• ICMP to VLAN's GW

    0 Votes
    14 Posts
    1k Views
    johnpoz
    @mvikman said in ICMP to VLAN's GW: if the DHCP and other hidden auto-generated rules were visible and un-editable in the rules list
    I hear ya - and yeah that would be a nice feature, say a toggle to show hidden rules maybe. You could put that in as a feature request on redmine.. edit: guess there has been one for a really long time https://redmine.pfsense.org/issues/4828
    But you can always view the full rules list. https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html#viewing-the-pf-ruleset
    example - not full list, snipped some of the interfaces but you get the idea
        # allow access to DHCP server on LAN
        pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 ridentifier 1000002541 label "allow access to DHCP server"
        pass in quick on $LAN proto udp from any port = 68 to 192.168.9.253 port = 67 ridentifier 1000002542 label "allow access to DHCP server"
        pass out quick on $LAN proto udp from 192.168.9.253 port = 67 to any port = 68 ridentifier 1000002543 label "allow access to DHCP server"
        antispoof for $WLAN ridentifier 1000003570
        # allow access to DHCP server on WLAN
        pass in quick on $WLAN proto udp from any port = 68 to 255.255.255.255 port = 67 ridentifier 1000003591 label "allow access to DHCP server"
        pass in quick on $WLAN proto udp from any port = 68 to 192.168.2.253 port = 67 ridentifier 1000003592 label "allow access to DHCP server"
        pass out quick on $WLAN proto udp from 192.168.2.253 port = 67 to any port = 68 ridentifier 1000003593 label "allow access to DHCP server"
        antispoof for $TEST ridentifier 1000004620
        antispoof for $NS1VPN ridentifier 1000005670
        antispoof for $W_PSK ridentifier 1000006720
        # allow access to DHCP server on W_PSK
        pass in quick on $W_PSK proto udp from any port = 68 to 255.255.255.255 port = 67 ridentifier 1000006741 label "allow access to DHCP server"
        pass in quick on $W_PSK proto udp from any port = 68 to 192.168.4.253 port = 67 ridentifier 1000006742 label "allow access to DHCP server"
        pass out quick on $W_PSK proto udp from 192.168.4.253 port = 67 to any port = 68 ridentifier 1000006743 label "allow access to DHCP server"
        antispoof for $W_GUEST ridentifier 1000007770
        # allow access to DHCP server on W_GUEST
        pass in quick on $W_GUEST proto udp from any port = 68 to 255.255.255.255 port = 67 ridentifier 1000007791 label "allow access to DHCP server"
        pass in quick on $W_GUEST proto udp from any port = 68 to 192.168.6.253 port = 67 ridentifier 1000007792 label "allow access to DHCP server"
        pass out quick on $W_GUEST proto udp from 192.168.6.253 port = 67 to any port = 68 ridentifier 1000007793 label "allow access to DHCP server"
        antispoof for $W_ROKU ridentifier 1000008820
  • More efficient way to block other VLANs?

    0 Votes
    19 Posts
    1k Views
    J
    @bob-dig said in More efficient way to block other VLANs?: But even now your guest probably can't run a speedtest like Ookla. I think this is unacceptable.
    Honestly, not really sure I would want a guest that would need to run a speedtest on my internet... get your own damn internet for that!!
  • 0 Votes
    2 Posts
    2k Views
    JonathanLee
    @ambrish did you make a proxy certificate from squid and import it into the firewall? https://forum.netgate.com/topic/174070/squid-config-help-certificate-needed-issued-from-squid-proxy
  • How to improve firewall throughput of virtualized pfSense

    0 Votes
    4 Posts
    506 Views
    G
    ok, seems like a lot is going on here. After the setbacks of the last post I went ahead and disabled packages that I was not suspecting of having a great impact on performance, like BandwidthHD and Darkstat. And that seemed to improve things somewhat. Now, even hours after a reboot I get up to 900 mbits/s, so almost gigabit. Though, when running iperf, the numbers are all over the place, as you can see here:
        [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
        [  5]   0.00-1.00   sec  76.1 MBytes   638 Mbits/sec  858    660 KBytes
        [  5]   1.00-2.00   sec  86.2 MBytes   723 Mbits/sec    0    754 KBytes
        [  5]   2.00-3.00   sec  97.5 MBytes   818 Mbits/sec   35    625 KBytes
        [  5]   3.00-4.00   sec  95.0 MBytes   797 Mbits/sec    0    732 KBytes
        [  5]   4.00-5.00   sec  90.0 MBytes   755 Mbits/sec   14    611 KBytes
        [  5]   5.00-6.00   sec  87.5 MBytes   734 Mbits/sec    0    714 KBytes
        [  5]   6.00-7.00   sec  71.2 MBytes   598 Mbits/sec    6    570 KBytes
        [  5]   7.00-8.00   sec  93.8 MBytes   786 Mbits/sec    0    684 KBytes
        [  5]   8.00-9.00   sec   108 MBytes   902 Mbits/sec    0    796 KBytes
        [  5]   9.00-10.00  sec   109 MBytes   912 Mbits/sec    0    894 KBytes
        [  5]  10.00-11.00  sec  96.2 MBytes   807 Mbits/sec  156    694 KBytes
        [  5]  11.00-12.00  sec  77.5 MBytes   650 Mbits/sec    1    576 KBytes
        [  5]  12.00-13.00  sec   108 MBytes   902 Mbits/sec    0    704 KBytes
        [  5]  13.00-14.00  sec   104 MBytes   870 Mbits/sec    0    809 KBytes
        [  5]  14.00-15.00  sec   106 MBytes   891 Mbits/sec   55    679 KBytes
        [  5]  15.00-16.00  sec   104 MBytes   870 Mbits/sec    8    576 KBytes
        [  5]  16.00-17.00  sec  98.8 MBytes   828 Mbits/sec    0    697 KBytes
        [  5]  17.00-18.00  sec   108 MBytes   902 Mbits/sec    0    806 KBytes
        [  5]  18.00-19.00  sec  92.5 MBytes   776 Mbits/sec   46    660 KBytes
        [  5]  19.00-20.00  sec  95.0 MBytes   797 Mbits/sec    0    766 KBytes
    When I disable openvpn I get slightly better results, as well as when I disable pfBlocker, but for me they are worth the impact, for now. Still, I am convinced that if I get to make Hardware LRO work my throughput would improve. Any input on how to make that work is highly appreciated.
  • Created a bridge between LAN ports, but they can't see each other

    0 Votes
    2 Posts
    344 Views
    S
    Found the solution here (Protectli's website). The part I was missing after creating the bridge 'Switch' was the following. It's not enough to create a DHCP server and a firewall rule:
    Navigate to System > Advanced > System Tunables
    Select net.link.bridge.pfil_member and change its value to 0. Click Save
    Select net.link.bridge.pfil_bridge and change its value to 1. Click Save
  • 0 Votes
    1 Posts
    202 Views
    No one has replied
  • Unable to open port 8883 for MyQ garage opener

    0 Votes
    32 Posts
    6k Views
    Derelict
    And always pass both TCP and UDP for DNS (like that) or you can get spurious, almost-impossible-to-diagnose failures when DNS switches to TCP to avoid fragmenting long responses, zone transfers, etc. Look at your unbound. It's listening on tcp/*.53 for a reason. This article looks like it covers the basics pretty well.
    ETA: This also illustrates why you should use Reject instead of Block rules for connections from inside hosts. If you did limit outbound DNS connections to UDP-only and a client tried to make a TCP connection to a blocked server you would want it to receive an immediate RST (Connection refused) instead of sitting there waiting to time out again and again and again.
  • Strange messages in the firewall log. Why? How to suppress?

    0 Votes
    12 Posts
    703 Views
    C
    @the-other said in Strange messages in the firewall log. Why? How to suppress?: @chrisjenk That's interesting for it seems to be quite related to the "solution" mentioned in my link above... there a change from NAT+Proxy to pure NAT solved the issue
    Yes indeed. Thanks for that pointer since it helped me figure out what was causing the issue (but not why it is causing it). It seems like NAT+Proxy is best avoided unless you simply have to use it.
  • Firewall auto blocking IPv4 link local traffic on LAN?

    0 Votes
    7 Posts
    1k Views
    johnpoz
    @chrisjenk said in Firewall auto blocking IPv4 link local traffic on LAN?: so it isn't inconceivable that something somewhere uses it
    Multicast - sure possible, but that is not what igmp snooping is ;) IGMP snooping is not sending multicast to everyone, only the devices that have joined that multicast group. This is normally needed in high bandwidth multicast stuff - say you had a multicast TV stream going - would you want that stream going to every single port, every device on your network - this is what multicast is.. Or would you like your switch to say hey only send that to the TV device that joined that multicast stream. Multicast discovery of other devices, IGMP is not something needed in that sort of setup.
  • Log shows outgoing traffic from 'localhost'?

    0 Votes
    4 Posts
    781 Views
    Gertjan
    @chrisjenk said in Log shows outgoing traffic from 'localhost'?: block out log inet all ridentifier 1000000102 label "Default deny rule IPv4"
    It shows more than that. Look at the 3 lines above:
        #---------------------------------------------------------------------------
        # default deny rules
        #---------------------------------------------------------------------------
    Go to Status > System Logs > Settings and remove the check from: [image]
  • FCM ports

    0 Votes
    3 Posts
    589 Views
    johnpoz
    @trumee said in FCM ports: My android phone some times doesn't respond to google notifications
    The important part here is "some times". If the firewall was blocking something - it would always be blocked.. Firewall would be pretty worthless if sometimes it allowed X, but other times blocked X..
    implement a 30 minute or larger timeout for our connections over ports 5228-5230. How do I set this in pfsense?
    you can see the defaults or adjust the timeouts under advanced firewall&nat. But timeout for an established tcp connection is 1 day.. Unless you have edited it from default, or set it specific in a rule? If you were seeing session timeouts - by default they would be logged in the firewall by the default deny, and you would see them with A (ack) as the flag. This is an out of state block, if pfsense does not have a state for traffic then yes it would be blocked - ie if the state had timed out.
  • filter reload allows persistent TCP traffic to be established

    0 Votes
    1 Posts
    165 Views
    No one has replied
  • Firewall Rules - Interface

    0 Votes
    38 Posts
    5k Views
    Bob.Dig
    @michaelcropper You're right, there is much space for improvement but also pfSense is a firewall appliance for businesses, not a home-router.
  • Limiter Schedules vs Rules Schedules

    0 Votes
    4 Posts
    583 Views
    S
    @midihead7 said in Limiter Schedules vs Rules Schedules: originally having the rule set below another rule that was overriding it
    Yeah, the order of rules matters. In that case it wouldn't ever get to the second rule. I am not sure how turning off the rule, and killing/"Do not kill connections when schedule expires," will interact with having two rules each with their own rule schedule. You may need to experiment a bit.
  • 2 Votes
    8 Posts
    2k Views
    V
    Had this problem today, a reboot fixed it, and it was the first time, but I'm afraid it may return again. When this happened the internet connection got broken, so it is a serious service interruption. No pfblockerng installed. Have only the OpenVPN client export plugin, nut and watchdog plugins installed. Version 22.05
  • Redirect Hardcoded DNS devices

    0 Votes
    16 Posts
    2k Views
    johnpoz
    @steveits really? That blows.. Have you thought of cutting the sat connection? I have been with DirecTV for years and years and years. And I am so ready to get rid of it - but wife is hard to convince - she knows how to use it, and she loves being able to record 8 different things at the same time.. And this is the last year for Sunday Ticket on DirecTV, so next year -- I might be able to just get rid of it? Fingers crossed..
  • "Default deny rule IPv4 (1000000103)"

    0 Votes
    4 Posts
    611 Views
    W
    @rcoleman-netgate I think I figured it out.. I was missing the NAT/Port Forward rule!
  • Can not install Ubuntu packages and updates

    0 Votes
    3 Posts
    516 Views
    LPD7
    @rcoleman-netgate said in Can not install Ubuntu packages and updates: @lpd7 Can you ping things? Can you resolve yahoo.com? What's in the firewall logs directly associated with the IP address of your Ubuntu machine?
    From the VM I can ping yahoo.com, google.com etc. I am unable to get to the file locations where the packages reside like http://us.archive.ubuntu.com/ubuntu unless I disable both. I am sure only one is the issue but haven't tested out which yet. My question is twofold: first, how do I track the issue back to the source (I use the reports) and second, how do I resolve it; adding sites to the whitelist doesn't seem to help. I am jumping back and forth between projects so it has taken me a while to reply. Thanks for your input.
  • Pass a Mac address through the firewall?

    0 Votes
    5 Posts
    1k Views
    JKnott
    @andreas-1 said in Pass a Mac address through the firewall?: Is it possible to let a specific Mac address pass through the firewall?
    No. MAC addresses are valid only on the local LAN and are never passed through a router. In fact, the entire Ethernet frame is discarded when received by the router and the IP packet is encapsulated in a new frame, with a new MAC, on the other side of the router.
  • pfSense blocks origin server for Cloudflare proxy?!

    0 Votes
    1 Posts
    305 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.