• How do I whitelist a few countries only?

    0 Votes
    17 Posts
    2k Views
    @johnpoz said in How do I whitelist a few countries only?: @paul2019 well you have them all off Damn, that was it! These are OFF by default and went completely unnoticed until you mentioned it, thanks a lot.
  • can't connect to ssh servers on lan through openvpn custom ssh port

    0 Votes
    5 Posts
    672 Views
    @viragomann I can provide firewall rules as screenshots if needed [image: 1663270845689-12349a1a-c4d0-4f69-b681-acfc6b42dbeb-image.png] lan rules [image: 1663270894272-fc4d8f2d-922b-48a3-b28b-38d051968936-image.png] [image: 1663270924826-b44c21eb-ffd0-41c0-ac89-9625c7650c37-image.png] [image: 1663270957965-2133113a-f725-4740-9c08-5d91c9ad11f5-image.png] open vpn rules [image: 1663271049379-5fa61461-754c-4ea1-984d-5c457ee2c29d-image.png]
  • Too many IPs for an alias

    google alias rules
    0 Votes
    3 Posts
    1k Views
    NogBadTheBad
    pfBlockerNG and the ASN numbers. pfBlockerNG will also import JSON, but you can't create a single alias with IPv4 & IPv6. [image: 1663141299281-screenshot-2022-09-14-at-08.41.28.png] https://db-ip.com/as15169-google-llc
  • inblock traffic?

    0 Votes
    3 Posts
    643 Views
    [image: 1663090208996-2022-09-13_11-13-36.jpg]
  • Unable to access with multiple devices through a single interface

    0 Votes
    4 Posts
    724 Views
    @steveits said in Unable to access with multiple devices through a single interface: Check subnet masks on the router LAN and the device. That's where I was headed too. :)
  • Broadcast port 5678

    0 Votes
    4 Posts
    1k Views
    So you are seeing this broadcast on the WAN; did you manage to identify the source MAC address? Once the source MAC address is identified, you can look up which manufacturer it belongs to in order to confirm, but I wouldn't worry about it. It is undoubtedly something coming from the provider. In any case, the firewall is dropping it, because there is a default deny on the WAN.
  • Help finishing Firewall Setup

    0 Votes
    4 Posts
    737 Views
    @fiyawall UPDATE. Actually it appears this FINALLY worked. I killed the desktop VPN and for some reason now the proper IP address is showing. I hope this is the end of this whole journey, what a relief. [image: 1662939483864-screen-shot-2022-09-11-at-4.37.36-pm-resized.png]
  • VOIP provider after schedule not registering debug help required

    0 Votes
    28 Posts
    1k Views
    stephenw10
    Nice result!
  • 0 Votes
    17 Posts
    1k Views
    johnpoz
    @skysurf76 dude we get old, not feeling it is the secret... The sad part is 30 years ago really doesn't seem like that long ago.. Doesn't seem like that long ago I was running around adding co processors to the pc at the job, and installing tcp/ip via a floppy into windows hehehe
  • Defining and maintaining FW and NAT rules for multiple VLANs

    0 Votes
    4 Posts
    601 Views
    @louis2 said in Defining and maintaining FW and NAT rules for multiple VLANs: And you can not use "actual-vlan-address" and "actual-vlan-net" in that rule set, since those options are not available. So you can never define a rule in the interface group selecting on either the actual vlan's source or destination addresses. Maybe you can express the rule parameters more universally. The "actual-vlan-net" is only meaningful in sources. You can either use any here or an alias, which includes all desired networks. However, an IP out of the interface subnet will be unable to communicate with pfSense anyway. Instead of "actual-vlan-net" you can use "This firewall".
  • Disable logging of default deny

    0 Votes
    4 Posts
    522 Views
    johnpoz
    @peterlecki creating a rule at the end that blocks and does not log can work for some traffic. But that rule for example wouldn't stop out of state traffic, wouldn't stop ipv6 traffic. Which is why I asked to see what you were actually seeing in the logs. And are you seeing that rule evaluated - because again what you posted shows 0/0, which means that rule was never evaluated to not even not log something.
  • OpenAppID for Suricata??

    0 Votes
    5 Posts
    1k Views
    Cool_Corona
    @bmeeks Awesome info Bill. Thanks a million!
  • Firewall states time out during backup?

    0 Votes
    7 Posts
    884 Views
    @nogbadthebad said in Firewall states time out during backup?: @furom Have you tried disabling firewall scrubbing:- No, I haven't. I see NFS is especially mentioned at that. After having hit the pfSense documentation I found that this is something that is "highly recommended", thus I will take the initial advice and simply move the NAS. So I've learned that disabling this may absolutely work fine, but at a cost of lowered security. Thanks all for the help and advice!
  • Advice on Buying a Router/Firewall

    0 Votes
    9 Posts
    1k Views
    JKnott
    @ibnkamala I use the computer described in my sig. I'm quite happy with it.
  • 0 Votes
    4 Posts
    569 Views
    johnpoz
    @pastic yeah phones can be horrible at it. They can also point to asymmetrical traffic - but I don't see any SA (syn,ack) which would point more to asymmetrical. If you see a lot of them, and it bugs you to see them in the logs, you can always set up a rule to only log SYN blocks. And not log the out of state stuff, by disabling logging of the default deny - and then creating a block rule that logs but only if it's syn and blocked.
  • Order of VPN clients determines if they work

    0 Votes
    8 Posts
    831 Views
    @bob-dig But Bob, what I do is simple. I change the IP address, that's all. Everything else stays the same. The components of the system are (1) An interface that gets a name and that name does not change (2) A client that gets an ip address that accesses the VPN and uses the aforenamed interface. The certificates, the CA are the same. If I just change the IP address for the single client, it works. But if I duplicate the client, disable the first one in the list and keep the same ip address (I am just duplicating the client simply for a test) - I can't get out of my LAN. What am I missing? When you say "live with the consequences" could you explain why these consequences arise? If I were a betting person, I would say pfsense sees the 1st disabled client and stops there. It does not look for another client. I get if say I were using NordVPN and ExpressVPN (the latter only supports pfsense 2.4) for various purposes I would need to do this, but I'm using the same VPN provider. I bet I am missing something. As always, thanks.
  • Help Firewall can't connect to lan servers on special ports

    0 Votes
    12 Posts
    922 Views
    johnpoz
    @dragonfixed00 lease expires too soon? Pretty sure it defaults to 2 hours, but you can adjust that - I have mine set to like 4 days. So dhcp would normally hand out its own IP on the interface for dns and the gateway.. Can your client ping pfsense IP, can it do dns - use your fav tool, dig, nslookup, host on the client and validate it can resolve say www.google.com What rules do you have on the interface? Do you have any rules in floating? If this is a new interface and not lan - there would be no rules, and you would have to create them. Unlike lan which defaults to a any any rule.
  • Blocking truenas access

    0 Votes
    6 Posts
    1k Views
    johnpoz
    @kreki1986 if you want to use pfsense to control access to the nas from your other local networks you would need to put the truenas on a different network/vlan than the devices you want to control access from..
  • Unblock a specific website

    0 Votes
    10 Posts
    990 Views
    andrzejls
    @m_devil Yes, "www.." it is not there. The entry is .mirrors.kodi.tv
  • tracking ID 1000058313

    0 Votes
    8 Posts
    837 Views
    @johnpoz said in tracking ID 1000058313: 514 is syslog so where are you sending your remote logs, it shouldn't go out all interfaces - just the interface to get to your syslog server. Yes, exactly, in my Remote Logging Option configuration, a vlan is chosen in the "source Address" field and I have two "remote log servers" which are in the same vlan as "source Address".
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.