You don't want to be routing local traffic through a transparent firewall. Replace the Mikrotik with Pfsense. You will end up with a better firewall.

@keyser
That might be a good idea to test next time my friend is abroad.
Thank you for this tip!

@viragomann I've been using the failover gateways for about 2 years. Monitoring has been setup and working for a long time.

Seems no matter what I do though, the rules do not care what gateway I define. It just uses the group regardless and fails over to the cellular ISP.

Not sure where to go from here.. I tried this on a completely fresh instance of pfsense in a test environment too and it does the same, so I'm sure it's me doing something wrong.

It should be as easy as make a pass rule on LAN with IP as the source, any as the destination, any protocol and set the gateway under advanced settings to either the WAN you want to use or the gateway group you want to use. Put it at the top of the list, save/apply and reset the firewall. Is this not correct?

@johnpoz thank you again for the OpenWRT recommendation. It is amazing, I have it running on an Archer C7. Never going back to the stock firmware it is amazing. I am perplexed at how they got that to run on such a small set of code. Just wow!! (I still love my pfSense never leaving it) but I got to tell you OpenWRT can hold its own with the 7000+ packages even my favorite Squid is on it.

@radiostyrd said in pfSense blocking icmp from my gateway ip every 30 seconds.:

Is this normal?

Depends on you.
It's like having your front door right in front of the play-ground of a school. Don't be surprised that your doorbell will 'ring' every minute or so.
Or, at home, you shut down the power to the doorbell push button, and problem solved.

With pfSense, you tell the default, hidden final "block all" firewall rule to shut up :

ec607004-0090-4353-a2fa-b30c8ed92764-image.png

Internet is full (loaded) with traffic trying out any kind of host, to 'see' if some 'port' is open .... and that that's fine, that's how things are these days. Just let them hit the fire wall. That why you have the firewall in the first place.

@radiostyrd said in pfSense blocking icmp from my gateway ip every 30 seconds.:

the firewall logs that pfSense blocks ICMP (ping?) from my gateway ip every 30 seconds.

In this case, take some extra 2 minutes, and see who is sending the traffic.
Where it comes from.
Internet traffic is like an postal envelop using by you when you sue the original snail mail services : on the outside, there is the destination address, and the sender address. (that is, it used to be like this in the past, these days that's less done for whatever reason)
If the sender is, for example, your ISP, there might be a reason that they are doing this.
Like : (just joking) : as your equipment doesn't' reply to the ping, the ISP considers your equipment down and they stop your connection ^^
If the ping comes from your neighbor : go ask him ?!

Thank you to everyone who contributed to this thread. You helped me get my VLAN working and appropriately secured and isolated.

OK.This is strange.

I can sucessfully use the "Import" button (which takes me to the "Bulk Import" page) on the main "Aliases" page to then create the alias with a range of IPs (using the "Aliases to Import" box on the subsequent page) how I want them.

If I attempt to import an exported alias XML from another box where I've created the alias how I attempted to do so to begin with, it doesn't quite work correctly.

1.png

If I then attempt to edit what I have there....

2.png

Any attempts to populate one or more of the address boxes (left column) there then save it, I get a similar looking "is not a valid host address" error as before. There's a very slight difference this time though. If i populate all three of those "testX" rows that you see in that screenshot, then try to save it... the error shows like this

3.png

So, there's for sure something jacked up with the parsing of the data once it gets into the box.
This rules out the "is my data getting munged before it even gets to the box" question.

@Bob-Dig

That's what it was, thank you.

@willyd said in pfBlockerNG "broke" the firewall . . .:

Is there such a think as "closing" a topic on this forum?

No. You may be able to edit the title.

@Silentknight plex is a simple port forward.. I sure wouldn't enable UPnP.

@JonathanLee

The concept of "port 0" was probably be introduced to make people aware of the fact that a protocol like ICMP doesn't use a "ports".
Dono why "0" was chosen.
N/A is probably also a good choice.
Or a "syntax error".

Remember : Gybson had to make pure rocket science (back then) clear to the public.

It is the modem I disconnected everything and ran the test again same ports same issue. That is ISP stuff not my concern my stuff is protected. I got the 2100 it has the stp ports, again consolidated wants that modem, I am just gonna leave it how they have it.

@SteveITS ^ exactly, I do this for services I share to the internet.. Works great.

No responses? Are my rules really that bad? 😜

@CharlesT there is no difference..

@CharlesT said in Help needed with network design (Client isolation on same subnet):

I’ve been trying to isolate a single device from communicating with other devices on my network while still reaching the internet.

Some switches can be configured to do what you want.

@johnpoz

Quick question, slightly off topic.

I set up a OpnVPN client last night, which works fine, eventually! However, with regard to how I have now got the DNS resolver set up, is there anything I should do regarding DNS i.e. use the VPN suppliers DNS or leave as is ie. Down to Pfsense?

Also, was looking to add multiple OpnVPN clients into Pfsense for different countries, which will be useful for the upcoming football season, currently I use a vpn app on the firestick to change countries as need be. Whilst I believe multiple VPN clients is relatively easy, is there an easy way to switch between them at will?

Thanks
Steve

@Gummi again broadcast traffic isn't going to pass your router.. Your not going to get name resolution via that across subnets.

What rules you put on pfsense isn't going to matter.