• Firewall blocks ports after a certain time

    0 Votes · 5 Posts · 1k Views
    @johnpoz said in Firewall blocks ports after a certain time:
        @mrremo and what fixes it - does it just start working again?
    So far only a reboot has helped.
    @johnpoz said in Firewall blocks ports after a certain time:
        Is it possible your destination box, 192.168.0.2, is changing IPs, or service(s) are stopping?
    The IP is also a static one. So no, it has not changed. The service is running. It is accessible on the LAN. I am sure that the problem is not with the server (192.168.0.2), because the VPN port is also blocked. The VPN server is running on the pfSense box.
    @johnpoz said in Firewall blocks ports after a certain time:
        Validate traffic is actually getting to your WAN.
    The next time the problem occurs, I will double-check.
  • Default deny rule ipv4

    0 Votes · 3 Posts · 670 Views
    @viragomann thank you very much, I managed to solve the problem by creating a floating output rule and using all TCP flags and sloppy state.
  • Firewall is blocking even if there is a fitting pass rule

    0 Votes · 5 Posts · 547 Views
    @johnpoz Thanks! After displaying the rule description I noticed that for my OpenVPN client all incoming traffic is checked against the rules in the "OpenVPN" tab and not against the rules in the "SERVER_VPN_NEU" tab. In OpenVPN there was only one block rule, which I identified after displaying the rule description in the log. I do not know why the interface SERVER_VPN_NEU is in the log but rules are checked against OpenVPN. I added the pass rule in OpenVPN and now it is working! Thanks all!
  • Firewall Aliases updated via ftp

    0 Votes · 5 Posts · 599 Views
    @asgr71 You can create a URL Alias. Not sure about sending credentials in the URL but it doesn't hurt to try.
  • Blocking access to self stops internet access

    0 Votes · 5 Posts · 507 Views
    @dridhas If you want to lock down a network/VLAN, normally you would allow only what you want.. Here is an example of a locked down network. [image: 1679337558799-lockdown.jpg] So it can ping the firewall, great for checking connectivity.. So things might ping their gateway in a test of connectivity, etc. Allow DNS and NTP. Then block all access to any firewall IP on anything else.. Block access to any other RFC 1918 networks via an alias - this blocks access to other networks/VLANs you might have. Then the last rule allows anything else - i.e. internet.
  • Configuring new Interface for Internet Access

    0 Votes · 9 Posts · 876 Views
    @johnpoz I agree with you, that's what I thought as well. I first only had the bottom 2 rules for the longest time, i.e. the any to any rules. I couldn't get stuff to work on the NAS and by stuff, I specifically mean the following two things did not work:
        - Package manager couldn't load the list of available packages
        - Could not sync with Google's NTP time servers
    The following things worked:
        - Pinging domains from the DS923 interface, which means DNS was working
        - Accessing the NAS GUI from the LAN interface
    Then I tried the rules as I had them in the question for this topic, that didn't work either BUT it all started working with the rules mentioned in the reply. But yes overall, the bottom 2 should have done the trick I feel like. I'll try disabling the 23, 53, 443 and 80 ones to try again.
  • Port Forwarding Help Needed

    0 Votes · 7 Posts · 1k Views
    @mr-crain No reason to reboot anything.. Just troubleshoot the problem.. First things - is traffic even hitting your port.. You also have NAT reflection set up? How are you testing this? Start with the basics - does the port forward work externally? Go to canyouseeme.org and send traffic to either 7780 or 27020; those are TCP forwards. Sniff on the WAN of pfSense - do you see it hit the pfSense WAN? pfSense can not forward something it never sees. OK, if it hits your WAN, sniff on your LAN side interface while sending another test - do you see it send it.. If so then something else downstream: you're sending to the wrong IP or port, the device is not actually even listening on those ports? Host firewall on where you're sending it. If you go through the details in the link, you should be able to figure out your problem in less than 2 minutes.. If that all works - then you can move on to if you have problems with NAT reflection.
    edit: example. I created a gateway and route to a downstream network 10.20.30/24. [image: 1679229576337-route.jpg] Now created a port forward to an IP on that network. [image: 1679229693950-portforward.jpg] Notice as well that my firewall rules show that traffic has hit this rule, the 0/420 B after I sent some traffic. So sniffing on my WAN and LAN you see pfSense sent it on. And if I look at where that traffic was actually sent in my sniff, while sent to the 10.20.30.42 address, the MAC is to the downstream router I set up. [image: 1679229937747-traffic.jpg] If this simple test works, and still not working - at least you know it's not pfSense, pfSense did exactly what I told it to do.. See traffic on your WAN address to port 27020, send it to 10.20.30.42..
  • Allow IPSEC to all on LAN except

    0 Votes · 4 Posts · 592 Views
    @chrisfromdallas The rule has to be added to the interface where the traffic is coming in. So this might be IPsec in the office. I was talking about your site before. But if you have access to the remote site, best practice is to only allow certain destinations. You can do this by adding the pass rule on IPsec, stating the alias (for IPs to block) and checking "invert match". So the pass then allows any but the IPs in the alias.
  • 0 Votes · 3 Posts · 547 Views
    @gtissington does your switch have a gateway, i.e. a default route set? If not then no, you wouldn't be able to ping from a different network.. Example, here is my switch:
        sg300-28#sho ip route
        Maximum Parallel Paths: 1 (1 after reset)
        IP Forwarding: enabled
        Codes: > - best, C - connected, S - static
        S 0.0.0.0/0 [1/1] via 192.168.9.253, 9808:06:37, vlan 9
        C 192.168.9.0/24 is directly connected, vlan 9
        sg300-28#
  • could use some help with firewall/nat rules?

    0 Votes · 14 Posts · 876 Views
    @johnpoz ah ok, as for my home assistant IPs they are 192.168.0.12, 192.168.10.12, 192.168.20.12; those are the VLANs to the main home assistant, then 192.168.0.10 is another, and then on my sister's network I do the OpenVPN site to site, it's 192.168.1.12. And what I didn't understand is if the first rule says use the default gateway which is WAN, then the 2nd rule saying use the VPN, the WAN supersedes using VPN, that's what I meant.. I'm having troubles, I'm going to play around and ok good, I can delete the grayed out ones.. wasn't sure.. I'm going to try some things later.. I'm learning by trying... (: I appreciate the help so far.. at least I can access the networks from LAN... I just never figured why I get more DNS results on LAN than on the IoT but going to play a bit and see how I do (: I'm sure I'll have questions tomorrow.. so I really appreciate the help so far
  • Adding an ASA behind a pfsense gateway

    0 Votes · 1 Post · 295 Views
    No one has replied
  • Block inbound requests to specific pages

    0 Votes · 12 Posts · 3k Views
    @michmoor due to security and GDPR reasons Cloudflare is NOT an option for me. I use my own server at a hoster in Germany and not services like Cloudflare or similar. So only the first option would be interesting, although I have no idea how this could be set up without any example or tutorials.
  • unable to get to wan address using ddns service entries in firewall

    0 Votes · 3 Posts · 844 Views
    @steveits I actually had to change the TTL from the default of like 15 minutes to 5 minutes... that fixed it.. :)
  • Duplicated Firewall Rules w/ Expanding config.xml

    0 Votes · 1 Post · 321 Views
    No one has replied
  • firewall temporarily disable

    0 Votes · 2 Posts · 790 Views
    @provablueteam123 just add an any<->any rule on top of the ruleset
  • Cant Access pfSense Gui via OpenVPN

    0 Votes · 7 Posts · 1k Views
    @1-21gigawatts Does the hotspot network overlap with the OpenVPN server network you created?
  • Block client but allow email notifications

    0 Votes · 1 Post · 304 Views
    No one has replied
  • Port Forwarding requests using only 1 WAN port

    0 Votes · 1 Post · 282 Views
    No one has replied
  • DNS - higi.com - Attacks on my DNS Server with random IP Addresses

    0 Votes · 12 Posts · 2k Views
    @carrzkiss still at 1 ms TTL.. And your SOA expire is set below the recommended level at only 604800; RFC 1912 recommends 2 weeks as the minimum value. The TTL in your SOA is set to 1 hour, 3600, but you probably have 1 second set on your actual records.
  • WAN Modem and VLAN Firewall Rules

    0 Votes · 14 Posts · 1k Views
    @4rr3n said in WAN Modem and VLAN Firewall Rules:
        @gblenn @johnpoz @SteveITS @mvikman Thanks for helping me out with this one, your knowledge and provided information helped a ton. This whole setup was a nightmare to configure. After taking a short break, I started over and finally managed to set it up. However, I still have two remaining questions. From my testing, it looks like the virtual interface that is used for PPPoE to pass over the traffic from the VDSL line also has access to the Web GUI of the modem that is accessed via its own physical LAN interface. I was able to confirm this by pinging the LAN interface of the modem from the WAN interface in pfSense. Is this normal behaviour for this type of setup or should I worry that things are not correctly configured? On the surface, now everything works how I want it to but I'm not sure about this one as I don't want to expose anything on the WAN side. The last question I have is: my modem provides ports to use like SSH. I tried to find more information about this but was unable to find anything online. The modem settings only give me the ability to allow or deny access to the said port on the LAN side but not WAN; does anyone know if modems by default expose any such ports on the WAN side when used in bridged mode? I appreciate all the help I'm getting here, I know it's a lot of questions I'm asking but I'm new to pfSense and haven't dealt with such a setup before.
    Not entirely sure what you mean by "virtual interface has access to web GUI"? The LAN side of the modem is protected and separated from its WAN side by the firewall built into the modem/router. The fact that you can ping, and access it, from pfSense is like I wrote above. You should in fact be able to ping the LAN side of the modem from any device behind pfSense, unless you explicitly block that. If you try to ping from the WAN side (your actual public IP) your modem will probably not even reply.
    SSH is a safeguard to be able to access the modem in case the GUI isn't working, or for more advanced control of the device. You can safely turn that off! And IF for some reason it is available on the WAN side, you should absolutely turn it off... Bridged mode (or DMZ) means that all ports are "passed on" to pfSense, and it's pfSense's responsibility to be the firewall, which it does in an excellent way of course. But there is no simple means of accessing ports on the modem, "reaching in from the outside and somehow in between" the modem and pfSense... The only reason I can think of a modem exposing a port would be if the ISP has it set up for remote support. But I doubt they would use a known port like SSH... Probably some random port very high up then...
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.