@bob-dig said in Moving printer to LAN, it's unable to send email.: Doesn't make much sense because it has worked before, right? Right, but I started checking pfSense because I started from the usual user statement: "Since there is the new network, it doesn't work". But in that period they also changed ISP. Credentials and settings remained the same, but (maybe) their previous ISP probably accepted an older SSL version.

@jonathanlee I was able to stop the ipv6 states after disable again and a any any block. I was confused why so many udp ipv6 states were running looped to the ipv6 loopback. After this it defaulted to ipv4 for dns and it's running fine. No ::1 states are running. A plus side I have more memory available, enough to enable Talos on snort.

I think I've got the hang of it. I have been looking at this the wrong way all along. Python will never work when it comes to hacking pfSense because it's not its native language in the first place! However, unfortunately, the answer lies in PHP, the language I hated to learn and was hoping would never have to use again. As it happens, PHP scripts can be run by passing it as an argument to /usr/local/bin/php, like any other interpreted language, like Python or Bash. I have written a PHP script that utilises the underlying PHP backbone of pfSense and managed to get it to download a list of hosts from a text file shared on Google Drive and then reload the firewall rules: [image: 1671296793438-24c0e2be-b77a-4527-944c-f5701876b98a-image.png] I know pfSense is open software but I won't get into the details of how I managed to do that out of respect for the original coders that toiled and battled with PHP to get it all working. But of course, in true open source geek fashion, I will happily share it with interested parties. By the way, is there a plan to rewrite everything in Python?

@jonathanlee I know it's the ipv6 loopback but how is it running if I have ipv6 disabled on the firewall advanced options. I have an ipv4 addresses from the isp they do not hand out ipv6

Really appreciate the help everyone. We are up and running. :) so yes the rule had not been created and also as suggested it's from top to bottom. This has resolved my little. Viva the community!!! Thanks all. :)

Never mind. I reverted the config about 40 times (I set the capacity for 300) and it went away. I still have to redo a lot of rules but at least it won't be from scratch, nor would I need to config tunnels, and NAT, and static routes, DNS servers, virtual IPs, and train Suricata nor pfBlockerNG, etc. That's like a full non-stop day of work, and that's leaving out static DHCP and knowing exactly what needs to be done and how. Could be much worse. I got lucky. Thanks anyway. :)

@smk Ah, that makes sense, thanks.

But anyway you don't need NAT reflection on pfSense for this now. It's useless, since nothing points to its WAN IP. And the port forwarding rule with the WAN IP is useless as well. @viragomann no I need both, I tested it. As soon as I remove the reflection from the port forward, the service is not accessible from within LAN. If I deactivate the WAN port forward Rule, I can't access it from the internet. Maybe because of the first main forward "everything" to pfsense rule in proxmox's network interfaces file. So I will leave as it is for now. I'm just happy that it finally works. Yes, got a scheduled job doing VM backups every day.

@viragomann Finally! Thank you for you wonderful help. It's been very useful. Now to more testing

@jimp I have disabled snort pfblocker still have the same issue, some website showing issues

There's outbound NAT changes The VPN type Making sure you have the interface configured correctly. You should start from the beginning: PBR. Why? VPN? Multi-WAN? What's the rule config look like? NAT settings? I've doublecheck everything and return to you. Thanks a lot!

@rcoleman-netgate said in Message to Admins: @capitanblack You need a certain level of "reputation" to post attachments to your posts. You should have that now. Try again. Ok, thanks!

@jknott said in Question about static ARP or static NDP: why bother when it could be done in the GUI? there is another thread where he asked out to do it for ipv6 - which you can not do in the gui. But yes you can set it via ndp just like you can with arp. I think he is out there with his security concerns - but the question was valid originally - how to set a static "arp" for IPv6 on pfsense - look at his previous posts, etc. Which pretty much exactly how you do it for ipv4, just with the ndp command vs the arp command.

@mofugga Never mind. I figured it out. I had to configure the LAN interface to have the appropriate rules. Thanks everyone for your help.

@leonidas-o said in NFS Server WAN - mount within opnsense(pfsense) LAN: Okay, quickly googled it, it seems there is NAT for ipv6, so forget what I said There is NAT for IPv6, but no network admin in his right mind should want to use it. Hopefully it remains a solution in search of a problem. There are enough IPv6 addresses to last until the end of the universe.

@toddehb Just want to update all on the solution. My hoster had some ebtable rules active which were actively blocking the traffic. They disbaled them and now everything is going smooth :

@notjohn Im not sure you understand whats happening here. The port is not open on your server. If the port is not open then why expect any outside connections to it to work? Port 3389 is open on your server. The port is allowed on the firewall. Hence RDP is working. Port 25565 is not open on your server. The port is allowed on the firewall. How can traffic be redirected to a port thats not open? You need to fix that. Not a pfsense issue

@pirod said in Slack not working: But I don't even find that rule When you install pfSense, there is no 'block' rule. There is only the rule I've shown above. Without exception, all traffic is passed from LAN to WAN. If many, random sites, don't seem to work : Check if you have a good connection to the 13 main DNS root servers : when you restart unbound, these will be shown in Status> DNS Resolver. That page will then start to fill up rapidly with everything unbound resolve for you. Check what is called MTU. It's been know that some ISP routers do strange thing with the packet size : MTU gets to small and random sites won't load anymore. But also : you use a VPN .... that opens up an entire different rabbit hole, as many big sites 'don't like' their services being accessed by VPN. And as always : use and abuse the golden rule : pfSense hasn't been tailor made for me and you. We use all the same code - every bit/byte is identical. Only our local settings differ (and our upstream Internet connection). So, your - default settings ! - pfSense would work fine for me. Because mine works fine for me.