• Pfsense outside port 8080

    0 Votes
    6 Posts
    689 Views
    johnpoz
    @snellie1972 said in Pfsense outside port 8080: apontv.net I can get there on 80 or 8080, but just get back "ON"
  • DDoS protection for PfSense

    ddos pfsense
    0 Votes
    10 Posts
    32k Views
    M
    @coldfix if you’re looking for control plane protection (or policing) a different brand of FW would be needed as PFsense does not have any mitigation for that.
  • Firewall rule loading errors

    0 Votes
    3 Posts
    480 Views
    awebster
    @gabxmx What did you do to fix it? DNSBL likes to create addresses automatically.
  • Some devices not working in new VLAN config

    0 Votes
    9 Posts
    583 Views
    L
    Okay, I got my doorbell to work. I pulled it off the wall and did a hard reboot. It was able to get the right IP and is back online. However, I have a WiFi lock that was spotty, but now is not working at all. Also, my game consoles are not working either.
    WiFi lock: I see it getting an IP sometimes (could be due to power savings that it doesn't stay connected all the time?), but I cannot access any functionality via the manufacturer's app.
    Game consoles: getting an IP on the correct VLAN, but they don't have internet connectivity outbound.
    I must have some conflict or am missing something. If anyone has any tips on what to check for misconfiguration, etc., I'd love to hear it! Thanks again.
  • COD on XBox Series X Not Connecting to Server

    0 Votes
    1 Posts
    293 Views
    No one has replied
  • Need explanation

    0 Votes
    3 Posts
    377 Views
    N
    Hi @rcoleman-netgate, thank you for your time. I feel so stupid now; there is a perfectly logical explanation: Tailscale. It's one of the reasons I started to use pfSense, because I am behind CGNAT. And because most of my testing and experimenting comes from my laptop, I totally forgot to check the Tailscale client on the desktop; somehow it was connected and working in the background. Last time I checked I am sure it was disconnected, and I really don't have a need for it on the desktop machine, except maybe for experimenting, because there is already Tailscale on pfSense itself and it is working great.
  • Wifi calling setup in PFSense

    0 Votes
    13 Posts
    2k Views
    R
    @jt40 said in Wifi calling setup in PFSense:
    In any case, the ports 500 and 4500 are required by Apple, not even my carrier: https://support.apple.com/en-us/HT202944
    "IKEv2" It's for a VPN. You initiate it locally, it goes out and locks on to the Carrier's system.
    [image: 1667342989939-screenshot-2022-11-01-at-5.49.38-pm.png]
  • Blocking effectively the firewall access from VLAN

    0 Votes
    5 Posts
    407 Views
    J
    @viragomann said in Blocking effectively the firewall access from VLAN:
    @jt40 said in Blocking effectively the firewall access from VLAN: Regarding the DNS, you're right, but it doesn't use the port 853, I'm not sure why...
    You will configure the clients to use DoT. However, I can't see the need to use it within your local network. It probably makes sense for DNS requests going out to the internet. If you really want to use DoT on the DNS Resolver, you need to provide an SSL certificate, which the clients are trusting.
    Unfortunately the 4th rule is necessary, the traffic doesn't pass, by default it blocks everything.
    Can't imagine that it makes any difference if both rules have "This firewall" as destination set, as you stated above.
    Anyway, I found the way to block the internal IP addresses: https://docs.netgate.com/pfsense/en/latest/recipes/rfc1918-egress.html
    This only blocks private traffic to IPs from going out to WAN. This would be the case if you request an IP that isn't part of any of pfSense networks. But it doesn't block access to other internal networks.
    I need the traffic to pass through that Router/Gateway. I'm not sure how to set this rule...
    I mentioned above already, how this could be done using an RFC1918 alias. Looks like this on my pfSense:
    [image: 1667256200591-ba9bec57-af97-4f80-b4a4-5b71d392abc3-grafik.png]
    To allow access to your modem, you need to add an additional pass rule above of this.
    I didn't enable the DNS forwarder, so only PFsense can resolve domains. In the setup of DNS over TLS I see the option for the certificate, it's set by default and it's the default one from PFSense, but it doesn't work with that port&protocol, even if I set up only DNS over TLS. It seems not listening on that port at all, just looking at the answer of "dig".
    I need to make a correction, the 4th rule now is this:
    ACCEPT ALL from_this_VLAN | with ANY protocol | TO RFC1918 (inverse rule) | port 443 (HTTPS)
    It allows internet traffic on port 443 with HTTPS.
    Thank you, I followed your suggestion to use only that alias to make it easy (inverse or not), but it's also the correct way to do it. In future, I'll try to automate everything with floating rules, I have something like 15 VLANs.
  • Open port Please help !!!!!! tired and tired

    0 Votes
    8 Posts
    548 Views
    johnpoz
    @leemajors said in Open port Please help !!!!!! tired and tired:
    Synology photos https://kb.synology.com/en-us/DSM/help/SynologyPhotos/photos_desc?version=7
    From DSM: Go to Main Menu and click Synology Photos.
    Via web browser: To launch Synology Photos directly in a browser window without signing in to DSM, go to Control Panel > Login Portal > Applications > Synology Photos and configure connection settings and enable a customized alias or port. You will then be able to use the following address to directly access Synology Photos: http://Synology_server_IP address/photo
    Port 5000 is a horrible port to have open to your DSM. That is the default DSM login port.
    [image: 1667338877342-dsmports.jpg]
    Did you change those, and set up Photos to use 5000.. I do not have Photos installed.. I am in the middle of a whole disk migration.. The backup is taking forever, moving like 12TB to a disk via USB, and then I have to restore them to new 18TB drives.. So my DSM is pretty much out of commission until prob Friday afternoon - but after then I'd be happy to walk thru a setup of Photos, etc.
  • Deny RFC 1918 properly

    0 Votes
    4 Posts
    1k Views
    johnpoz
    @jt40 said in Deny RFC 1918 properly: I'm not using floating rules to make it easy for now
    Well that policy is clearly a floating tab only rule, because it is egress: "Navigate to Firewall > Rules, Floating tab", from the procedure you just linked to. If you had a rule that was actually being evaluated that contained rfc1918 and your destination was rfc1918 then it would be blocked, be it on pfsense wan, or upstream of that.. Now if your destination was actually a public IP, and pfsense has a rfc1918 transit then no it wouldn't be blocked.. If you want someone to take a look at your rules, and bless them or point out issues - posting pictures of the whole tab is going to get way more people interested in commenting..
  • Allow or deny UDP traffic on port 443 for PFSense webpage

    0 Votes
    4 Posts
    595 Views
    johnpoz
    @jt40 if there is nothing listening, there is nothing to exploit - packet is just dropped without anything to pick it up.
  • Access to Webpages while on VPN

    0 Votes
    3 Posts
    359 Views
    O
    @rcoleman-netgate said in Access to Webpages while on VPN: @overcon The outside NAT rule will not apply to the inside OVPN connection. Just load :8080 while on the VPN
    Ah, ok. I didn't even think of that. I was thinking that with the VPN connection, I still wanted to go out and back in instead of just going directly to the resource.
  • Ping from IOT still works?

    0 Votes
    7 Posts
    589 Views
    NogBadTheBad
    @freek_box [image: 1667123917413-screenshot-2022-10-30-at-09.57.42.png]
  • Strange DNS lookups

    0 Votes
    8 Posts
    569 Views
    johnpoz
    @felix-4 said in Strange DNS lookups: Hmmm But if it is routed through IPV4, well ok that's not good..
    exactly.. If you're limiting outbound, it prob would have never worked. I believe the port was UDP 3544. To be honest I would have hoped MS would have shut down all their relays by now.. And that teredo.ipv6.microsoft.com no longer actually even resolves.. But that doesn't stop old clients from still asking for it ;)
  • Stupid question on firewall rule

    0 Votes
    9 Posts
    854 Views
    johnpoz
    @planetinse as to the sneak through comment.. Let's say you created a rule with say 192.168.0.0/16 and any 192.168.x.x IP would be allowed. While that might allow access to your other local networks routed through pfsense, it wouldn't allow access to the internet because of NAT; pfsense would only be NATing the network actually assigned to the lan interface. Also return traffic wouldn't actually work anyway because if say someone used 192.168.y.100 while your lan interface was 192.168.x/24, while the client might be able to talk to the pfsense IP because of its mask setting, pfsense wouldn't know to talk back because the IP is outside the scope of the interface on its lan.
  • Firewall blocking VLAN Traffic, my soul is officially crushed

    0 Votes
    3 Posts
    310 Views
    Gertjan
    @mcgrewjdm I saw your images, especially the first one showing the firewall rules for IPv4 and IPv6. These are fine : all traffic will pass. Btw : I do presume your OWNERS interface is set up with an IPv4 like 192.168.120.1/24 and you did not select an upstream IPv4 gateway. I'm pretty sure : if the word 'VLAN' didn't exist in your question, the issue wouldn't exist. I say upfront : I never worked with VLANs, so I imagine that traffic will pass if the incoming packets are VLAN tagged with x, where x is the VLAN number. You could test this by doing some packet capture on the OWNERS network. The thing is : when working with VLANs, devices on both sides need a corresponding VLAN set-up.
  • OpenVPN Interface "net" not correct - bug?

    0 Votes
    1 Posts
    241 Views
    No one has replied
  • Printer and firewall rules - best practise

    0 Votes
    22 Posts
    3k Views
    N
    @gertjan One printer wired and one printer wireless
  • VLANs and VPN

    0 Votes
    11 Posts
    791 Views
    natethegreat21
    @rcoleman-netgate I found from the logs that it thought I was a bot scanning the network. I really appreciate all the help you guys have given, thank you so much!
  • NTP Firewall Rule

    0 Votes
    20 Posts
    4k Views
    johnpoz
    @ne_77 that rule you posted has zero evaluations, see the 0/0 B. So nothing is matching that rule.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.