I think what darkopo meant is the
What is default in Firewall: Rules: Edit Advanced Options?
Probably just no one is interested in using Google for you to find the man pages of pf ;)
http://google.com
keywords: "man pf"
@sai:
The only strange thing in your setup is the 192.168.1.1 as DNS in general settings. Even that should not let in the ICMP…
this is really weird.
You said that there were some NAT rules. Can we see those?
I added 192.168.1.1 as an extra DNS server, since I want to use the repeater even on the firewall.
Nat Port Forward Rules:
[image: nat-forward-rules-20-05-2008.png]
The 1:1 and Outbound rules are empty (Automatic outbound nat is enabled)
EDIT:
Here's an interesting bit of log info:
[image: fwlog-wan-wtf-20-05-2008.png]
And clicking on the green arrow at the left shows no rule triggered it. The text after "The rule that triggered this action is:" is missing. There are several logs like that. The WAN rule for that IP forward is not set to log, and there is no LAN rule corresponding to anything resembling that packet.
For now I just entered fake IP addresses for these addresses in the DNS forwarder configuration, but this of course means that clients can still connect using IP address.
I found it by myself!
I have made an alias of my WAN network (WANnet) and put this rule on the DMZ:
Proto  Source  Port  Destination  Port  Gateway
*      WANnet  *     ! LAN net    *     *
For me the Release 1.2 version runs with the schedules as it should.
First, do you have a 1.2 version? Place a schedule time on a firewall rule and then download your config.xml and check if you have all the needed cron items.
Further Information: http://forum.pfsense.org/index.php/topic,5838.msg42769.html#msg42769
Regards
Heiko
Thank you, thank you, thank you GruensFroeschli!
I figured out what it was… I had the block rules BELOW the allow rules. I moved the block rules above the pass rules and it now blocks access from these IPs.
Geez! I'm still learning here...
@GruensFroeschli:
"WAN address" is exactly what it says.
The IP of your WAN.
Set that to any and it should work.
(unless you only want to allow access to your WAN IP ;D)
Thank you so much. Seems to work now. That makes complete sense now. I figured I needed to specify WAN address, but what I really wanted was ! LAN subnet.
I am such an idiot sometimes. Really appreciate the help. BTW, pfsense is fantastic. Nice job. When I convince my boss to start using it at work, I'll see if we can send a donation.
If you also configured port forwarding, yes (hint: if you haven't, delete the rules and then just configure the port forwarding; that will also create the correct, matching firewall rules).
Also have Netflix and Amazon Unbox. Did not have to do a single rule to allow them to download. Sounds like a DRM problem on your end. I have a few machines Netflix does not work on. But this is a machine problem not network.
Well I found what it is.
The 2nd WAN modem has its own public IP as it's the gateway for pfSense, but it seems it also has that IP… I found that if I give my PC an IP on that subnet and plug into the modem I can ping it. Can't get any other protocol to talk though... It seems the modem ARPs from that local subnet as well as its public one...
This normally would not be allowed, as the WAN has the option to block local networks on the WAN port, but this is a 2nd WAN and does not have that option.
Wow... thanks guys. I see what you mean about multiple IPs. Try not to laugh too hard, but imagine before this post a newb like me pecking away at work putting 15 IPs for one site I did :-[
I will try SquidGuard and OpenDNS. Oh man… talk about feeling spanked, but I refuse to quit... Heh. You guys rock.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.