• [SOLVED] Can't Reach FTP Server from WAN to DMZ

    1
    0 Votes
    1 Posts
    144 Views
    No one has replied
  • [solved] UDP broadcasts

    4
    0 Votes
    4 Posts
    439 Views
    R
    @furom Multicast is typically always local to your network. Something is sending that out. Open Wireshark and hunt it down. They'll have a MAC you can reference. Multicast is also generally unroutable. https://en.wikipedia.org//wiki/Broadcast,_unknown-unicast_and_multicast_traffic
  • RingCentral network testing

    2
    0 Votes
    2 Posts
    628 Views
    J
    Resolved Found the problem - it was DNS. The software "server" they run for part of the test creates a localhost link to bcs.visualworks.com, requiring it to resolve to 127.0.0.1. However, if pfSense is involved, it tries to resolve it outside, can't, and so fails. I found if I input DNS servers in the workstation IPv4 configuration that point outside the router, it worked, but obviously not the best solution, so I put a Host Override in pfSense for that domain to point to 127.0.0.1 and it works on all the workstations now.
  • Proxy server + SSL

    2
    0 Votes
    2 Posts
    249 Views
    Gertjan
    @cobain Posting in the wrong forum? [image: 1669997553423-2bebe1e7-0443-4040-ba57-9ad7b69aa038-image.png] Also, how can we know what you did wrong?
  • Multiple interfaces: Rules configuration?

    7
    0 Votes
    7 Posts
    983 Views
    lifeboy
    @steveits Thanks for the feedback! We'll sit down and do some planning on how to best take this forward.
  • Firewall Rules - Different Gateways - Multi-WAN

    2
    0 Votes
    2 Posts
    222 Views
    V
    @csit-0 Yeah, if a gateway is failing, pfSense passes the traffic out to the next one by default. If this is not desired, add a check mark at System > Advanced > Miscellaneous > Skip rules when gateway is down.
  • Block redirect

    firewall alias redirect rules
    6
    0 Votes
    6 Posts
    2k Views
    Gertjan
    @tbr281 said in Block redirect: Just wish it would redirect it. Even "dirty websites" use TLS these days. Easy to recognize: their URL starts with https://. Without drastic measures on your LAN, that is, on all your web-visiting devices and pfSense, you can't redirect https://"dirty websites" to https://DuckDuckGo. Your browser won't allow this. The test "is the host name "dirty websites" present in the certificate obtained?" will fail. Have a look: [image: 1669622454574-e2e336b4-a7bf-4b88-ab68-5e617416ed3b-image.png] That doesn't look like "dirty websites": your browser will refuse the connection. If it was possible, you would also be able to redirect https://some-bank-acess-you-use to https://some-bank-access-you-use, and because you control some-bank-access-you-use (and your site looks identical to some-bank-acess-you-use), now you get the access credentials. And five minutes later you can access https://some-bank-acess-you-use with the credentials you've obtained, and do what you want. The thing is, why would you ask if something is possible if you don't want it to be possible? After all, https://"dirty websites", or https://facebook.com or https://some-bank-acess-you-use or https://some-bank-acess-you-use, for your PC, switch, pfSense, upstream routers of your ISP etc., it's all the same: a connection to some server over port 443, TCP.
  • Guest FW Rules examples

    2
    0 Votes
    2 Posts
    355 Views
    JKnott
    @cyberbot Here are my guest WiFi rules. They allow only access to the Internet and also pinging the guest interface. [image: 1669501042223-1fe2a30d-3b3d-4c5c-95e6-9ce07a73d1d4-image.png]
  • Problem with Schneider Wiser Gateway, could this be because pfSense?

    4
    0 Votes
    4 Posts
    368 Views
    C
    @rcoleman-netgate I could find it on the DHCP when it got an IP, in Unifi's view. Nothing in the firewall logs. But not able to ping it from computer when on same network. Then I realized I had the VPN on the phone... probably that's why it was failing! Gotten so used to it so had forgotten it's even on. Now it's working.
  • Relative position, Subnet <> Gateway <> Firewall <> Services

    7
    0 Votes
    7 Posts
    467 Views
    ipeetables
    This is the information you may be looking for. It describes traffic flow between interfaces. Network Address Translation - Ordering of NAT and Firewall Processing https://docs.netgate.com/pfsense/en/latest/nat/process-order.html The order is LAN > FIREWALL > GATEWAY. When a packet arrives at a network device and it is destined for another device on the same physical layer in the same subnet, it goes directly to that device without needing to go through a firewall or router. When a packet enters a LAN interface on pfSense, it is first checked for matching firewall rules. These could either be rules on the LAN interface or floating rules. Then it starts to use the "gateway" functions. If this packet was going to the internet, pfSense would check if there are any manually specified outbound NAT rules. If there are none, it will use the default outbound rule for WAN. This changes the packet from your private address to your real IP address and forwards the packet outside of your network. There are other steps that I didn't explain for cases using port forwarding or 1:1 NAT. It is more detailed on that page.
  • Firewall aliases to bypass openvpn setup.

    4
    0 Votes
    4 Posts
    376 Views
    V
    @somedudde Did you also change it in the floating rules? BTW: It makes absolutely no sense to have exactly the same rules on floating and LAN tab.
  • Rule (@0) in the firewall logs?

    6
    0 Votes
    6 Posts
    497 Views
    NogBadTheBad
    @bblacey it's something talking to AWS. AS details for 3.15.129.189: route: 3.14.0.0/15 origin: AS16509 descr: Amazon EC2 CMH prefix mnt-by: MAINT-AS16509 changed: noc@amazon.com 20190313 #18:50:39Z source: RADB Thursday, 24 November 2022 at 15:50:54 Greenwich Mean Time. Do you see a MAC address on the router for the source IP? If you do, what is it?
  • Port Forwarding Help

    8
    0 Votes
    8 Posts
    646 Views
    N
    @johnpoz Tailscale works like a charm
  • Site to Site OpenVPN

    3
    0 Votes
    3 Posts
    518 Views
    V
    @viragomann Thanks man, had to resort to NAT
  • How can I find out why LAN device is accessible even though I have no WAN ports forwarded and UPnP is disabled?

    0 Votes
    6 Posts
    642 Views
    I
    @steveits said in How can I find out why LAN device is accessible even though I have no WAN ports forwarded and UPnP is disabled?: @imthenachoman Not if the software connects out to the service to check. We have an agent on all our clients' PCs and because it checks in every few seconds we have almost immediate access, without any ports forwarded to each PC. Ah. I see. Thank you! @gertjan said in How can I find out why LAN device is accessible even though I have no WAN ports forwarded and UPnP is disabled?: @imthenachoman said in How can I find out why LAN device is accessible even though I have no WAN ports forwarded and UPnP is disabled?: I don't follow. Once the app is running on my computer, Yes, you do. As you already used TeamViewer once in your life, right? It's the same concept: the TeamViewer app has to be launched on the device on your LAN. When you give someone on the phone the ID and password, that person, 'from the other end', also using TeamViewer, can access your PC / desktop etc. just fine. No NATted ports or UPnP needed. Because the PC on LAN opens a connection to a TeamViewer server. These connections are data channels and are bidirectional. Once the connection is initiated from the PC LAN side, commands, traffic etc. can go both sides. And even better: why do you see the Google page from the Google web server on your PC, your browser? Because your browser opened up a channel (TCP connection) to the Google web server, and asked it a question: "give me the / page". The web server answered by returning the page content. After it showed the page, the browser stops the connection. I get that now. I didn't realize this is how it might work. Thank you.
  • iPhone receives e-mail but empty contents

    5
    0 Votes
    5 Posts
    403 Views
    T
    Thanks gertjan.... I guess I'm one of those morons because that is the exact reason I want to set up my own mail server. I know it's a boat load of maintenance but it's also a learning experience... As for the DHCP... You could create a DHCP MAC based lease on the pfSense side. This is exactly what I did. I can't remember where I read it but so far that has seemed to work. The only thing I could think of is a Duplicate IP but I don't see the pre-static IP address anywhere on the network or in the pfSense logs. So who knows... Somewhere lost in the ether-realm of cached items...
  • Plex Blocked for External Access

    7
    0 Votes
    7 Posts
    629 Views
    johnpoz
    @rubber_duck13 I have no idea how your setup is - but reply-to should be set and yeah, it should return via the connection it came in on.. https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#disable-reply-to
  • Listen queue overflow: 151 already in queue awaiting acceptance

    3
    0 Votes
    3 Posts
    692 Views
    gboone
    I also saw this today, and it was after troubleshooting why my IPsec connections were all down. When I restarted the IPsec service it flooded the system log with: [image: 1668869130123-1288da17-14a4-4fb4-be1f-b54b81ad4e0a-image.png] I have no idea what it means, but my IPsec connections are back up after restarting the firewall.
  • access 1 pc on Wan From LAN

    4
    0 Votes
    4 Posts
    427 Views
    V
    @the-blue-tiger said in access 1 pc on Wan From LAN: how do I set this up? Can my VM be the DHCP for the host? No, you have to pull your public IP from the ISP. My ISP has the option to bridge my modem by adding MAC to it. No idea what the MAC does here. Not sure if this is a real bridge. Or is this rather a sort of "exposed host"? Yes, generally you have to bridge the ISP router if it's capable of this. How does the router get its IP? DHCP or PPPoE?
  • Android App, to WAN being blocked..

    5
    0 Votes
    5 Posts
    359 Views
    D
    @bmeeks, yes I was wondering how that worked,.. and considered I may need to remove 'current block list',... but was nervous to try something that may break the system. But I appreciate your pointers,.. and insight as to what is going on,.. again many tx for your replies. @diyhouse
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.