the same problem and after a lot of trial and error I found out that in order for UDP hole punching to work with pfsense you need to set Static Port on NAT outbound. From the menu Firewall > NAT > Outbound select Mode = Manual and edit the auto created rule LAN to WAN and set static port. Now everything should work ;)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.