• Unknown unaccounted est. cnx from firewall to GoogleAddress:4070

    0 Votes
    1 Posts
    418 Views
    No one has replied
  • ipv6 firewall rules help

    0 Votes
    5 Posts
    940 Views
    @bob-dig I'm giving it another try with aliases and it seems to be working. Shouldn't have jumped to conclusions it seems. I'll monitor it for a bit and see how it goes. Appreciate the help.
  • Pfsense: M

    0 Votes
    7 Posts
    1k Views
    @steveits Thanks for your help, that worked. After restarting pfSense it started working. Thanks again.
  • 0 Votes
    6 Posts
    2k Views
    @danievr said in Current pfSense (through to at least 21.05.2), SIP phone behind firewall, incoming call audio cuts out after 25-30 minutes, how to fix?: @tea Have you fixed it? Things you could try: NAT keepalive of 15 seconds; Register Expires 30 secs; If supported, use TCP instead of UDP; If your calls are proxied through your provider's servers, they might terminate the call based on policy. dslreports.com has a lot of info on VOIP. It turns out that this most likely was something in the interaction between the particular VoIP phone and the particular IP telephony provider through which I received most of my incoming calls. For reasons unrelated to this issue, I ended up needing to switch VoIP providers. Having made the minimum changes necessary to connect to the new provider (essentially server and authentication details), the problem seems to have disappeared. I wish I knew what the actual problem was, but at least it's working for me now.
  • Ping to DMZ works without a rule

    0 Votes
    10 Posts
    2k Views
    johnpoz
    @gusto it would be up to you if you don't want that last rule - because you're allowing internet access via your second tcp/udp rule - as long as you're pointing them to some external dns. and only want http and https access then yeah that should work without that last rule.
  • Appending Firewall Rules

    0 Votes
    5 Posts
    1k Views
    @needhelp404 One of the issues you have with appending is that rules are read in a top-to-bottom order and where would appended rules go? It's a PITB, yeah, but the best solution is manually changing the file and reimporting.
  • FTP for WordPress - How ?

    0 Votes
    43 Posts
    3k Views
    @steveits You were right localhost works !
  • Easyrule and This Firewall (self)

    0 Votes
    9 Posts
    3k Views
    johnpoz
    @wvdw I do not believe it's possible via looking at the code of the easy rule to leverage the "this firewall" alias how you're wanting to do it. I might have missed something, I am by no means any sort of coder - I can hack my way around a script and normally follow what it's doing, etc. But yeah looking at the documentation for the easyrule script, I see no mention of being able to do what you're asking. https://docs.netgate.com/pfsense/en/latest/firewall/easyrule.html#easyrule-in-the-shell "The source code of those scripts can be adapted for adding firewall rules in other ways, but that is left as an exercise for the reader." https://github.com/pfsense/pfsense/blob/master/src/etc/inc/easyrule.inc
  • 0 Votes
    14 Posts
    2k Views
    johnpoz
    @jonathanlee said in Jump in blocks traffic "block bogon IPv4 networks from WAN (11001) 0.0.0.0:68 255.255.255.255:67 UDP": The ISP already told me to ignore it. That was their official response? Yeah they just blew you off.. Sad to hear..
  • Some websites are not opening from LAN side of firewall

    0 Votes
    7 Posts
    1k Views
    @versionboy If the PCs still had an IPv6 address assigned that hadn’t expired yet that might still try to use it? At this point if you have 6 available I would just keep it active. :)
  • 0 Votes
    8 Posts
    1k Views
    johnpoz
    @offstageroller happy to help... If you see stuff you have questions on via tcpdump, etc. happy to help.. Happy Hunting..
  • Firewall won't allow traffic to a single address on another subnet

    0 Votes
    4 Posts
    1k Views
    senseivita
    @mytsuu Almost forgot: thank you for answering. :) The metric seems like a clue, AFAIK it should only go as high as 255, hex FF. Makes sense. It's a (basic) area I'm not that familiar with. The IPv6 metrics are nearing 4 digits, but if IPv4=8=255=FF, IPv6=8=FFFF=idon'tknowmath-65K-maybe makes sense, as much as that passing as a formula in my head.
  • Allow established/related traffic only? Coming from UniFi...

    0 Votes
    9 Posts
    3k Views
    I was a USG user when I started learning VLANs and firewall rules. So to me it was the only way I knew at the time. For all I knew all systems would work the same. Boy was I surprised when I started using pfSense. As pointed out above, pfSense is building states with every pass rule, which are basically invisible in the UI. There is no need to create talk back rules in the other VLAN. We (as pfSense users) are aware that by default, VLANs cannot start connections unless pass rules are created for that VLAN. As UniFi works completely reverse (all inter-VLAN traffic allowed by default) users need to create a block all traffic rule in each VLAN. This is just guessing on my part, but requiring to add state rules above the block rule may give starting users more insight in the logic of top down firewall rules. Actually I can't think of any use case where one would like to allow established/related traffic without also having the counter part rules on the VLAN that is initiating that traffic. Pete
  • Does a Floating 'Match' rule implicitly does a 'Pass'?

    0 Votes
    5 Posts
    756 Views
    Derelict
    @richardeb match rules have no effect on traffic. It always flows through to the next rule with the alterations made.
  • Firewall rules for 2 subnets (cant print)

    0 Votes
    27 Posts
    3k Views
    AndyRH
    @johnpoz I do on occasion need to get to the ATT Router, but it does not work if I use 192.168.1.0/24 on the inside because pfSense tries to route that network to the ATT router. I did not try too hard as I am not yet close to using up the other 192.168 networks... but I am working on it.
  • LogAnalytics agent rules

    0 Votes
    1 Posts
    429 Views
    No one has replied
  • Can capture ping packets but not printer packets

    0 Votes
    1 Posts
    305 Views
    No one has replied
  • allow all traffic on loopback interface

    0 Votes
    1 Posts
    378 Views
    No one has replied
  • Restrict Access to Local Network Servers

    0 Votes
    5 Posts
    1k Views
    @viragomann @johnpoz thanks a lot guys!! You've always been very helpful the last 2 years. I've almost learned how to configure pfSense
  • Syncthing Upload Traffic Slowdown with pfSense

    0 Votes
    4 Posts
    1k Views
    mbielech5
    @steveits Yes I can confirm that both servers are connected at 1000base-T gigabit Ethernet at full-duplex. Both interfaces (WAN and LAN) on the pfSense computer are also 1000base-T gigabit Ethernet at full-duplex. Would it hurt to hard-code the speed and duplex on both interfaces in pfSense instead of auto-negotiation? I would also like to mention that the ASUS RT-AC68U router is gigabit. As for the speed tests, the speeds slightly increased with the pfSense router along with the ping times decreasing. With the ASUS router, the download speed was 223.73mbps, upload speed was 174.55mbps with a ping time of 11ms: [image: 1649897420276-asusrouter.png] With the pfSense system, the download speed was 228.96mbps, upload speed was 195.69mbps with a ping time of 3ms: [image: 1649897493768-pfsenserrouter.png] To my knowledge all the other services are unaffected on pfSense. We have no problems using Zoom or watching movies via streaming services. That's why I think it may have something to do with the NAT or firewall Rule for Syncthing, or some other setting in pfSense that affects Syncthing traffic. Currently I'm looking to see if the NAT Reflection setting may be the culprit, but I won't be able to test until I go over to the house with the fiber internet again in the next day or so. Oh, and lastly, the other site has Spectrum cable internet with the standard upload/download package already running pfSense on a Dell Optiplex 755. I suspect it is something in the pfSense computer at the fiber location because that was the component that was changed between the servers.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.