  • Searching for the fastest way to isolate each VLANs using pfSense firewall rules

    0 Votes
    12 Posts
    1k Views
    johnpoz
    @nogbadthebad said in Searching for the fastest way to isolate each VLANs using pfSense firewall rules: "may make it a bit harder for you in the long run"
    I concur with this sentiment. Vs. looking for some shortcut on how few rules you can create to allow or block whatever, you would be better off putting very explicit rules on each interface tab. If you're looking for a simple way to block access to other VLANs, assuming all your VLANs are RFC1918, just create an alias that has all RFC1918 space, and use that alias on a rule on each interface to block access to your other VLANs.
  • List port opened to wan

    0 Votes
    5 Posts
    340 Views
    Thank you for your help and sorry for my second message. I had enabled all the ports necessary for the camera but not those of the application necessary to view the images from the camera.
  • pfSense blocking traffic between VLANs when it shouldn't

    0 Votes
    7 Posts
    1k Views
    @bob-dig I did, the stream works for 33-35 seconds and then cuts out. Same thing with SSH, works for around 34 seconds and then just freezes. Edit: Well, this seems to only happen with this specific device. I am going to install a second Linux machine and test with that.
  • Honeywell HVAC Gateway SPI Compatibility Help

    0 Votes
    11 Posts
    1k Views
    @jpvonhemel You're welcome! LVT is a low-voltage technician. I spent most of the 2010s doing burglar, video surveillance, and wireless internet (MESH and AP) installations and support. The current hardware is vastly better than what we had even five years ago when I left the field but manufacturers still don't have a clue usually about TCP vs. UDP.
  • [solved, I am dumb] Is there a bug with networks alias usage & FW rules?

    0 Votes
    11 Posts
    795 Views
    johnpoz
    @lightingman117 said in [solved, I am dumb] Is there a bug with networks alias usage & FW rules?: "You're referring to my reject any any rule?"
    No, there is nothing wrong with a reject on a local interface. I use them myself; this can cut down on a retrans, and gives faster notification that it's not going to work in a browser or app, etc. If you're looking at your rules page, I don't think it updates the states column at any specific time; you need to actually reload the page, I believe. But yeah, if you're seeing 0/0 in the rules page, and you're not seeing any hits there, then that rule for whatever reason is not being evaluated. If the rule was used to create a state you would see that in the X/Y, where X is how many active states, and Y is how much traffic. 0/0 means it has not been evaluated. If you refresh the page and are still seeing 0/0 and your traffic is working, something else let it pass, be it an existing state, a rule on floating maybe, or your rule order where for some reason that rule didn't trigger, be it source or destination IP/port or protocol on the rule (tcp/udp/icmp etc.).
  • pfBlockerNG somehow blocking IOT devices

    0 Votes
    10 Posts
    2k Views
    So I got this back from Vocolinc and hopefully it helps others.
    My question: Are they using TCP or UDP?
    Support: Both. mDNS service discovery using UDP. And then iPhone establishes a TCP connection with the accessory.
    Support: Launch terminal and try the following command to make sure your accessories are listed at least once: dns-sd -B _hap._tcp
    So upon realizing that mDNS needed to be configured, I installed Avahi as a service and allowed the interfaces to interact through Avahi. I'm not sure if it helped, but I added "_hap._tcp" to the "service" under "Reflection Filtering" when I set up Avahi. A short time later, the IoT devices started working again. Problem solved...hopefully permanently.
  • MaxMind GeoIp DB retired

    0 Votes
    6 Posts
    897 Views
    bmeeks
    Should be no impact to Suricata users. I switched the package over a long time ago to use the GeoLite2-Country database (same as pfBlockerNG, I believe). It said the old database would be retired in May of 2022. It is now July of 2022 and the database download/update is working fine in one of my newly minted test virtual machines running Suricata.
  • Scheduled firewall rule does not drop existing Valorant connection

    0 Votes
    10 Posts
    884 Views
    @steveits no, it is unchecked.
  • setup rule from linux to webserver

    0 Votes
    4 Posts
    539 Views
    johnpoz
    @crawford source would be the IP of the client, port would be any. You really have no idea what source port a client would use, other than something random above 1023. This webserver is on a different network than LAN? Then yeah, destination would be its IP and port 22, which is the default SSH port.
  • Cannot access own public IP in 1:1 NAT

    0 Votes
    5 Posts
    585 Views
    @steveits thanks for the reply :) Split DNS won't help in this case since the service is using IPv4 only. But the fix above seems to work :)
  • strange icmp behaviour

    0 Votes
    2 Posts
    437 Views
    johnpoz
    @chuchi2k2 well, since ICMP is a stateless protocol, but with a stateful firewall you still want to keep track, so it creates states. I would guess that once you create the pseudo state when you ping from pc1 to pc2, that state is allowing the traffic from pc2 to pc1. Here, pinging from my LAN to my DMZ (192.168.3), you can see states on both the LAN and DMZ interface being created to track this traffic.
    [image: 1657551361767-state.jpg]
    Edit: I just tried duplicating your test, started a ping from 3.32 to 9.100, fails; left it running and started a ping from 9.100 to 3.32, which works, but the other ping was still failing.
  • Help with whitelisting Ring Central domains and IPs

    0 Votes
    1 Posts
    161 Views
    No one has replied
  • Wifi denied access

    Moved
    0 Votes
    2 Posts
    308 Views
    @josued1010 We're going to need more information here... How's your WiFi connected to your pf? what rules are you using on the interface? More information here is better than ... well, none.
  • pfsense local hosts monitoring

    0 Votes
    1 Posts
    357 Views
    No one has replied
  • Connection appears to be in wrong direction

    0 Votes
    8 Posts
    864 Views
    @curl Resolved (I think). I used tcpdump and wireshark to show conversations while a schedule was active,
    $ wireshark -k -i <(ssh root@192.168.10.1 tcpdump -i re2 -U -w - )
    and used pfSense Diagnostics/States to view states after the schedule had timed out. A conversation on LAN2 (192.168.10.0/24) during active schedule,
    [image: 1657043540663-wireshark_wrong-direction_2_smudge.png]
    and Diagnostics/States after schedule had timed out,
    [image: 1657043637941-pfsense-states-wrong-direction_3a_smudge.png]
    [image: 1657043648278-pfsense-states-wrong-direction_3b_smudge.png]
    My explanation is as follows (please correct me if I am wrong). The conversation in the wireshark view was created by the pass rule with a schedule. When that schedule timed out, pfSense killed one direction of the connection, the state originating on LAN2. The state inbound on WAN was not killed. Rule 59 (above) allowed packets from that external IP address to pass in to LAN2 and pfSense created a new state (2nd state in diagnostics view).
    My hack: At System/Advanced/Firewall & NAT I have set 'State Timeouts / TCP Established' shorter than the period for which the schedule is inactive. That should force pfSense to kill both states of a connection before the schedule is activated again.
  • There were error(s) loading the rules

    0 Votes
    2 Posts
    249 Views
    Never mind, I see in Bugzilla it's reported and fixed in 2.7.0. So I hope 2.7.0 comes out soon.
  • pfSense enabled firewall limits speed

    0 Votes
    3 Posts
    471 Views
    @johnpoz [image: 1656938533650-5d85a752-0011-45cd-a961-1eafde07b698-image.png] Here is the screenshot. With the firewall disabled I can get more than 15Gbit/s, and I have two Intel(R) Xeon(R) CPU E5-2650L v2 @ 1.70GHz. I want to use the firewall only for GeoIP blocking (pfBlocker).
  • OpenVPN clients losing Internet access

    0 Votes
    6 Posts
    595 Views
    @dansci Ensure that the OpenVPN tunnel network is added to the Resolvers ACL or add it manually if it isn't.
  • Best Practice for Firewall Rules?

    0 Votes
    3 Posts
    523 Views
    @michaelcropper Rules are evaluated when traffic arrives on an interface. Floating rules are more complicated but can handle other types. https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.