  • Cannot gain remote access to WebUI

    26
    0 Votes
    26 Posts
    2k Views
    GertjanG
    @orangehand You have to use the most important interface: the console access. Or SSH access. But keep in mind that SSH isn't available when you install pfSense on a device, as interfaces aren't assigned (known) yet. See the pfSense documentation. These two accesses are not some optional thing. Without them, you're "doomed". The console access or SSH permits you to enter commands. Like sockstat -l | grep '8082
  • Aliases Port TCP UDP subdivision

    4
    0 Votes
    4 Posts
    695 Views
    V
    @chris420 In any setting in pfSense where you can use the aliases, you can state the protocol. So why would you state it in the alias?
  • Lost Communication with VLANs

    1
    0 Votes
    1 Posts
    184 Views
    No one has replied
  • Limiting connections per external IP address

    5
    0 Votes
    5 Posts
    649 Views
    ccgllcC
    @akuma1x Yeah... just dug around in nyx and found that. Something definitely amiss - I see 20K incoming connections but only 3.3K outbound. As a non-exit middle node, they should match - or so I think. Checking in with the TOR community to confirm that.
  • Bad configuration, uneducated user or a compromised firewall?

    6
    0 Votes
    6 Posts
    708 Views
    D
    Thank you @viragomann, I did not know that! For the benefit of future readers who may not have the time to read the Wikipedia article. It looks like the QUIC protocol (which runs on top of UDP), might some day replace the TCP protocol. If you're configuring a firewall, you want to allow outgoing TCP and UDP traffic to 443.
  • Only allow inbound traffic from my own country

    12
    0 Votes
    12 Posts
    1k Views
    N
    Thanks for all of you :) It works, just re-Install it and configure GeoIP. No DNS Rules needed. Cheers, Nizo
  • It's not possible to ping host between

    4
    0 Votes
    4 Posts
    576 Views
    M
    Based on a recent similar issue, I'd also recommend taking a look at the inbound firewall rules on the NAS. I had a similar problem recently where ping wasn't working and the summary was that it was caused by the destination machine blocking inbound ICMP traffic (the protocol that ping uses under the hood). https://www.contradodigital.com/2022/07/25/how-to-troubleshoot-ping-icmp-not-working/
  • pfSense not propagating "system aliases" (lanX net/ lanX address)

    41
    0 Votes
    41 Posts
    7k Views
    T
    @johnpoz to be honest client registering its IP should be on the client to do that. Yes, but for this the client must be informed by pfSense under which IP the DNS can be reached. I do not need it necessarily. It would be just nice. @steveits There is a BIND package for pfSense. I have never used it. Yes the package exists. It does not offer the possibility to import an existing configuration. @stephenw10 Yeah, there are a lot of things still missing from IPv6 for dynamic connections unfortunately. Yes there are some things. pfSense is still a damn good piece of software (I don't know Netgate's hardware!). I thank everyone and especially @stephenw10 for the support. I think at this point we can leave the discussion. Because of Bind I might make new thread
  • TCP:SA Block and Default Deny Rule 1000000103

    13
    0 Votes
    13 Posts
    2k Views
    johnpozJ
    @pomegranatesculpordwarffargo said in TCP:SA Block and Default Deny Rule 1000000103: 10.0.101.20:51007 -> 10.0.100.30:443 ESTABLISHED:ESTABLISHED So you see it sending to pfsense to 10.0.30.443 for, which is your nas - but not for the vm on the same IP on port 8080?
  • Floating rules for policy based rules

    1
    0 Votes
    1 Posts
    197 Views
    No one has replied
  • Cannot access AP web ui

    29
    0 Votes
    29 Posts
    4k Views
    N
    @johnpoz Hi, I finally got hold of another laptop, plugged it in and it worked as it should. No problems, as you suspected the problem was with the other laptop. The weird thing is that when I plugged in the original laptop it also works fine now. No sign that there was ever a problem. I'm mystified, all the same cables. Just 4 days of inexplicable headache. I've rebooted and wiggled cables and can't replicate the problem, so unless it returns I have to guess that the problem, whatever it was, is gone. So I say thanks to everybody that spent the time to give advice.
  • Switches are not reachable within the same subnet??!

    4
    0 Votes
    4 Posts
    523 Views
    johnpozJ
    @burnerman unifi can do L3 adoption to manage stuff, and they did the ability to do a tagged management vlan as well. Not sure on the omada stuff - but from what I read and see, it's like they just copied all of unifi code ;) I run my controller on a vm on my nas.. The VM just sits on the management network where my APs are, this is an untagged network to the AP.. And that vlan actually comes in tagged to my NAS, and the VM just sees it as untagged..
  • Is this a natural outbound request for OpenVPN connection?

    14
    0 Votes
    14 Posts
    1k Views
    PippinP
    Just to add info about ports: https://youtu.be/g2fT-g9PX9o?t=300
  • Is it possible to change an alias dynamically?

    46
    1 Votes
    46 Posts
    8k Views
    T
    The only thing with system alias works here is my WAN Interface. I can create rule with "WAN Net" or "WAN Address" and this works, but no other interfaces.
  • IPSEC VPN and windows server 2019

    ipsec vpn mobil windows server configuration
    4
    0 Votes
    4 Posts
    1k Views
    V
    @rub75f So you set up an IPSec server on pfSense with intention to connect to internal devices. No, there should be no more to do. However, it seems your mobile device cannot connect. So do you have a public IP on pfSense WAN? Or is there a router in front of it? If so how did you set up NAT on the router? Do you have a static public IP or a dynamic? On pfSense WAN you will have a firewall rule allowing the IPSec packets. So check if any packet hit the rule.
  • Traffic passing between WANs when blocked

    5
    0 Votes
    5 Posts
    425 Views
    M
    Floating rule worked perfectly on quick. Thank you!
  • Losing IPCamLive Stream

    Moved
    7
    0 Votes
    7 Posts
    627 Views
    bmeeksB
    @overcon said in Losing IPCamLive Stream: I didn't do that, THANK YOU! I didn't even know you had to apply the pass list like that, so thank you so much. I just applied it, let's see if it makes a difference, I think it will. Thanks again! The GUI is simply used to create the required text-based configuration files used by the Suricata binary. All of the actual traffic inspection, alerting, and blocking happens in the binary. The binary only reads its configuration files upon startup. So that means most configuration changes are not seen by the binary until it is restarted. Also, in the case of custom pass lists, they must be explicitly assigned to the desired interface before they actually function. You can create an unlimited selection of pass lists, but you can only assign one at a time to an interface.
  • SQL rules

    3
    0 Votes
    3 Posts
    492 Views
    P
    @viragomann perfect...!!!!!!!! problem solved THX
  • How to export pfSense firewall rules to a .CSV file or other

    5
    0 Votes
    5 Posts
    6k Views
    M
    @rcoleman-netgate thank you
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.