• Strange UDP traffic blocked
• How to open UDP port 1883 to IoT Cayenne my devices

    Tags: nat, rules, udp
    @modesty said in How to open UDP port 1883 to IoT Cayenne my devices: "My IoT device is connected to my LAN (WiFi) to 192.168.0.52 (static) and is sending packets to my Cayenne dashboard."
    So allow the packets to the dashboard IP instead of the pfSense interface IP. At destination select single host and enter the dashboard IP.
• Default WAN rules blocking access to remote Wireguard peer.
• webFiltering for different groups of users
• Internal device trying to go out through WAN to get to internal device
    @viragomann HAProxy is not set to go external. The IP of my domain is my public IP and I'm using iCloud to proxy that A record. What's odd is that another iOS device works just fine; it resolves internally. A reboot of the phone corrected the problem. Odd behavior.
• HTTP traffic through bridge getting 502 status
• Default deny rule IPv4 (1000000104) - from Firewall to Internet
    I have not been able to replicate this problem either. It seems to have gone away. The only difference is that I'm now using another network card. Wondering if the other card had some issues/driver issues.
• Default deny - strange behavior
    @laplacian Those are all out of state. Yeah, if you're logging default you will see those. I also disable default logging and only log SYN and common UDP ports.
• 502 Bad Gateway error with business.apple.com
    @johnpoz Hi there. I disabled the site-to-site VPN and there was no change. It occurred to me that workstations connected to the pfSense don't have this issue and it's only our servers. This seems related to our virtual environment, which is very strange. I think at this point I will open a ticket with our VM environment vendor and ask them what they think about this. I appreciate the time you spent on this!
• Hello, there is a problem with vpn clients
    @shkiber said in Hello, there is a problem with vpn clients: "I recently restricted access to certain platforms through pfBlockerNG, but I noticed another thing: some employees come with laptops on which third-party VPN clients are installed. Tell me, if it's not difficult, how you can limit the work of third-party VPN clients on local hosts through pfSense."
    Unfortunately there is not :-( Modern-day VPN connections are chameleons, as they can use a number of different ways to connect - most disguising themselves to look like regular HTTPS traffic or using non-standard destination ports - and they also leverage several different protocols like ESP, TCP and UDP. Unfortunately there is no pfBlockerNG feed available that lists all known commercial VPN or "escape" proxy providers out there, as that could help quite a lot (by banning access to those IPs). So unless you turn your firewall policy around and block everything except destinations and traffic you allow, this will be a battle you cannot win.
    NOTE: There is the option of configuring man-in-the-middle HTTPS proxying on your box and banning most/all ESP, UDP and non-standard TCP outbound connections, but this is at best a MAJOR uphill struggle and requires a lot of work/maintenance.
• Error in general log for nginx process from non-local IP
    @steveits The description is pfB_PRI1_v4 AR (I set 'AR' in its configuration). So I went and changed pfBlocker's IP4 rule for PRI1 back to Deny outbound and updated again. It left the rule that I had reconfigured to be block in place, but removed the description. My guess is that my changed version was treated as a copy of their auto-created rule. I then deleted the WAN deny rule, hit save again in the IP4 section (still deny outbound) and ran update again. At the end of the updating section (before completed) it noted that there were firewall rule changes and reapplied the filter. Checking the WAN rules, there are no rules now referencing PRI1, only a reject to PRI1 in the LAN rules section. Taking your advice, I switched the rule to Alias Native so I could make my own rules based off of their feeds, and found it created a new ports alias for pfBlockerNG DNSBL VIP ports of 80, 443. So while I had DNSBL on at one point and later turned it off, that may have been what opened up port 443 on the WAN?? (guess on my part). This did remove the remaining auto-created rule that was in the LAN rules section, which I'll re-add manually referencing their generated alias.
• IPSec Firewall Rule Query
    @viragomann So the setup was as such that the pfSense was the initiator in this case. Each remote site had a rule respectively to allow traffic to and from the head office local network and this seemingly worked as pings were allowed to traverse the VPN correctly.
• Fullbogon lists
    To clarify, the situation with TC is as follows:
    HTTP links return outdated versions from 02.08.2022.
    RIR links point to database objects, which either return the classic martians or an empty set.
    DNS queries return more sensible data. My suspicion is that it is up-to-date.
    TC do not allow AXFR for the fullbogons zone, but the transfer of the classical bogons one fails as well. BGP has not been tested yet. I ran through the above before I came here, with the intention of understanding how and from where pfSense gets its fullbogons list.
• A simple question for a complicated setup
    Okay, I figured out the VLT + Peer Routing is superior to VLT + VRRP. https://abhishektechdecoder.wordpress.com/2017/03/16/vrrp-vs-dell-vlt-peer-routing/ To summarize, you don't need to waste a (3rd) virtual IP with peer routing, because either switch can respond to either IP that you assign them. And it also load balances the links as opposed to failover. So there is no real convergence.
• Lorex NVR Ports Not Opening
    @johnpoz Exactly what I have been experiencing! Thank you so much for the help/information/confidence; I've been struggling and thinking how horrible I am at this. There is a lot to learn, and building this pfSense out has been fun and eye-opening. The community here certainly is one of the best!
• Help marking (tagging/matching) traffic
    @skilledinept said in Help marking (tagging/matching) traffic: "What's the action for each rule though?"
    The Action can just be Match since (I assume) you're not trying to also allow or block the traffic in these rules, just put it in a queue. Using Quick or not depends on whether you want other floating rules to process. Without Quick, last match wins.
• connect locally with FQDN
    @jarhead said in connect locally with FQDN: "@mrjoli021 Look up NAT Reflection. It's in System/Advanced/Firewall & NAT."
    No, don't look up NAT reflection. Set up split DNS whenever possible: https://docs.netgate.com/pfsense/en/latest/nat/reflection.html#split-dns
• Too many ports to firewall, any idea?
    Thanks everyone, so here's my plan:
    Limit access to the FW.
    ALLOW DNS access to the local DNS resolver for all the VLANs.
    Limit access to the WAN, not port based but DNS/IP based; I need to evaluate pfBlockerNG and Suricata.
    The latest challenge came up with the VPN... Restricting the traffic within the VPN is not possible unless I set up HAProxy in front. Performance-wise I should be fine, I have overkill hardware, but it's an additional service to maintain and to troubleshoot in case of issues. I'm not sure if I'm gonna do that, would you? In any case, this is the problem I've met there, and I didn't even restrict the traffic. Any idea? openvpn-puts-down-internet-traffic Please ignore the second message and jump to the 3rd; unfortunately I couldn't edit it.
• Squid/SquidGuard
    I also have the same problem. I try to access a web app with the Sky.one Agent, and when I log in I get the error NONE_ABORTED/200. I have an open topic, but I haven't received any help... This is the link to my problem; there are more details there... https://forum.netgate.com/topic/175478/squid-ssl-man-in-the-middle
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.