• 0 Votes
    6 Posts
    4k Views
    johnpozJ
    @rasputinthegreatest see my edit about devices sending it out even when they have an IP on the network - my DirecTV appliance does that. But once you have a MAC it should allow you to track it down, especially if you have a smart switch and it's wired, where you can look at the MAC address table. If everything is working and you just don't like the noise in the logs, you can turn those off, either in log settings - I believe the new 2.8 allows for not logging link local - or you could set up a rule not to log it.
  • Firewall rules

    0 Votes
    7 Posts
    3k Views
    J
    @John_McNoob Got it working now :)
  • Port forwarding in 2.8

    0 Votes
    5 Posts
    2k Views
    P
    @Gertjan I don't have the energy to verify why it's rejecting the gateway. Perhaps something has updated in the NAS (OMV) in the meantime. The important thing is that it works, thx :)
  • Redirect DNS queries to PiHole in Docker

    0 Votes
    3 Posts
    1k Views
    J
    @AndyRH: Many thanks to you. I've implemented your rules and they seem to work exactly as intended. Most surprisingly for me, they do this without dedicated firewall rules. Thumbs up! Best regards, JD.
  • Blocking IoT (Meross) Garage Door opener to internet

    0 Votes
    1 Posts
    580 Views
    No one has replied
  • Blocking URLs in pfSense firewall for specific range of IP

    Moved
    0 Votes
    17 Posts
    3k Views
    stephenw10S
    Well, like I said, I've tried to do that so.... I'm not sure. Does it work? I'd expect to see a load of errors when it creates the test config if there's a problem.
  • IGMP ...need understanding...?

    0 Votes
    4 Posts
    725 Views
    N
    @SteveITS Thank you for the info! I think I have a better grasp now on what my issue was. Since I disabled IGMP Snooping in the Unifi controller for my IoT net and associated VLANs I have not had any more notices in the firewall log (I still have the pass rules with log on, but nothing is showing in the firewall log), so I assume there is no more IGMP traffic. Cheers
  • 0 Votes
    5 Posts
    928 Views
    JKnottJ
    @JonathanLee said in To Default Reject Or Block That is the Question.: I wanted to share this with you in case you ever asked the question what the difference is between block or reject... A block just drops the packet, without any other response. A reject sends an ICMP message back advising why. You want to use block on the WAN, so that the attacker has no confirmation there's something there. Use reject on the LAN, so that an issue can be identified.
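    The block-versus-reject distinction described in the post above, as an added example that is not part of the thread: a small Python probe that classifies what the far side did with a TCP SYN (completed handshake, an immediate RST/ICMP unreachable as a reject rule sends, or silence as a drop rule produces). The pf keywords in the comments are the ones behind the pfSense Block and Reject actions; the probe logic, the loopback demo and the function names are constructed for this example.

```python
import errno
import socket

# pf keywords behind the two pfSense actions discussed in the post:
#   block drop   -> silently discard the packet (pfSense "Block")
#   block return -> answer with TCP RST / ICMP unreachable (pfSense "Reject")
PF_ACTION = {"block": "block drop", "reject": "block return"}


def classify_probe(host, port, timeout=2.0):
    """TCP-connect to host:port and classify what came back.

    'open'        -> handshake completed
    'reject'      -> RST or ICMP unreachable arrived (pf 'block return',
                     or simply no listener on a reachable host)
    'drop'        -> nothing arrived before the timeout (pf 'block drop')
    'unreachable' -> the local stack has no route; not a firewall verdict
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "drop"
    except ConnectionRefusedError:
        return "reject"
    except OSError as e:
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def demo_localhost():
    """Exercise 'open' and 'reject' against loopback (runs offline).

    A port with no listener answers with RST, which is the same thing a
    'block return' rule sends; a listening socket yields 'open'. A 'drop'
    needs a silently discarding firewall in the path, which loopback
    cannot reproduce, so it is not part of this constructed demo.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Grab a second ephemeral port, then release it so nothing listens there.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        results = {
            "open": classify_probe("127.0.0.1", open_port),
            "reject": classify_probe("127.0.0.1", closed_port),
        }
    finally:
        listener.close()
    return results


if __name__ == "__main__":
    for expected, got in demo_localhost().items():
        print(f"expected {expected:7s} got {got}")
```

    Pointed at a WAN address behind a Block rule the probe reports 'drop' after the timeout, which is exactly the "no confirmation there's something there" the post recommends; pointed at a LAN host behind a Reject rule it reports 'reject' at once, which is what makes a misconfigured rule quick to spot from inside.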
  • PfSense keeps Port 21 open??

    0 Votes
    20 Posts
    6k Views
    JonathanLeeJ
    You know what it was, I had it set to reject and not block HAHA. I can't believe I didn't see that before, that is a Homer Simpson moment.
  • 0 Votes
    2 Posts
    512 Views
    F
    This issue has since resolved itself though the root cause is unknown and there have been numerous changes made to the firewall between when it was last observed to not work vs. now when it is working.
  • 0 Votes
    21 Posts
    2k Views
    johnpozJ
    @rasputinthegreatest normally hosting stuff on big CDN networks is not cheap - and I would assume they do some vetting of what is being hosted/served. Not saying stuff can not be compromised - but it seems unlikely some malware people would choose to host their crap there, to be honest. While that CDN is not a global player to the likes of AWS/Azure or Cloudflare, etc., they are not a mom and pop VPS hoster ;) Glad you got it figured out - and this thread might be very helpful for the next guy.
  • Cisco VTP and PFSense ACL

    0 Votes
    1 Posts
    160 Views
    No one has replied
  • Inter VLAN Access

    0 Votes
    6 Posts
    656 Views
    O
    @Gertjan I figured it out. It was my old IPsec tunnel. It was capturing the traffic, so the rules never really impacted the traffic. Once I removed the IPsec tunnel, the rules started working, as mentioned.
  • Direction in firewall states: CLOSED:SYN_SENT

    0 Votes
    1 Posts
    206 Views
    No one has replied
  • 0 Votes
    7 Posts
    562 Views
    E
    @viragomann Yes, actually, I made allow any-to-any rules for all interfaces including bridge interfaces for testing. I wanted to see traffic going the right direction and compare with what I expected. However, after I provide an IP address to the bridge, I'm getting less information from the firewall. From the firewall state (PC-B to PC-A):
    [Any 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH]
    BRG2 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH
    BRG1 10.10.40.4 -> 10.10.30.3 SYN_SENT:ESTABLISH
    However, I found two solutions: (1) creating rules in the floating tab with quick enabled; (2) making BRG1 and BRG2 one interface group and creating the rule there. I have no idea why those can be the solutions but it seems like there's something related to rule priority. Thank you for taking care of my issue.
  • pfsense seems to be blocking out access to a banking site

    0 Votes
    8 Posts
    613 Views
    C
    @johnpoz Many thanks for the help, advice and comments noted. Thanks again. CC
  • Configuration while on running pfSense

    0 Votes
    2 Posts
    256 Views
    L
    @chris-doldolia Hello! You can safely make configuration changes on a running pfSense firewall, it's designed for that. Most settings apply immediately without needing a reboot, though some services (like IPsec, OpenVPN, or interface changes) may briefly interrupt traffic when restarted. Just make sure you have console or alternate access in case something goes wrong.
  • netcts.cdn-apple.com

    0 Votes
    4 Posts
    777 Views
    JonathanLeeJ
    @johnpoz I am glad you also noticed it. I see it a lot on my proxy; I decided to block it and see what breaks, but nothing has changed so far. I also have the DNS manually set on the iMac, so it should not attempt to use DoH.
  • Broken website..?

    0 Votes
    4 Posts
    423 Views
    E
    @Gertjan @JonathanLee, I appreciate your comments and your time for this. I found that our ISP modem keeps sending a login page when it thinks the connection state is not made properly. (From the development tools, I was able to see '302 Found - too many redirects'.) The cause of this was NAT, because when my IP was NATed to the interface IP, the source port kept changing as well. I created a NAT rule with static port enabled, and it resolved my issue. Thank you very much.
  • multicast 224.0.0.22 incorrectly flagged by !RFC1918 alias

    0 Votes
    4 Posts
    468 Views
    keyserK
    @CatSpecial202 The traffic is not being blocked because it is considered part of the RFC1918 space. Your rule is not a block rule, but rather a PASS rule (!RFC1918). The traffic is blocked by your rule though - but that's because the IGMP multicast packets that were intended to be passed by the rule have IP options enabled, which the default IP options filtering in the rule denies. Hence it blocks the traffic. Search for "IGMP filtering blocks traffic" on this forum to understand the problem and configure your rule accordingly. E.g. this thread: https://forum.netgate.com/topic/187896/how-to-stop-logging-blocked-lan-igmp
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.