• Behaviour of 'Max. connections' adv setting when limit reached

    2
    0 Votes
    2 Posts
    605 Views
    Having now implemented and tested this, I believe that it still acts as a match/pass but will not create additional states when it's at the limit set by this option.
  • Adding in to Alias and reload firewall from command line?

    9
    0 Votes
    9 Posts
    1k Views
    bmeeks
    @mucip said in Adding in to Alias and reload firewall from command line?: Hi @bmeeks , Ok. I will try to live with this fact. Thanks... :) Regards, Mucip:) You can see the IP addresses you add at runtime by going to DIAGNOSTICS > TABLES in the pfSense menu and then choosing the table name corresponding to your alias. Literally that PHP code runs the same pfctl utility to dump out all the pf tables and their content for display. But the GUI stuff under FIREWALL > ALIASES won't see things you do directly in the pf tables using pfctl yourself.
  • can I block lan from going out on wan without stopping optx

    3
    0 Votes
    3 Posts
    665 Views
    @jarhead Thank you, that may be the only thing I may have right. elmo
  • pfSense Firewall is Dying - - Config File

    2
    0 Votes
    2 Posts
    485 Views
    @jlee_eye Issue resolved.
  • How is max connections logged?

    1
    0 Votes
    1 Posts
    267 Views
    No one has replied
  • Question on overlapping rule for additional LAN

    9
    0 Votes
    9 Posts
    1k Views
    @viragomann Got it, I thought the package would be re-evaluated by the WAN again. Thanks for the clarification.
  • NAT vs open port on WAN for VPN on pfsense

    5
    0 Votes
    5 Posts
    1k Views
    @efny Either way works. Listening on WAN is a bit less complicated. Either type of rule can have a source alias.
  • Network Segmentation for Beginners?

    11
    0 Votes
    11 Posts
    2k Views
    @thewaterbug More progress on this. I moved the Blue Iris (NVR) server to the .50 network: [image: 1677876029778-4cb00e44-1521-49d0-a0d6-cf3cb9dda2f2-image.png] and experimented with the fw rules to figure out how to allow access to the cameras that are still inside .0, and eventually learned I had RTSP "backwards" because it's pulled from the camera and not pushed by the camera. And then I learned about ports aliases and condensed it all, thus: [image: 1677876135214-944ad159-9ce6-4511-8c0f-fb74c253582a-image.png] A bunch of this will be moot once I migrate all the cameras to LAN50, but it was a good exercise figuring out how to grant access without the default LAN any rule on the LAN50 side.
  • how to block persistent and repeated http inbound connection

    7
    0 Votes
    7 Posts
    583 Views
    @bmeeks I've done something similar. Make sure you acquire a baseline first so you can set your threshold accordingly.
  • How do I test if VLANs work correctly ?

    8
    0 Votes
    8 Posts
    9k Views
    the other
    @4rr3n well, additional to having my home network running with vlans for some years now without ever having trouble as @johnpoz mentioned. I listened with a packet sniffer between vlans (on each virtual interface)...nothing but traffic that is allowed. Nothing special, nothing serious...but hey, it is a home network, privately used... I tried to set pfSense to separate between vlans, works fine for my needs. As important: configure your switches! No productive traffic on vlan1, change native vlan to something else but vlan1, use management vlans for access from outside (or better: do not have access from outside, I do not need that...as mentioned: private usage). jm2c: the technical risks are manageable, more common (and dangerous) are risks on level 8 in front of the screen...meaning: it should take longer to draw up a good, usable and safe network structure than it should take to configure the machine(s). :)
  • Traffic between VLANS (printer & Plex)

    3
    0 Votes
    3 Posts
    603 Views
    AndyRH
    @michael-2 For the printer, beware that many times there is a broadcast to find a printer, such as a phone. For this to work it needs to be on the same VLAN as the device using it.
  • VM PfSense on PROXMOX

    2
    0 Votes
    2 Posts
    489 Views
    @beckeribero In the OPT1 interface settings you might have to change the mask to /24 so that pfSense can communicate with the failover gateway. Outbound traffic is directed out according to the routing table or even the default gateway setting in System > Routing > Gateways. You can create one or multiple gateway groups for automatic failover and state this as default gateway or in policy routing rules. If you want to direct out the upstream traffic of certain local devices to a certain non-default gateway, you have to do this with policy routing rules: In the rule which allows the upstream traffic, open the advanced settings and select the desired gateway. But ensure that the rule does not match internal destinations. You can add an additional rule for internal access like DNS without the gateway option and put it above the policy routing rule.
  • Import Aliases PHP crash!

    5
    0 Votes
    5 Posts
    617 Views
    @jimp Bravo - You sir, are a STAR! thanks so much. I did end up exporting the alias backup.. then copy/pasting the entries. But I'm thankful you've fixed it now. Makes life easier going forward. :-)
  • FW Rule to pass OPT3 to only WAN interface

    8
    0 Votes
    8 Posts
    938 Views
    @cybernaut-0 Allowing to WAN Net does not allow to anything that is not in WAN Net. Which is basically the entire internet.
  • Problems configuring OpenVPN on pfSense 23.01

    11
    0 Votes
    11 Posts
    2k Views
    Dear @johnpoz, many thanks again for your patience and support. I went for a clean install and configuration of my pfsense and the problem is solved. Thanks again and have a great rest of the day.
  • Do I have a rogue media player??

    1
    0 Votes
    1 Posts
    254 Views
    No one has replied
  • One of my interfaces is really slow

    4
    0 Votes
    4 Posts
    627 Views
    I ended up deleting the interface and building it from scratch. It was mainly the effort of redoing the static DHCP leases. I had set up a dummy interface first and copied the rules over to that one, and then back to the redone interface. That fixed everything. It must have been some kind of corruption I could not shake in any other way.
  • WatchGuard Firebox T70

    1
    0 Votes
    1 Posts
    269 Views
    No one has replied
  • Ridiculous amount of private traffic hitting WAN

    23
    0 Votes
    23 Posts
    2k Views
    @johnpoz lol! Yes, if I can help it I will keep things private and locked down appropriately. I will plan that carefully if that were to happen, right now it's just a thought but have no need :)
  • DMZ interface has internet but LAN1 interface doesn't

    13
    0 Votes
    13 Posts
    1k Views
    don't beat my drawing skills because I've worked very hard on it (ha ha just kidding!) but here is a small drawing on how I have (or want to) set my network. [image: 1677265937878-network-plan-overview-small.png] With only one small difference: At the moment I haven't connected my Cisco router between my PC and pfSense firewall, so there is a plain, straight UTP cable without any switch or router in between.