• I can ping between two hosts from different VLANs

    0 Votes
    16 Posts
    1k Views
    @johnpoz @bmeeks @Bob-Dig Thank you for your support. Correctly setting a rule in Windows Firewall on 10.6 that allows traffic from 50.4 helped.
  • Firewall vs NAT - processing order -

    0 Votes
    5 Posts
    574 Views
    @johnpoz I've wiped all the states although I didn't see the offender in there. The offending address has been blocked for some time, which is why I was surprised to see it pop up on an SNMP alert.
  • Are the ports open by default?

    0 Votes
    2 Posts
    411 Views
    @rob76 By default nothing is open on WAN, i.e. no incoming access from WAN is permitted. To allow incoming traffic, you have to add firewall rules to the WAN interface, where you are able to state the protocol, source IP and ports as well as destination IP and port. So you can allow incoming access in a very granular way. From the LAN side any outgoing traffic is allowed by default. To get information for setting up, go to the Help menu and download the pfSense book.
  • Default deny rule IPv6 (1000000105) despite firewall rule

    0 Votes
    22 Posts
    3k Views
    @bob-dig said in Default deny rule IPv6 (1000000105) despite firewall rule: So going back to the beginning, why is the IPv6 address missing in an alias created from an FQDN containing the IPv6 address... Because when myhost prepends the FQDN mydomain.com, the pfSense DNS forwarder uses the DHCPv4 static mappings. And I am not sure that is incorrect for my use case, but it sure messes with the use of aliases and DDNS until you work around it.
  • Default deny rule ipV4 for License server traffic

    0 Votes
    2 Posts
    396 Views
    @s0p4l1n www.sidefx.com is 206.223.178.168. Your log shows private IPs for the destination? What is the "Houdini" alias set to? Basically the rule matches if the source, source port, dest, and dest port match. So one of those doesn't match. Note the source port is typically random. Per that troubleshooting page, there may be stray packets blocked. "This is likely due to a TCP FIN packet arriving after firewall has removed the connection state. This happens because on occasion a packet will be lost, and the retransmits will be blocked because the firewall has already closed the connection. Another possible reason for the messages is if a packet arrived too slowly and was outside of its expected arrival window. It can also happen when web servers attempt to reuse connections. In each case, the log entries are harmless and do not indicate a blocked connection. All stateful firewalls do this, though some do not generate log messages for this blocked traffic even if all blocked traffic is logged." For that scenario, we uncheck the log setting "Log packets matched from the default block rules in the ruleset" which saves a lot of time and eliminates log noise.
  • Isolate Each device on network

    0 Votes
    4 Posts
    564 Views
    johnpoz
    @gpinzone again you can for sure put devices on their own VLAN. My point is pfSense has zero control over devices on the same network talking to each other. If you put them on different VLANs - then yes, pfSense controls the traffic between those VLANs. How do you think a "guest" network works on a SOHO router - it's a different VLAN.. if his goal is stopping devices from sniffing traffic on their own VLAN - pfSense has no control over that. That would be done on your switching and/or wireless infrastructure with L2 isolation. But again - sniffing on a switch does not show you all traffic anyway. It would just be multicast or broadcast traffic, or traffic to and from the device doing the sniffing. You wouldn't see unicast traffic from A to B if you're on device C. Unless something has been done on the switch to send traffic from other ports to C's MAC, or out the port it's connected to. This would require config of the switch for a SPAN or mirrored port, or something has gone wrong with the switch via an error or an exploit.
  • Can't seem to block port 179 - BGP

    0 Votes
    5 Posts
    1k Views
    @johnpoz @Gertjan @heper Many thanks for your replies. My new ISP is using CGNAT with his device having those open/closed, and I happen to be behind one of those shared IPs. I did the sniffer test, and all incoming traffic on those ports for me was blocked. A bit annoying, as I formatted the pfSense installation that I had and set up everything again when I doubted my initial installation, then I sought help here. Indeed the principle of a firewall is to block all traffic unless specifically permitted. :) Cheers,
  • Firewall always block the FA/A from L2TP

    faa blocked
    0 Votes
    2 Posts
    492 Views
    Hello, have you solved it maybe? I'm having the exact same issue you had.
  • DNS not resolving in vlan?

    0 Votes
    2 Posts
    402 Views
    johnpoz
    @nick-loenders do a simple actual query from a device in the 208 VLAN. What specifically is the client set to use for DNS? But do an nslookup, dig, host for the query for your override. Unless you set up specific views in unbound - you would know if you did such a thing, it's more involved than a simple GUI click. If the client can talk to your unbound, then it would be able to resolve any host override you have set.
  • VPN to Home Network, Access Single Server

    0 Votes
    2 Posts
    301 Views
    OOOH, while we're at it, one other little thing. How can I configure this so that the VPN will work when I'm on the local network? I.e., is there a config that will allow me to just leave it on and connected 24/7 as I come and go off the home network? THANKS!
  • Bridge and DNS filtering with pfBlockerNG-devel (DNSBL)

    0 Votes
    2 Posts
    520 Views
    @ocerna Hi, the post is old but I have the exact same problem; it works fine until I use a bridge on my 3 interfaces. Did you find any solution for this? Thanks for your help.
  • Only IPV6 for WAN

    0 Votes
    4 Posts
    620 Views
    Bob.Dig
    @darkcorner said in Only IPV6 for WAN: A new ISP offers me only a static IP of IPv6 type and no IPv4, not even dynamic. Hard to believe. Which ISP and where? It is probably CG-NAT or DS-Lite, which doesn't make your statement wrong, but it is an important detail you cannot leave out.
  • Bridge in pfsense

    0 Votes
    1 Post
    260 Views
    No one has replied
  • Time dependent issue in floating rules

    0 Votes
    2 Posts
    476 Views
    @enesas I guess no one knows how to fix this :(
  • Why a LAN is blocking within the same LAN?

    0 Votes
    5 Posts
    692 Views
    @gertjan Thanks for the reply. I will troubleshoot more and reply back if I find anything.
  • Captive portal on a VLAN, what am I missing?

    0 Votes
    1 Post
    190 Views
    No one has replied
  • Can't access my Network from an external IP

    0 Votes
    6 Posts
    969 Views
    I would be nervous about exposing the QNAP. There's a new DeadBolt ransomware strain just announced. The previous strain encrypted everything on the NAS and required a Bitcoin payment for the decryption key, and I expect the current one is the same. https://www.qnap.com/en/security-advisory/qsa-22-19 https://blog.malwarebytes.com/ransomware/2022/01/qnap-update-stops-deadbolt-ransomware-annoys-some-users-starts-debate/
  • Pfsense Firewall Rule isn't working

    0 Votes
    5 Posts
    772 Views
    @kom Thanks for the help. I put my Chromecast on a different VLAN and blocked the access.
  • What CIDR block and firewall rules for WAN Security needed?

    0 Votes
    15 Posts
    1k Views
    burlinwa
    @jarhead I have automatic backups on and will do a manual backup each time I log in to pfSense before changes. A valuable reminder. Thank you.
  • TV youtube blocked https handshake failed

    0 Votes
    6 Posts
    1k Views
    @soulc420 If pfBlocker DNSBL is on, the block page is on the router and the cert doesn't match. Check the dnsbl.log file to see the hostnames being blocked.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.