• Traceroute behind DMZ not working

    5
    0 Votes
    5 Posts
    525 Views
    UnderstudyU
    @bingo600 That worked thank you. I was going to try and show it but my reply containing the traceroute was flagged as spam. Interesting. Thank you again for your help.
  • Redirecting all DNS to Pihole

    5
    0 Votes
    5 Posts
    9k Views
    G
    Hey all, saw this topic. I used it to redirect my Chromecasts to one of my Pi-hole instances and it works! Now, the problem is, I have two Pi-holes. Is it possible to just add the same rule to make both available for the Chromecasts, in case one Pi-hole fails?
  • Outbound from servers not working

    5
    0 Votes
    5 Posts
    782 Views
    UnderstudyU
    @viragomann Thank you for your response. My apologies for getting back late. I placed rules on the DMZ port and that has appeared to fix most of the issues. So thank you very much for that.
  • 0.0.0.0:68 -> 255.255.255.255:67 Blocked (Can't unblock)

    5
    0 Votes
    5 Posts
    13k Views
    R
    First: bumping a very old topic, I know, but I believe it is still very relevant to clarify. Also, this forum topic was top of my search list when searching on this subject ;-) The reason I came upon this thing was my firewall (pfSense) log getting filled up with these entries every 3 seconds. I have also struggled to find out what the heck this was. I have spent loads of time on it. In the end, trial and error, leaving out every network part one by one. I found out it comes from the ISP local internet (what's it called?), all the ISP customers, and when someone's modem is starting up, it sends a DHCP request out on the network, speeding right through my ISP modem because it is in bridge mode, and ends up on the WAN side of my pfSense router. Therefore the "block bogon" (private range IP addresses) in the firewall log. In pfSense firewall settings, I can tick off to NOT log those "block bogon" packets, if I chose to. RafterX out.
  • Firewall, port forward from WAN and migrating from openWRT

    2
    0 Votes
    2 Posts
    374 Views
    S
    @video2go The 1100 is not going to give you full 1 Gbit speed. Re: port forwarding, the destination address should be your WAN address. Packets arriving on WAN are sent to the NAT IP.
  • 0 Votes
    7 Posts
    2k Views
    J
    @jarrodsfarrell Did fix the DNS IPv4+6. Post filter is getting tripped so I can't edit my post.
  • uRPF - Need to Permit Asymmetric Flow via GRE/IPSec

    rpfilter asymmetric urpf gre ipsec
    1
    0 Votes
    1 Posts
    580 Views
    No one has replied
  • Firewall blocking Quad9?

    10
    0 Votes
    10 Posts
    1k Views
    johnpozJ
    @steveits exactly ;)
  • 0 Votes
    3 Posts
    382 Views
    O
    @rcoleman-netgate said in Same Tracking ID across multiple firewall rules after copying rules to other interfaces: @offstageroller If you selected multiple rules and clicked the "copy" button on the rules page to create new ones they will have the same tracking ID. This is a bug in the current release that is being fixed in the next. https://redmine.pfsense.org/issues/13507 Thank you for letting me know! I won't create a duplicate bug ticket then :). If anyone else runs into this issue, an "easy" solution is to duplicate each affected rule, one by one, on the affected interface, and then delete the original rule above it. Apply those changes and you'll have unique IDs for each rule on that page.
  • interface cannot ping lan to opt5

    40
    0 Votes
    40 Posts
    2k Views
    johnpozJ
    @ofcoit Well, you got something else wrong then. Did you do the sniff like I asked? If you remove them, does it still fail? You can look at the actual conf file: cat /var/dhcpd/etc/dhcpd.conf This conf file is generated; if it's not showing your interface IP in there for option routers, then something is wrong. Did you maybe have a space or something in that field?
  • How do I whitelist ads.google.com?

    3
    0 Votes
    3 Posts
    503 Views
    D
    @steveits Thanks - per my initial comment, I did add ads.google.com to the DNSBL (and should have mentioned that I did a Force Update) but that made no difference. It wasn't necessary to flush the DNS on the Mac; as soon as I disabled pfBlocker (and did a Force Update), I was able to reach ads.google.com with no problem. I'll have to look at the logs, I suppose.
  • Viewing redirected DNS destinations

    dns redirect firewall rules
    1
    0 Votes
    1 Posts
    493 Views
    No one has replied
  • Internal device should be allowed but still cant connect

    13
    0 Votes
    13 Posts
    774 Views
    johnpozJ
    @vsaad If your controller is at another site that is connected via a VPN, then all traffic between controller, server, client, etc. should be through the VPN.
  • floating rules not working

    3
    0 Votes
    3 Posts
    320 Views
    E
    @johnpoz said in floating rules not working: @enesas Well, that rule shows that it has never been evaluated; see the 0/0 B under states. For a rule to be evaluated, it has to match. And if floating, you would want quick marked on it. So yeah, you would have to have the correct interface selected. Also with block rules, if there was already an existing state that allows the traffic, the rule would never be evaluated because states are looked at before rules. But you need the double little green arrows on floating rules to mark them as quick. [image: 1665584975760-quick.jpg] Yes, I ticked fast and it worked. I skipped it. Thank you for your quick reply.
  • Alias to block cameras from WAN only working for some cams

    15
    0 Votes
    15 Posts
    954 Views
    J
    @jims said in Alias to block cameras from WAN only working for some cams: @jarhead I don't understand the difference between WAN and internet. My pfSense box has two network ports - the one connected to my internet modem (WAN) and the other connected to my LAN. It seems that setting that destination to any would keep the cameras from connecting to anything, but perhaps that is ok as all connections to the cameras should be initiated by the DVR (or my PC if I am accessing them directly for some reason)? Does what John said make sense to you? He is explaining it exactly, but you may not understand it. Just keep in mind, any of the "net" aliases, WAN net, LAN net etc., are just the directly connected network. So the WAN net is the subnet your ISP assigned to your service. Let's say your public IP is 10.10.10.3 with a subnet of 24, and your gateway is 10.10.10.1. By blocking the WAN net, that's the only network you blocked. Chances are you'll never need to access anything on that network, so you're not really blocking the cameras from anything. Now, your traffic from your LAN goes to your gateway (10.10.10.3 in this example), then goes to your ISP's gateway (10.0.0.1) and then out to the internet, BUT none of your traffic is destined for anything on that network, so it goes right out to the internet still. As for the ANY rule, you only have one subnet, so local traffic never even goes to your pfSense; it's layer 2 traffic only. So using ANY there will block it from entering the firewall and it will be blocked as you want it to, but you can still access it locally.
  • [SOLVED] logs shows 224.0.0.1 being dropped ALOT.

    8
    0 Votes
    8 Posts
    10k Views
    S
    @whitekalu how can you do it? I mean clear 224.0.0.1. Can you show me?
  • 3 Votes
    7 Posts
    11k Views
    K
    @dyp1985 Dave, all I'm able to find on your topic appears to be your own posts elsewhere. I think ensuring both devices are on 2.4 GHz is a good path to explore—you didn't clearly indicate if your failed attempts were with the iPhone 12 or 8. I have seen your struggle first hand. I have several WiFi SSIDs in use (as my access points can broadcast sixteen separate WiFi signals). One SSID is dedicated to Nest and it's on a dedicated VLAN. I do need to ensure my phone is connected to the Nest SSID or setup fails. My Nest SSID is 2.4 GHz only. On second thought, I don't think setup in this case, but the Nest devices get programmed with the same SSID and password the phone is using. So, I need to put the phone on the SSID I want the Nest devices to use. HOWEVER, after setup completes, I can move my phone off the Nest SSID and the app continues to work EVEN THOUGH my phone uses 5 GHz on its normal WiFi SSID which is completely different. Off the top of my head, I believe my router is configured to permit the Nest VLAN and my regular phone VLAN to talk to each other (but only on the ports I mention above). If I'm wrong about that—I need to re-examine the web I created to know for sure—then the phone app doesn't communicate to the Nest devices directly, and goes through the Nest servers instead. I'm pretty sure they talk locally. My uncertainty above isn't the point I'm trying to make, however. My point is once the devices are set up, you may not have as much trouble keeping it working. So, here's what I suggest, since you've had success with the hot spot method: TURN OFF your router. Set your hot spot to use the exact same SSID and password that your router uses. Perform the setup. If you're successful, the Nest devices will be programmed to connect to the same SSID that your router broadcasts. Now, turn off the hotspot and turn your router back on. See if that contorted method gets you through the setup and gets that success "transferred" over to your router.
    If that succeeds, you'll at least have a work-around to get the setup done. I always have setup glitches too because of the security and VLANs I've created and that makes things more complex. But, once I get it working, I don't have troubles. My second thought involves your WiFi settings. My access points have a setting to allow or deny devices talking to each other. The "deny" configuration would be good security in an application where you might have public users or insecure users that have no business attempting to communicate with other users on the WiFi. See if your router/WiFi has any settings that look like this one. My debugging brain always starts by turning off all security or weird settings and, if that works, turning them back on one at a time to try to narrow down the problem. Another thought is, I know setup uses Bluetooth. It's not entirely clear to me, however, if setup requires Level 2 (Ethernet packet) communications or only requires Level 3 (IP packet) communications. Is there a WiFi/router setting on your device that sounds anything like "Allow L2 packets" or mentions L2/L3 at all, or sounds anything like that? Chromecast requires L2, and a setting that mentions enabling Chromecast is worth trying. But I'm not certain Nest setup requires L2. Please post back what you find. Best wishes! Kevin
  • pfSense firewall in GCP for Internet ingress and egress

    6
    0 Votes
    6 Posts
    459 Views
    A
    @Jarhead Any thoughts on this please or do you need more detail?
  • A small query about 104

    7
    0 Votes
    7 Posts
    367 Views
    johnpozJ
    @kom Yeah, while I agree out-of-state are not all that uncommon to see, it seems odd that they are blocked on the outbound; they shouldn't have been even allowed into the WAN if the state was gone. And those are answers to the client that created the connection; see the source is from 443 (https). Maybe it was pfSense closing the state when it saw the client sending the FA, but the answer was blocked? I normally do not log default blocks, so haven't seen stuff like that before. I only log syn blocks, and common UDP ports. So what pfSense blocks by default other than syn I don't care to see in my logs. Unless troubleshooting something - and have had no issues to troubleshoot lately ;) So logging of default is just turned off.
  • Wildcard Domain

    5
    0 Votes
    5 Posts
    2k Views
    V
    @jakjr When you check out the JSON file, there are multiple sections, each beginning with an ID and containing a URLs subsection and an IPs subsection (containing networks). So search for the host names or wildcard domains you need, take the networks from the corresponding sections, and build your own networks list for use in a URL alias.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.