• blocking traffic that should be allowed

    1
    0 Votes
    1 Posts
    361 Views
    No one has replied
  • Limit access to (Open)VPN + Outbound NAT

    3
    0 Votes
    3 Posts
    728 Views
    mgiM
@viragomann Thanks for coming back. That was one of the approaches I tried, but it didn't work. The access to the VPN was blocked. Anyway, I scrapped everything and started from scratch. I created a block rule attached to the LAN where the src is an inverted list of a few hosts, and the destination is a list of hosts and networks routed via the VPN. This time, everything works great, and the access is allowed/blocked as it should be. I'm not aware of doing anything wrong before, so I'm not sure why that didn't work. Maybe I just did something foolish that I didn't spot. I was hoping to cover this with a floating rule. That doesn't seem to be the option after reading about how the flow is processed in pfSense. I will have to replicate the rule across different interfaces.
• Camera App keeps loading

    5
    0 Votes
    5 Posts
    1k Views
    M
@viragomann Hi again, I don't know how he set up his app, but I see some IP in the system log trying to connect from the source IP (Guest Device). In Sophos I created only rules to give internet access with no restrictions and nothing additional. What I found in the system log were some blocks over LAN for this device IP, so I need to create rules to allow everything through LAN to WAN. Can you guide me??? Thanks
  • Upgrade from 2.5 to 2.6 rule issue Block IPv4 link-local

    1
    0 Votes
    1 Posts
    303 Views
    No one has replied
  • Omada AP controller through Pfsense, firewall rules

    1
    0 Votes
    1 Posts
    660 Views
    No one has replied
  • NAT to FreeIPA

    4
    0 Votes
    4 Posts
    1k Views
    V
@doguibnu On pfSense you can sniff the traffic (Diagnostics > Packet Capture) to check if the packets are forwarded properly. Select the interface facing the server, enter the protocol and port for filtering to avoid useless noise. Start the capture and trigger an access from outside. In case you get nothing, sniff the packets on the incoming interface to ensure that the packets are arriving on pfSense at all.
  • pfSense as an ICS / SCADA environment internal segmentation firewall

    29
    0 Votes
    29 Posts
    5k Views
    bingo600B
I still think this is an amazing hack (now that Stuxnet isn't public) https://blog.checkpoint.com/2018/08/12/faxploit-hp-printer-fax-exploit/ The attack vector is "sooo elegant"..... (Scary) Who would think a "Fax" could do a network exploit .... Would even circumvent the "Diode" ... if it was the "closed net printer". Took them a loong time, but where there's will (fame), power or $$$ ... /Bingo
  • Need Help Routing Traffic

    9
    0 Votes
    9 Posts
    1k Views
    V
    @newburg Sounds all well.
  • Rules between interfaces/switch ports

    6
    0 Votes
    6 Posts
    791 Views
    V
@swemattias You have to add your firewall rule to the interface where the traffic is coming into pfSense. So to pass or block traffic from LAN devices you add the rule to LAN. The destination can be a single IP, a network (subnet) or any. For internet access you even need any, because the IPs in the internet cover almost the whole address space. So no other way here. What you're presumably concerned about might be to give one subnet access to the internet, but not to the LAN. To achieve this you have to remember that pfSense probes the rules from the top to the bottom. If one matches the conditions it is applied and further rules are omitted. So you have to add multiple rules for this. At least one block and one pass rule. At the top of the rule set add a block rule for the destination of LAN network. Below add a pass rule with destination "any". Now if the destination in a packet is in the LAN network the packet is blocked, otherwise it's passed. But instead of blocking LAN network only it's often rather desired to block access to all internal networks. Good advice to achieve this is to add a network alias (Firewall > Aliases > IP, type "network") and add all RFC 1918 networks to it. Call it RFC1918 and use this alias as destination in the block rule. With this you're still safe when you add a subnet to your setup or change a network space. So what if I want to open a port from WAN to server LAN. What will the rule look like then? For inbound traffic the things might be more clear. Here only the source has to be "any", assuming you can't state it. The destination will be "WAN address", because the packet goes to it, and you will state a specific destination port. For instance for HTTPS, the dest. port is 443. The source port has to be "any" as well!
  • SMB slow uploading, fast downloading between LAN and Guest Networks

    3
    0 Votes
    3 Posts
    1k Views
    P
    Turns out the issue was the client in the guest network. I plugged my laptop into the LAN cable that the guest was using and it was fast. Turns out the guest user had Hyper-V, VMWare workstation and Virtualbox all running at the same time plus a VPN client. After some software removal, the transfer speed between the Guest and the OMV server is fast as expected.
  • WAN - LAN transparent bridge, ping works one way only

    4
    0 Votes
    4 Posts
    997 Views
    mytsuuM
    @nil That's good!
  • Allow Single IP Through Firewall

    20
    0 Votes
    20 Posts
    2k Views
    R
    @nosenseatall what does the Firewall Log show? Anything at all? Filter by the IP addresses of the involved devices. Do a PCAP on the interfaces looking for those device IPs, etc.
  • No action on LAN

    42
    0 Votes
    42 Posts
    9k Views
    R
    @dhenzler Rebooting between all tests?
  • Firewall rule state counter 0 but active vpn (udp) connection

    1
    0 Votes
    1 Posts
    307 Views
    No one has replied
  • Can not access http websites

    5
    0 Votes
    5 Posts
    865 Views
    GertjanG
This will also work: [image: 1649082897895-ce2f9c64-2451-4993-9611-6dee90efcc8a-image.png] Or, if you have to, you can also use the default 'port 80' (== http) for pfSense. These are the default values (80 and 443). But the web server 'GUI' ports used by pfSense have nothing to do with all the other web servers on the Internet. They also use port 443. I guess there are very few web servers left on the internet that still use "port 80 http". Not being able to visit -any- http port on the Internet from the LAN means something 'terrible' has happened during initial setup. @basense said in Can not access http websites: How to enable http traffic? By default, on the LAN interface, there is a rule that permits "everybody can go to everywhere". There is no such thing as "all ok but no http". @basense said in Can not access http websites: I found the line where to disable WebGUI redirect, thanks. It was not checked by default.
  • Intervlan ping problem with nat

    19
    0 Votes
    19 Posts
    1k Views
    mytsuuM
Hi @yguerchet As @johnpoz pointed out, this doesn't work that way. Considering you have NAT 1:1 of the DNS A record (I assume that is your target resolution for the DNS query), all you have to do is to enable the "Enable DNS forward" option and configure as shown below; Host Overrides [image: 1649039519045-screen-shot-2022-04-04-at-11.29.33.png] Save, Apply and TRY to PING toto.fr from ANY local IP address. Make sure your LAN or OPT interfaces allow DNS port 53 with "Destination" This firewall (self) between them.
• VLAN won't ping to Internet

    3
    0 Votes
    3 Posts
    742 Views
    mytsuuM
Hi @nosenseatall Yeah! Outbound NAT is essential to allow packets between WAN ~ LAN (VLAN) interfaces.
  • 0 Votes
    4 Posts
    994 Views
    M
@reg_ed I haven't gone back and confirmed, but if the alphabetical order isn't a direct consequence of the way pf processes wildcard anchors such as 'spam/*' then it's a default chosen for consistency with it. I think implementing (a) or (b) wouldn't be very hard, everything's in PHP and seems nicely "clean" to me, but there's significant overhead to getting a sufficiently firm grasp of pf, how pfsense is using it, how it's all coded up, setting up a dev environment and machine.... Literally today I'm about to pull an old Alix board out of a drawer just so I can experiment to fill in the gaps of BSD documentation, which is well written but sparse on details. As I've dug deeper in pfsense, I've found several places where the conceptual overlay of pfsense onto underlying BSD tools breaks down without warning (documentation). I have a few posts in these forums I need to follow up on, but what I've learned is that to answer questions I have about pfsense behavior, look under the hood, rather than expect pfsense to make sense as itself. Besides this issue of interface groups, there is no positive concept in BSD dhcpd of 'no gateway' (dhcp option 3) and the pfsense 'none' flag is permitted in pools, where it (and other pfsense dhcp concepts) gets into conceptual trouble with inheritance. And floating rules 'out' on WAN work nothing like expected, and yet 'both' rules work like 'out' rules should (plus a superfluous 'in' direction), which has got to be a contributing factor to why floating rules have a reputation as confusing and hard to get right.
  • 0 Votes
    2 Posts
    324 Views
    M
Guys, please help me solve this problem. I was instructed to block access to all social media websites, mainly Facebook and YouTube. I am using pfsense, installed squid and squidguard, installed a blacklist and denied access to the socialnet category. After applying the configurations, access to all Google services and Outlook also gets blocked. This is not what I want. Any idea as to what might be happening? Thanks
  • 2.6.0-RELEASE BRIDGE Interface “transparent firewall” ISSUE

    1
    0 Votes
    1 Posts
    338 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.